ansible-community / molecule-hetznercloud

A molecule driver for Hetzner Cloud
https://ansible.readthedocs.io/projects/molecule/
GNU Lesser General Public License v3.0

Configure PyPI package publishing #48

Closed jooola closed 1 year ago

jooola commented 1 year ago

The CI is already configured to build the package and to publish it to PyPI on releases.

The only missing secrets are the following:

PYPI_USERNAME
PYPI_PASSWORD

We are missing the credentials or permissions to push the molecule-hetznercloud package on PyPI: https://pypi.org/project/molecule-hetznercloud/

@cidrblock Could not give access to the PyPI package, we might need to ask someone else: @ssbarnea ?

Ideally, we could add permissions to upload the package to the following user: https://pypi.org/user/HetznerCloudGmbH/

Once this issue is solved, I can cut a new release.

webknjaz commented 1 year ago

> The only missing secrets are the following:

This is an outdated way of publishing from GHA. Default to using the secretless publishing instead.

My PyPUG guide was recently updated to showcase this method: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

webknjaz commented 1 year ago

> The CI is already configured to build the package

You forgot to add --strict to your twine check command. Although, this is something you should run in the normal CI. You don't need it explicitly in the publishing workflow as my pypi-publish action already runs it under the hood.

webknjaz commented 1 year ago

Secretless publishing will need a separate job, action inputs removed and the pypi GH env applied to the job, and protected.

jooola commented 1 year ago

@webknjaz Thanks for the pointer.

Does the secretless publishing solve the initial issue (no permissions to upload a new version to PyPI)?

webknjaz commented 1 year ago

> Does the secretless publishing solve the initial issue (no permissions to upload a new version to PyPI)?

So the OIDC trust is set up on PyPI specifically to allow publishing from GHA. It's always bound to a PyPI project and is restricted to a combination of a repository, workflow and env. It's not connected to any user accounts on PyPI. So I suppose, yes?

apricote commented 1 year ago

> So the OIDC trust is set up on PyPI specifically to allow publishing from GHA. It's always bound to a PyPI project and is restricted to a combination of a repository, workflow and env. It's not connected to any user accounts on PyPI. So I suppose, yes?

But is the OIDC trust actually set up right now for this package? It does not look like the OIDC trust was previously used to publish the package.

jooola commented 1 year ago

> But is the OIDC trust actually set up right now for this package? It does not look like the OIDC trust was previously used to publish the package.

It has been set up, sorry, the discussion was spread across GitHub and Matrix.