Open jorisroovers opened 1 year ago
* [ ] Consider adding branch protection rules
I was referring to the environment protections, not branch protection.
* [ ] Reconsider how dev builds are triggered from CI, splitting it out into a separate pipeline instead of calling the workflow directly from `ci.yml`
I don't see a problem with this for as long as the job has a separate environment set.
* [ ] Ensure publishing secrets aren't available to CI jobs
Hey @jorisroovers, I'd like to invite you to join the private beta of secretless publishing from GHA to PyPI. Please, fill out this form https://forms.gle/XUsRT8KTKy66TuUp7 to get in.
Note-to-self: This section in the OIDC docs has good suggestions on github action hardening: https://github.com/pypi/warehouse/blob/ab05dd4c137eb57ff55794a659062f02b4c326bc/docs/user/trusted-publishers/security-model.md#considerations
Just configured a few things:

* (…). This effectively makes me the only one who can add or delete tags.
* `main`:
  * `main`: require 1 or more approvals and no changes requested before they can be merged.
  * `main`: I've added the Python 3.11 tests, sdist-build-smoke-test, build-test and doc-checks.
* `main` can deploy to the production environment (i.e. PyPI).

Notes

Next up are job permissions. To consider as part of this:

* `ci.yml` (suggested by @webknjaz here: https://github.com/jorisroovers/gitlint/pull/418/files#r1131056985)
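As an added example (not gitlint's own `ci.yml` and not code posted in this thread), here is a workflow layout that applies the points raised above: a read-only default `permissions` block, test/build jobs that never see a publishing credential, and a separate `publish` job that is gated by a protected environment and uses PyPI trusted publishing (OIDC) instead of a stored API token. The job names, the `pypi` environment name, the `v*` tag pattern and the `dev` extra are assumptions.

```yaml
# Added example, not the project's own workflow. Job names, the "pypi"
# environment name, the tag pattern and the "dev" extra are assumptions.
name: ci

on:
  push:
    branches: [main]
    tags: ["v*"]
  pull_request:

# Default GITHUB_TOKEN scope for every job is read-only; a job that needs
# more must opt in explicitly under its own "permissions:" key.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      # "dev" extra is assumed; no secrets are referenced anywhere in CI jobs.
      - run: pip install -e '.[dev]' && pytest

  build:
    runs-on: ubuntu-latest
    needs: test
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install build && python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  # Publishing lives in its own job rather than inside the CI jobs:
  # it only runs for tag pushes, it is tied to the "pypi" environment
  # (where required reviewers and the deployment branch/tag rule are
  # configured in repository settings), and it is the only job allowed
  # to mint an OIDC token. No PyPI secret is stored in the repository.
  publish:
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    environment: pypi
    permissions:
      id-token: write   # needed for trusted publishing (OIDC)
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # Uploads dist/ using the OIDC token; no "password:" input is set.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The `if:` condition only stops the job from running by accident; what actually prevents a job started from another branch or tag from reaching PyPI is the environment's deployment branch/tag rule and required-reviewer setting in the repository's environment configuration, together with the trusted-publisher registration on PyPI being bound to this workflow file name and environment name. Keeping `permissions: id-token: write` on the `publish` job alone means a compromised step in `test` or `build` cannot obtain a token PyPI would accept.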