
📦 Migrate release workflow to Trusted Publishing #2149

Open
wants to merge 1 commit into main
Conversation

webknjaz
Member

Resolves #2147.

Contributor checklist
  • Included tests for the changes.
  • PR title is short, clear, and ready to be included in the user-facing changelog.
Maintainer checklist
  • Verified one of these labels is present: backwards incompatible, feature, enhancement, deprecation, bug, dependency, docs or skip-changelog as they determine changelog listing.
  • Assign the PR to an existing or new milestone for the target version (following Semantic Versioning).

@webknjaz webknjaz added the skip-changelog Avoid listing in changelog label Dec 17, 2024
@webknjaz webknjaz requested a review from jezdez December 17, 2024 00:49
      timeout-minutes: 2 # docker+network are slow sometimes

      environment:
        name: pypi

Member Author

@jezdez we need to configure a trusted publishing entry on PyPI. It should point to this repository and this workflow name. It should also have the exact string pypi in the environment entry.
I'm assuming the Jazzband bot account has Owner privileges. They are necessary to proceed. The Maintainer role would not have the proper level of access. (We might have to ask @nvie if that's the case.)

Additionally, please go to the repository settings, open the Environments page and create one called pypi. Add required reviewers and save. Don't disallow self-reviews.
I imagine you'll add folks who currently have release privileges. Bear in mind that there's a max of 6 entries. These can be individual accounts or teams. It sometimes makes more sense to group people into teams.

@webknjaz
Member Author

Hey @nvie, is there any chance you could verify if the jazzband bot account on PyPI has an Owner privilege or just a Maintainer?

@nvie
Member

nvie commented Dec 20, 2024

Hi @webknjaz — sorry for the delay as I was flooded with GitHub notifications and this one didn't stand out enough. I just checked for you and indeed the Jazzband bot was a Maintainer, not an Owner. I just changed that for you. Let me know if there is anything else I can help you with! 🙏

@webknjaz
Member Author

@nvie thanks! This should let Jannis configure TP. I don't have access to the bot account.

Alternatively, I could ask you to configure TP if you're up for it. And someone with the repo settings access would also need to configure another bit.

@nvie
Member

nvie commented Dec 20, 2024

Unfortunately I don't know what TP is (I'm no longer active in the Python community and haven't caught up enough with recent developments in the ecosystem).

@jezdez Given that the Jazzband bot is now an Owner, do you have enough to invite other Owners to the project as you see fit? I will let you handle that. If there is anything I can assist with, just let me know though!

@webknjaz
Member Author

@nvie oh, trusted publishing is a thing where PyPI can be configured to trust a specific GitHub Actions workflow and we can then upload new releases w/o needing to stick any secrets into the GitHub repo settings. Plus it now enables automatic digital attestations + other provenance bits through this OIDC-based mechanism.

Jazzband doesn't give the members direct access to PyPI, it's being proxied through a special server where people can preview the uploads. I'm seeking to get rid of that middle link, as it's now possible to implement everything within GitHub.

That said, @jezdez hasn't been available for a while so I figured I'd ask you for the PyPI setup confirmation, at least. Technically, it's Jannis who is supposed to configure things, but we've now established that it wouldn't be possible w/o you anyway. With the new bot privileges, though, Jannis will be able to add the configuration.

Successfully merging this pull request may close these issues.

[TODO] Migrate the release process to Trusted Publishing