avocado-framework / avocado

Avocado is a set of tools and libraries to help with automated testing. One can call it a test framework with benefits. Native tests are written in Python and they follow the unittest pattern, but any executable can serve as a test.
https://avocado-framework.github.io/

[drive-by feedback] Update the GHA workflow for publishing to the PyPI #5903

Open webknjaz opened 2 months ago

webknjaz commented 2 months ago

Hey, I noticed some outdated practices in .github/workflows/release.yml and with my PyPA hat on, I decided to document a few possible improvements.

Ever since GHA went GA I've been trying to improve a standard dist publishing method and came up with an action that is now under the PyPA umbrella, being recommended officially in various places including GitHub's own docs: https://github.com/marketplace/actions/pypi-publish#usage.

I saw that you resort to storing username/password for uploading the dists to PyPI as GitHub repository secrets. While technically this works, there's a better way — using secretless publishing that's gone GA about a year ago. And my action started supporting it even earlier — during the private alpha testing period.

My PyPUG guide now contains a full example of using it. Follow https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ and you'll be set. The GH doc is not as detailed: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow.

This requires some changes but is quite straightforward:


Another observation that surprised me is the use of a dead non-standardized format that's been discouraged for like a decade and is dangerous to use — eggs. So I'm curious — what's the use case for even making them in the first place, in 2024?

Refs:

clebergnu commented 2 months ago

Hi @webknjaz,

Thanks a lot for all the information you're sharing here. We should definitely adopt actions/pypi-publish.

With regards to the use of eggs, we've been using it for running Avocado itself, like in containers with the Podman spawner (avocado run --spawner=podman) without the need to actually install Python packages. I understand that we may eventually have to come up with a different solution, but that has been working great for that use case.

Anyway, thanks again, and we'll definitely follow up with your suggestion.
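
A sketch of the secretless (OIDC trusted publishing) workflow this thread discusses, added here as an illustration; it is not Avocado's actual release.yml and not code posted by either commenter. The trigger, job names, artifact name, `pypi` environment name and the secret names in the commented-out "before" pattern are assumptions, and the matching trusted publisher still has to be registered in the project's publishing settings on PyPI.

```yaml
# Added illustration; not the project's actual .github/workflows/release.yml.
name: Publish to PyPI

on:
  release:
    types: [published]        # assumed trigger

jobs:
  build:
    # No id-token permission here: build-time code cannot request an OIDC token.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build sdist and wheel
        run: |
          python -m pip install build
          python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions   # assumed artifact name
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: pypi              # assumed; must match the publisher registered on PyPI
    permissions:
      id-token: write         # only this job may mint the short-lived OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      # Pattern being replaced (placeholder secret names): long-lived credentials
      # stored as repository secrets and readable by any step in the job.
      #   env:
      #     TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
      #     TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
      #   run: twine upload dist/*
      - name: Publish via trusted publishing (no stored secret)
        uses: pypa/gh-action-pypi-publish@release/v1
```

Once a release has gone out this way, the old PyPI credentials can be deleted from the repository secrets and revoked on PyPI so they no longer exist to leak.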