casperdcl / deploy-pypi

Securely build and upload Python distributions to PyPI

support Trusted Publishers #17

Closed casperdcl closed 7 months ago

casperdcl commented 1 year ago
references

- description: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers#using-trusted-publishing-with-github-actions
- implementation: https://github.com/pypa/gh-action-pypi-publish/blob/unstable/v1/oidc-exchange.py
- `detect_github(audience) -> oidc_token`: https://github.com/di/id/blob/main/id/_internal/oidc/ambient.py
- GHA env vars: https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables
0x2b3bfa0 commented 1 year ago

Would a shell script be enough, or does it have to be pure Python?

```sh
# $REGISTRY_DOMAIN is the registry host name, e.g. upload.pypi.org
# 1. ask the registry which audience the OIDC token must carry
audience=$(curl --fail --silent "https://$REGISTRY_DOMAIN/_/oidc/audience" | jq --raw-output .audience)

# 2. get an OIDC token for that audience from the runner
#    (the job needs `permissions: id-token: write`), then
# 3. exchange it for a short-lived PyPI API token
curl --fail --silent --get "$ACTIONS_ID_TOKEN_REQUEST_URL" \
     --header "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
     --data-urlencode "audience=$audience" |
jq "{token: .value}" |
curl --fail --silent "https://$REGISTRY_DOMAIN/_/oidc/github/mint-token" \
     --header "Content-Type: application/json" --data @- |
jq --raw-output .token
```

Note that https://github.com/casperdcl/deploy-pypi/issues/17#issue-1893037869 is wrong, and `$REGISTRY_DOMAIN` is the host name of the registry; e.g. `upload.pypi.org`

casperdcl commented 1 year ago

shell script is the only thing supported[^single-file]

casperdcl commented 1 year ago

https://github.com/pypa/gh-action-pypi-publish/blob/a712d989cca7b5d2b239f655efb2512082d5bce8/action.yml#L12-L23

looks like it's meant to be https://upload.pypi.org

0x2b3bfa0 commented 1 year ago

> shell script is the only thing supported

I asked because the only ™️ thing your shell script does is invoking the python executable in every conceivable way. Maybe you wanted something along the lines of `python -c 'urllib ...'` instead of `curl` and `jq` for this?

[image: Rube Goldberg's Self-Operating Napkin (cropped)]
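For reference, the same three-step exchange as the curl/jq pipeline above, written with `urllib` so it would fit a `python -c` one-liner in a single-file action. This is an added example, not code from deploy-pypi or from pypa/gh-action-pypi-publish; the endpoint shapes (`/_/oidc/audience` returning `{"audience": ...}`, the runner returning `{"value": <JWT>}`, `mint-token` returning `{"token": ...}`) are assumed from the linked `oidc-exchange.py`. The HTTP transport is injectable, and the `fake_fetch`, `FAKE_ENV` and `example.invalid` values are constructed so the logic can be checked offline.

```python
"""Trusted Publishers token exchange (added example, not the action's own code)."""
import json
import os
import urllib.parse
import urllib.request


def _default_fetch(url, headers=None, body=None):
    """Real transport: GET when body is None, otherwise POST the given bytes."""
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def mint_pypi_token(registry_domain, env=os.environ, fetch=_default_fetch):
    """Exchange the GitHub Actions OIDC identity for a short-lived registry token.

    1. GET https://<registry>/_/oidc/audience            -> {"audience": ...}
    2. GET $ACTIONS_ID_TOKEN_REQUEST_URL&audience=<aud>  -> {"value": <OIDC JWT>}
       (authorised with the runner's ACTIONS_ID_TOKEN_REQUEST_TOKEN)
    3. POST https://<registry>/_/oidc/github/mint-token  -> {"token": "pypi-..."}
    Endpoint shapes are assumed from gh-action-pypi-publish's oidc-exchange.py.
    """
    try:
        request_url = env["ACTIONS_ID_TOKEN_REQUEST_URL"]
        request_token = env["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
    except KeyError as exc:
        # Only present when the job grants `permissions: id-token: write`.
        raise RuntimeError(f"{exc.args[0]} not set; missing id-token: write?") from None

    # 1. The registry states the audience the OIDC token must be issued for;
    #    a token minted for any other audience is rejected at step 3.
    audience = fetch(f"https://{registry_domain}/_/oidc/audience")["audience"]

    # 2. Ask the runner for an OIDC token bound to that audience. The request
    #    URL already carries ?api-version=..., so append with '&'.
    sep = "&" if "?" in request_url else "?"
    oidc_token = fetch(
        request_url + sep + urllib.parse.urlencode({"audience": audience}),
        headers={"Authorization": f"bearer {request_token}"},
    )["value"]

    # 3. Trade the OIDC token for a registry API token (sent as JSON).
    minted = fetch(
        f"https://{registry_domain}/_/oidc/github/mint-token",
        headers={"Content-Type": "application/json"},
        body=json.dumps({"token": oidc_token}).encode(),
    )
    if not minted.get("token"):
        raise RuntimeError(f"mint-token did not return a token: {minted}")
    return minted["token"]


# Constructed environment and transport so the flow runs offline.
FAKE_ENV = {
    "ACTIONS_ID_TOKEN_REQUEST_URL": "https://example.invalid/idtoken?api-version=2.0",
    "ACTIONS_ID_TOKEN_REQUEST_TOKEN": "runner-secret",
}


def fake_fetch(url, headers=None, body=None):
    """Constructed stand-in for the registry and the runner's token endpoint."""
    if url == "https://upload.pypi.org/_/oidc/audience":
        return {"audience": "pypi"}
    if url.startswith("https://example.invalid/idtoken"):
        assert headers["Authorization"] == "bearer runner-secret"
        assert url.endswith("?api-version=2.0&audience=pypi")
        return {"value": "eyJ.constructed.jwt"}
    if url == "https://upload.pypi.org/_/oidc/github/mint-token":
        assert headers["Content-Type"] == "application/json"
        assert json.loads(body) == {"token": "eyJ.constructed.jwt"}
        return {"success": True, "token": "pypi-constructed-token"}
    raise AssertionError(f"unexpected URL {url}")


if __name__ == "__main__":
    print(mint_pypi_token("upload.pypi.org", env=FAKE_ENV, fetch=fake_fetch))
```

In a real job the call is simply `mint_pypi_token("upload.pypi.org")`, which reads the runner's environment and uses the live transport; the returned token is scoped by the registry to the publisher it trusts, so it should be used for the upload and never written to the log.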

0x2b3bfa0 commented 1 year ago

> looks like it's meant to be https://upload.pypi.org

It also works with pypi.org but you're right; updated!