joshua-auchincloss / hatch-cython

cython hooks for hatch
MIT License

[CI/CD] GHA workflow for publishing to PyPI is misconfigured #28

Closed webknjaz closed 10 months ago

webknjaz commented 11 months ago

Looking at https://github.com/joshua-auchincloss/hatch-cython/blob/main/.github/workflows/build.yaml, I see a few problems there:

  • building is performed in the job having the OIDC privilege — this opens up possibilities for privilege escalation through poisoning the build scripts.

    Fix: move it into a separate job and pass as an artifact to the publishing one

  • the publishing job has OIDC privilege, but an API token is still passed, meaning that the secretless publishing isn't actually happening — it seems to be a half-migrated state where there are pieces that make it possible to drop the long-living API token but the toggle isn't actually switched to use newer short-lived tokens.

    Fix: remove the with: setting altogether, clean up the long-living API token from the repo secrets and revoke said token on the PyPI side

  • bonus points: a separately built artifact could be tested as installed and only then published — what's published currently can potentially start yielding different results from what's being tested

  • bonus points 2: sign the dists with sigstore and publish that to GH releases

https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

joshua-auchincloss commented 10 months ago

> Looking at https://github.com/joshua-auchincloss/hatch-cython/blob/main/.github/workflows/build.yaml, I see a few problems there:
>
>   • building is performed in the job having the OIDC privilege — this opens up possibilities for privilege escalation through poisoning the build scripts.
>
>     Fix: move it into a separate job and pass as an artifact to the publishing one
>
>   • the publishing job has OIDC privilege, but an API token is still passed, meaning that the secretless publishing isn't actually happening — it seems to be a half-migrated state where there are pieces that make it possible to drop the long-living API token but the toggle isn't actually switched to use newer short-lived tokens.
>
>     Fix: remove the with: setting altogether, clean up the long-living API token from the repo secrets and revoke said token on the PyPI side
>
>   • bonus points: a separately built artifact could be tested as installed and only then published — what's published currently can potentially start yielding different results from what's being tested
>
>   • bonus points 2: sign the dists with sigstore and publish that to GH releases
>
> https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

Hey! Thanks for the feedback - always striving for best practices :) I'll take a look at this in the coming days and review the release pattern
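The four points above (build in a job without the OIDC privilege, pass the dists as an artifact, publish via trusted publishing with no API token, test the built artifact before publishing, and sign with sigstore for the GitHub release) can be laid out as one workflow. The YAML below is an added example written for this thread, not the repository's actual build.yaml and not a file from the project: the tag trigger, the `pypi` environment name, the `python-package-distributions` artifact name, the `hatch_cython` import name used as the smoke test, and the pinned action versions are all assumptions. It also assumes a trusted publisher for this repository, workflow file and environment has been registered on the PyPI side, which is what lets the `with: password:` line be dropped.

```yaml
name: release

on:
  push:
    tags: ["v*"]   # assumed trigger; the real workflow may use a different one

# Start every job with no permissions; each job asks only for what it needs.
permissions: {}

jobs:
  build:
    # No id-token permission here: a poisoned build script (setup.py, hatch hooks,
    # a malicious dependency) runs in a job that cannot mint an OIDC token.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # don't leave the GITHUB_TOKEN in .git/config
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install --upgrade build
      - run: python -m build           # produces dist/*.tar.gz and dist/*.whl
      - uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions   # assumed artifact name
          path: dist/
          if-no-files-found: error

  test-install:
    # Exercise the exact files that will be published, not a fresh build.
    needs: build
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - run: python -m pip install dist/*.whl
      - run: python -c "import hatch_cython"   # assumed import name for the smoke test

  publish:
    needs: test-install
    runs-on: ubuntu-latest
    environment: pypi        # assumed environment name; must match the trusted publisher on PyPI
    permissions:
      id-token: write        # only this job may mint the OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      # No `with: password:` block: the action exchanges the OIDC token for a
      # short-lived PyPI token itself, so no long-lived API token lives in repo secrets.
      - uses: pypa/gh-action-pypi-publish@release/v1

  sign-and-release:
    needs: publish
    runs-on: ubuntu-latest
    permissions:
      contents: write        # create the GitHub release and upload assets
      id-token: write        # sigstore keyless signing also uses the OIDC identity
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - uses: sigstore/gh-action-sigstore-python@v3.0.0   # pinned version is an assumption
        with:
          inputs: >-
            ./dist/*.tar.gz
            ./dist/*.whl
      # Use env vars rather than ${{ }} inside run: scripts so ref names can't be
      # injected into the shell.
      - env:
          GITHUB_TOKEN: ${{ github.token }}
        run: gh release create "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" --notes ""
      - env:
          GITHUB_TOKEN: ${{ github.token }}
        run: gh release upload "$GITHUB_REF_NAME" dist/** --repo "$GITHUB_REPOSITORY"
```

The check to make after switching is on the PyPI side rather than in the workflow: once the first trusted-publishing upload succeeds, the old API token should be deleted from the repository secrets and revoked in the PyPI account, since a revoked token is the only thing that actually closes the "half-migrated" state described above.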