chorsley / python-Wappalyzer

Python driver for Wappalyzer, a web application detection utility.
GNU General Public License v3.0

Add PyPI API token to github secrets #62

Open tristanlatr opened 3 years ago

tristanlatr commented 3 years ago

Hi @chorsley ,

Could you follow the following process in order to add PyPI key to the github secrets?

In your account settings, go to the API tokens section and select "Add API token". Then, in the GitHub repo settings, add the value to a new secret named "PYPI_TOKEN".

Then the publication of the package should be automatic when new tags are pushed and the tests pass :D

Thank you!

chorsley commented 3 years ago

Hi @tristanlatr,

Before we line any of that automated publishing up, we'd want to be very careful that a random committer can't add malicious code in a commit, get us to trigger the PyPI publish step, then have unsuspecting people install a malicious version of the package.

We'd want to have some kind of final PR approval and review on any code to be introduced into the release before the package is published.

This becomes a release management issue. I'm happy to put in my 2c from successful patterns we've used previously, but what are you doing / thinking on that front at the moment?
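The tag-triggered publish flow from the first comment, combined with the approval gate asked for in the reply above, as an added example workflow (not from the python-Wappalyzer repository). It assumes the project installs with pip and tests with pytest, and that a GitHub environment named `pypi` has been created in the repository settings with required reviewers; only the `PYPI_TOKEN` secret name comes from the thread.

```yaml
name: Publish to PyPI

on:
  push:
    tags:
      - "v*"          # only version tags start a release

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      # assumption: the package is pip-installable and its tests run under pytest
      - run: pip install -e . && pip install pytest
      - run: pytest

  publish:
    needs: test                      # nothing is uploaded unless the tests pass
    runs-on: ubuntu-latest
    # 'pypi' is an assumed environment name; configuring it with required
    # reviewers in the repo settings makes a maintainer approve each upload,
    # so a merged commit alone cannot push a release to PyPI.
    environment: pypi
    permissions:
      contents: read                 # the job needs nothing beyond reading the tag
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_TOKEN }}   # the secret named in the issue
```

Storing `PYPI_TOKEN` as an environment secret rather than a repository secret limits it to jobs that pass the environment's approval, and a project-scoped PyPI token limits the blast radius if it leaks.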

tristanlatr commented 2 years ago

Hi @chorsley,

I agree that automated publishing is a security risk because of what you've explained. The same risk is present when people install wappalyzer from sources, though.

I don't want to over-complicate the release process, like getting approval on all PRs. This is becoming a challenge for me on other open source software: I've been waiting for months for my PRs to get approved. So I don't want to go this route for this repo.

So I’m ok with manual publishing for now.

igibek commented 2 years ago

Hey, everyone

It is not totally related to the discussion above, but I decided to give you a heads up that PyPI still shows that the latest version is 0.3.1. Can someone publish the latest 0.4.0 version?

Thanks