📦 Migrate release workflow to Trusted Publishing #2149
Conversation
timeout-minutes: 2 # docker+network are slow sometimes
environment:
  name: pypi
@jezdez we need to configure a trusted publishing entry on PyPI. It should point to this repository and this workflow name. It should also have the exact string pypi in the environment entry.
I'm assuming the Jazzband bot account has Owner privileges. They are necessary to proceed. The Maintainer role would not have the proper level of access. (We might have to ask @nvie if that's the case.)
Additionally, please go to the repository settings, open the Environments page and create one called pypi. Add required reviewers and save. Don't disallow self-reviews.
I imagine you'll add folks who currently have release privileges. Bear in mind that there's a max of 6 entries. These can be individual accounts or teams. It sometimes makes more sense to group people into teams.
Hey @nvie, is there any chance you could verify if the jazzband bot account on PyPI has an
Hi @webknjaz — sorry for the delay as I was flooded with GitHub notifications and this one didn't stand out enough. I just checked for you and indeed the Jazzband bot was a Maintainer, not an Owner. I just changed that for you. Let me know if there is anything else I can help you with! 🙏
@nvie thanks! This should let Jannis configure TP. I don't have access to the bot account. Alternatively, I could ask you to configure TP if you're up for it. And someone with the repo settings access would also need to configure another bit.
Unfortunately I don't know what TP is (I'm no longer active in the Python community and haven't caught up enough with recent developments in the ecosystem). @jezdez Given that the Jazzband bot is now an Owner, do you have enough to invite other Owners to the project as you see fit? I will let you handle that. If there is anything I can assist with, just let me know though!
@nvie oh, trusted publishing is a thing where PyPI can be configured to trust a specific GitHub Actions workflow and we can then upload new releases w/o needing to stick any secrets into the GitHub repo settings. Plus it now enables automatic digital attestations + other provenance bits through this OIDC-based mechanism. Jazzband doesn't give the members direct access to PyPI, it's being proxied through a special server where people can preview the uploads. I'm seeking to get rid of that middle link, as it's now possible to implement everything within GitHub. That said, @jezdez hasn't been available for a while so I figured I'd ask you for the PyPI setup confirmation, at least. Technically, it's Jannis who is supposed to configure things but we now established that it wouldn't be possible w/o you anyway. With the new bot privileges, though, Jannis will be able to add the configuration.
Resolves #2147.
Contributor checklist
Maintainer checklist
backwards incompatible, feature, enhancement, deprecation, bug, dependency, docs or skip-changelog as they determine changelog listing.