
Supported PyPI trusted publishers #136

Open
lpsinger opened this issue May 4, 2023 · 13 comments
Labels
enhancement New feature or request

Comments

@lpsinger

lpsinger commented May 4, 2023

See https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/, https://docs.pypi.org/trusted-publishers/using-a-publisher/.

To support trusted publishers, add this to the pypa/gh-action-pypi-publish step:

permissions:
  id-token: write

Perhaps a boolean flag to turn this on or off?

@ConorMacBride ConorMacBride added the enhancement New feature or request label May 18, 2023
@ConorMacBride
Member

I think we need to wait for pypi/warehouse#11096 to be closed before this will work in the reusable workflows unfortunately.

Once it is, adding what you have above to the upload job in each publish workflow should be all that is needed. The user and password inputs should be okay to keep — it will attempt the trusted publisher authentication when the password is empty. I think it should be fine without an additional flag to enable.

@pllim
Contributor

pllim commented Oct 16, 2023

Any update on this? Has the situation changed? PyPA merged the recommendations into https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

@Cadair
Member

Cadair commented Oct 16, 2023

Last I checked (a couple of weeks ago) it's still unsupported upstream.

@Cadair
Member

Cadair commented Oct 16, 2023

Looks like if you forked the templates into the same org you could maybe make it work: pypi/warehouse#11096 (comment)

@mhvk

mhvk commented Nov 11, 2024

Saw the github notifications about trusted publishers while building pyerfa - is there any update on how this should be done? Feel free to point me to documentation... (Right now, google/duckduckgo both lead to this issue, so that would help others too...)

@pllim
Contributor

pllim commented Nov 11, 2024

AFAIK PyPI has not implemented the support yet. This issue is still unresolved:

@Cadair
Member

Cadair commented Nov 11, 2024

yep we are waiting for upstream support. Apparently it's being worked on currently.

@mhvk

mhvk commented Nov 11, 2024

Thanks, both! Funny that github is pushing it so much if it only half works...

@astrofrog
Contributor

astrofrog commented Nov 14, 2024

APLpy has started erroring on upload to PyPI because of this:

Error: Trusted publishing exchange failure: 
OpenID Connect token retrieval failed: GitHub: missing or insufficient OIDC token permissions, the ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variable was unset

This generally indicates a workflow configuration error, such as insufficient
permissions. Make sure that your workflow has `id-token: write` configured
at the job level, e.g.:

permissions:
  id-token: write

Learn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.

/~https://github.com/aplpy/aplpy/actions/runs/11846325120/job/33013937737

Is there any workaround at this point?
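The configuration that ConorMacBride's reply above describes and that the error quoted above is asking for, as an added example that is not code from this repository or from pypa/gh-action-pypi-publish: a caller workflow that grants `id-token: write` at the job level, and the upload job of the reusable workflow it calls, which declares the same permission and leaves `password` empty so the action attempts the trusted-publisher exchange. The repository `my-org/workflows`, both file paths, the `upload_to_pypi` input, the `pypi_token` secret and the pre-flight step that checks for the OIDC request token named in the error are all assumptions. Whether PyPI then accepts the token is a separate question: the thread itself notes that this does not work until pypi/warehouse#11096 is resolved unless the templates are forked into the same org.

```yaml
# --- Caller, in the package repository (assumed path: .github/workflows/release.yml) ---
name: Release
on:
  release:
    types: [published]

jobs:
  publish:
    # A called reusable workflow can only narrow the caller's GITHUB_TOKEN
    # permissions, never widen them, so id-token: write must be granted on this
    # job; the `permissions:` block inside the reusable workflow is not enough
    # on its own.
    permissions:
      contents: read
      id-token: write
    # Hypothetical reusable workflow; substitute the one you actually call.
    uses: my-org/workflows/.github/workflows/publish.yml@v1
    with:
      upload_to_pypi: true
    # Deliberately no `secrets:` block here: with no password, the upload job
    # below falls through to trusted publishing. To go back to an API token
    # (the workflow-side half of "disable trusted publishing"), pass
    #   secrets:
    #     pypi_token: ${{ secrets.PYPI_API_TOKEN }}
    # instead.

---
# --- Reusable workflow (assumed path: .github/workflows/publish.yml in my-org/workflows) ---
on:
  workflow_call:
    inputs:
      upload_to_pypi:
        type: boolean
        default: false
    secrets:
      pypi_token:
        required: false

jobs:
  upload:
    if: inputs.upload_to_pypi
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist

      - name: Check that an OIDC token can be requested from this job
        # Fails early, with a clearer message than the exchange failure quoted
        # above, when the calling job did not grant id-token: write. The check
        # is skipped when an API token was supplied, since OIDC is then unused.
        env:
          HAVE_API_TOKEN: ${{ secrets.pypi_token != '' }}
        run: |
          if [ "$HAVE_API_TOKEN" = "true" ]; then
            echo "API token supplied; skipping OIDC check"
          elif [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
            echo "::error::No OIDC request token in this job; grant 'id-token: write' on the calling job"
            exit 1
          fi

      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # Empty when the caller passed no secret; the action then attempts the
          # trusted-publisher exchange instead of a token upload.
          password: ${{ secrets.pypi_token }}
```

The `user` input is left at its default of `__token__`, which is what the action expects for both an API token and the trusted-publisher exchange, so no extra flag is needed to switch between the two: the presence or absence of the `pypi_token` secret decides.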

@astrofrog
Contributor

Should we perhaps change the workflows to use twine to do the upload ourselves instead of using pypa/gh-action-pypi-publish? Or would that not fix it?

@pllim
Contributor

pllim commented Nov 15, 2024

I think you have to disable trusted publishing if you use the workflow from here, for now.

@astrofrog
Contributor

@pllim - how does one do this?

@pllim
Contributor

pllim commented Nov 15, 2024

I cannot see the aplpy admin page, but on my own package, here is how I get to it:

  1. Log in to PyPI.
  2. Your Projects -> package name -> Manage
  3. Select Publishing from left navbar
  4. See screenshot below
[screenshot of the PyPI project Publishing page]
