luk3yx / miniirc

A mini IRC framework.
MIT License
11 stars, 1 fork

Publish to PyPI via GitHub Releases only, using CI/CD workflow #22

Closed impredicative closed 4 years ago

impredicative commented 4 years ago

It is easy to forget to tag a new PyPI release on GitHub. This can be automated, for example by publishing to PyPI via the Releases feature in the web UI of GitHub. This or some other condition would trigger the PyPI publish. In this way your PyPI token can also avoid existing on your local disk where it can risk being stolen. I'm using this approach in my packages urltitle and bitlyshortener using GitHub Actions.

luk3yx commented 4 years ago

I have added a starter workflow (in commit 767e0bf8c65aa9957e6b2cc415ea9a0ad026b9fd), I will leave this issue open until the next miniirc release to ensure it works correctly.

I also use full disk encryption, my PyPI password shouldn't be able to be stolen easily.

impredicative commented 4 years ago

In the workflow, I encourage using a PyPI token instead of the username and password. The token can be generated on the PyPI website. I acknowledge that what's there now is a starter workflow.

Even with full disk encryption, there are sometimes malicious libraries that read files on disk and upload their contents. I basically no longer have a need for the file on disk.

luk3yx commented 4 years ago

> In the workflow, I encourage using a PyPI token instead of the username and password. The token can be generated on the PyPI website. I acknowledge that what's there now is a starter workflow.

Thanks for pointing that option out, I have changed GitHub actions to use a token (and enabled 2FA on PyPI).

impredicative commented 4 years ago

TWINE_USERNAME in the workflow can just be the literal string __token__. It is not a secret anymore. Just TWINE_PASSWORD is a secret, with its value being the actual token.
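The setup the thread converges on (publish only when a GitHub Release is published, authenticate with a PyPI API token, `__token__` as the non-secret username), written out as an added example workflow. This is not the file from commit 767e0bf8c65aa9957e6b2cc415ea9a0ad026b9fd or any other miniirc file; the secret name `PYPI_API_TOKEN`, the action versions and the build commands are assumptions.

```yaml
# Added example (not the miniirc repository's own workflow).
# Publishes to PyPI only when a release is published in the GitHub web UI,
# so a forgotten tag cannot silently leave PyPI ahead of GitHub.
name: Publish to PyPI

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      - name: Install build tooling
        run: python -m pip install --upgrade pip build twine

      - name: Build sdist and wheel
        run: python -m build

      # Fails the job on broken metadata/README before anything is uploaded.
      - name: Check distributions
        run: twine check dist/*

      - name: Upload to PyPI
        env:
          # For API-token auth the username is the literal string __token__.
          # It is not a secret; only the token value is.
          TWINE_USERNAME: __token__
          # PYPI_API_TOKEN is an assumed repository-secret name holding the
          # token generated on the PyPI website (value starts with "pypi-").
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
        run: twine upload dist/*
```

Two practitioner notes: generate the token scoped to the single project rather than to the whole PyPI account, so a leaked secret cannot be used to push to other packages; and because the token lives only in GitHub's encrypted secrets store, nothing on the maintainer's disk needs to hold it, which is the point impredicative makes about malicious libraries reading local files.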