Update the GHA workflow for publishing to PyPI and eliminate discouraged practices #120
Comments
|
Thank you! The project doesn't need much maintenance but since I'm not using Python at work I think it would make sense to find a new home for it and @aio-libs makes perfect sense. I'd be happy to move it there and continue maintaining it there. |
|
Your call but I've gone ahead and invited you to the org! Whenever you're ready, give me the owner permission so I could do the transfer. You'll be free to set up accesses as you see fit and I typically help out with CI/CD/packaging/RTD/docs subdomain when needed, even though I don't normally maintain each project under the @aio-libs umbrella. |
|
Hey @saghul, I've found an invitation to join the repository in my inbox that I missed in April… Would you mind re-sending it? |
|
@saghul ^ |
|
Hey! Sure thing! |
|
@saghul thanks, finally we're in sync :) |
|
Not sure how I can do that, WTF? Since this is my personal account I can only add you as a collaborator. |
|
Oh… I forgot this is how it works. We need a “mule” account in between. So you probably need to transfer it to me, and I'd transfer it to the org then. |
|
GH will keep the redirects on the HTTP and Git levels even with such a double move, by the way. |
|
@saghul so I've got an idea of a mule-org and made one. Let's test using it as a trampoline instead... |
|
Done! |
|
I looked at the new "repo transfer" interface and realized that they seem to have a direct transfer possibility now... So I was probably overengineering here :) |
|
@saghul now that it's in, could you give me “Owner” on PyPI, so I could transfer it over there and configure tokenless publishing for the later GHA->PyPI integration? |
|
Same username there? |
|
yep |
|
@saghul plz let me know when you do that and I'll cross that item off my list ;) Everything else does not strictly require my involvement (or yours for that matter), so maybe @Dreamsorcerer or @bdraco would have a minute to pick up those items. |
|
I've updated the checklist in the initial post. |
webknjaz
changed the title
|
Invited you to pypi! |
|
Thanks! I moved it and adjusted the privileges (the org is the only owner, others are maintainers so they show up in the UI on the project page). |
|
Configured trust on the PyPI side similar to other projects. Ideally, the unified workflow should move into |
|
Feel free to go ahead! |
Hey, I noticed you're using my action for uploading to the PyPI, but its version is outdated — it was deprecated 2 years ago (pypa/gh-action-pypi-publish@1bbe3c9) and doesn't contain modern features. I noticed that other actions referenced in the workflow also use deprecated versions that may stop working anytime now.
Follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ to get it up-to-date. The GH doc is not as detailed: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow.
Action items:
release/v1for stable rolling updates, or concrete tags/commit SHAs + dependabot)with:PYPI_PASSWORDsecret from the repository settings on GitHubattestations: trueunderwith:(this is a new, experimental digital signing feature of the action)pypiwith required reviews in the repo settingssetup.pywithpython -Im build— this will build an sdist and a wheel out of that sdist (as a smoke test) if you don't pass unnecessary CLI args that would change this behaviorP.S. If you ever decide you want to host this project under @aio-libs (which would make sense for us given that aiohttp depends on it, but no pressure!) — let me know and I can make this happen.Moving
aiodnsunder the @aio-libs umbrella:The text was updated successfully, but these errors were encountered: