search

fatiando / community

Community resources, guidelines, meeting notes, authorship policy, maintenance, etc.
Other
8 stars 4 forks source link

Use Trusted Publishers in PyPI instead of API tokens #141

Closed leouieda closed 6 months ago

leouieda commented 6 months ago

Description:

To get GitHub actions publishing to PyPI and TestPyPI, we had to create API tokens for each project and add them as Secrets to the respective repositories. These tokens are a bit dangerous if they leak since they give publishing rights. A better approach is the new Trusted Publishers in PyPI. Basically, admins can configure PyPI to exchange tokens with an Action running on a particular repo. Then we don't need the API tokens.

To do this:

  1. Make sure the PyPI Action is at least v1.8.12.
  2. On PyPI and TestPyPI, go to the package configuration, then "Publishing" and add our repository as a trusted publisher. Set the "environment" to "pypi".
  3. On the repository, edit the publish job of pypi.yml to look like this: 
    publish:
runs-on: ubuntu-latest
needs: build
# Only publish from the origin repository, not forks
if: github.repository_owner == 'fatiando' && github.event_name != 'pull_request'
environment: pypi
permissions:
  # This permission allows trusted publishing to PyPI (without an API token)
  id-token: write
  4. Remove the following from the steps that use the PyPI Action: 
    with:
user: __token__
password: ${{ secrets.TEST_PYPI_TOKEN}}
  5. Delete the PYPI_TOKEN and TEST_PYPI_TOKEN from the Secrets tab in the repository
  6. Remove the token from PyPI and TestPyPI

Apply to:

Further instructions:

We want your help!

We know that maintenance tasks are very demanding, so we don't expect a single person to tackle this issue by themselves. Any help is very welcomed, so please comment below that you want to take care of the changes on any repository and we will assign it to you.

leouieda commented 6 months ago

Done!

santisoler commented 6 months ago

Awesome! Thanks @leouieda for applying all these changes!