-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch to trusted publishing for releases? #646
Comments
You'd need to get @FFY00's approval, I think the rest of us would be okay with it if @FFY00 approved, but that might not happen. The worry is over security, is that we'd be allowing public CI to release, and the attack vector would be someone taking over GHA and releasing a malicious version of build. If our dependencies (like pip, flit, packaging) used GHA to release, it would be an easier sell. But I don't think they do. |
A simi-dependency, virtualenv, uses Trusted Publisher releases: https://github.com/pypa/virtualenv/blob/main/.github/workflows/release.yml |
As another datapoint: |
Yup, and since we ship pure wheels and don't need to build for wide set of platforms/environments, I struggle to see the benefit of building in the CI. Trusted publishing solves an issue for users who want to build release artifacts in the CI, however, I don't think this is an issue we have. Does that make sense? That said, I realize I may have been too harsh on sticking to my position, so while my thoughts on the issue haven't changed, if the other maintainers feel strongly about this, I am happy for the project to adopt a different release workflow. Especially considering I have taken a long break from active maintenance of this project, as I sort out my mental health and other issues. |
I understand this position, but I want to provide some pushback on it from two angles:
TL;DR: I think on a practical level, CI publishing makes for good process. With my security hat on, CI publishing (especially with trusted publishing) reduces the overall number of ways an attacker can compromise a Python package. With all that said, I want to acknowledge that it's your project and ultimately your call to determine an appropriate threat model for yourselves. So if I haven't been persuading enough to at least continue this conversation, please feel free to close this 🙂 |
build
is at the center of a large (and growing) number of dependency graphs, so I'm plugging trusted publishing as a good idea: with trusted publishing,build
would use GitHub Actions for PyPI releases, and would be able to do so automatically and securely without having to pre-configure an API token.If there's interest, then I'm more than happy to send a PR adding a trusted publishing workflow + offer guidance on how to use it!
The text was updated successfully, but these errors were encountered: