Update publish workflow to use PyPI Trusted Publisher #991
Conversation
It might make sense to put these changes behind a new template variable so plugins can adopt when they have time. Or we could do them all at once and spend a Monday getting everyone straight.
Force-pushed from d49e092 to ed84f30.
| environment: | ||
| name: "pypi" | ||
| url: "https://pypi.org/p/{{ plugin_name | dash }}" |
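Review bot: the `url` key under `environment` is informational only (it sets the deployment link GitHub shows) and is not part of what PyPI's Trusted Publisher verifies, so it can be dropped where the template cannot produce a single correct project URL; what does matter is `name: "pypi"`, which must exactly match the environment name entered on the PyPI Trusted Publisher entry if one was configured there, and the job must also declare `permissions: id-token: write` so it can request the OIDC token that PyPI exchanges for an upload token.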
This environment is the new GH thing for describing the "environment for a deployment", the deployment in our case being the "upload to pypi".
You specify url here and not for the bindings. Is it needed or not?
From my googling, no, it isn't needed. It's set in the example on PyPI, but I think it's just extra context for where the environment is publishing. The bindings could contain multiple projects, so one url wouldn't be "correct".
Sad, but I'll leave it to your discretion.
Force-pushed from 7f3a19f to b161dd7.
Successful test: https://github.com/pulp/pulp_ostree/actions/runs/18953524764
Requires adding the trusted publisher to each project's and client's PyPI page. Also, the GitHub "pypi" environment we are using is autocreated once the workflow is merged and run, but you can create it beforehand and assign it permissions for when it is allowed to run.
In ostree I created it beforehand and applied the same branch protection rules we use to only allow the environment to run on protected branches. https://docs.github.com/en/actions/reference/workflows-and-actions/deployments-and-environments