python-cachier / cachier

Persistent, stale-free, local and cross-machine caching for Python functions.
MIT License

Add a reference to the correct environment to pypi releaseflow #181

Closed shaypal5 closed 6 months ago

shaypal5 commented 6 months ago

Hey, I'd love your help, @Borda .

I've set up a new dedicated GitHub Actions environment for this repository, named pypi_publish, which has a PYPI_PASSWORD secret with cachier's PyPI API token.

However, from what I understand, a GitHub Actions environment is a job-level property: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment

This seems a bit risky to me; a possible attack on PyPI secrets is now not only doing something fishy in the gh-action-pypi-publish@v1.8.11 action, but also in any unrelated action we use earlier in the flow (in this case, AButler/upload-release-assets@v3.0).

So my question is, can you figure out a way to separate the PyPI upload step into a separate job in the same flow? Alternatively, is there a way to set up the environment for only a single step?

Cheers!

codecov[bot] commented 6 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (c16f0f1) 97.89% compared to head (c3fa0a5) 97.85%. Report is 8 commits behind head on master.

Additional details and impacted files

[![Impacted file tree graph](https://app.codecov.io/gh/python-cachier/cachier/pull/181/graphs/tree.svg?width=650&height=150&src=pr&token=fhsTDs7HL9&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier)](https://app.codecov.io/gh/python-cachier/cachier/pull/181?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier)

```diff
@@            Coverage Diff             @@
##           master     #181      +/-   ##
==========================================
- Coverage   97.89%   97.85%   -0.05%
==========================================
  Files           6        6
  Lines         523      512      -11
  Branches       94       96       +2
==========================================
- Hits          512      501      -11
  Misses         10       10
  Partials        1        1
```

| [Files](https://app.codecov.io/gh/python-cachier/cachier/pull/181?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier) | Coverage Δ | |
|---|---|---|
| [cachier/core.py](https://app.codecov.io/gh/python-cachier/cachier/pull/181?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier#diff-Y2FjaGllci9jb3JlLnB5) | `100.00% <100.00%> (ø)` | |
| [cachier/cores/base.py](https://app.codecov.io/gh/python-cachier/cachier/pull/181?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier#diff-Y2FjaGllci9jb3Jlcy9iYXNlLnB5) | `100.00% <100.00%> (ø)` | |
| [cachier/cores/mongo.py](https://app.codecov.io/gh/python-cachier/cachier/pull/181?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier#diff-Y2FjaGllci9jb3Jlcy9tb25nby5weQ==) | `94.91% <100.00%> (ø)` | |
| [cachier/cores/pickle.py](https://app.codecov.io/gh/python-cachier/cachier/pull/181?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier#diff-Y2FjaGllci9jb3Jlcy9waWNrbGUucHk=) | `100.00% <100.00%> (ø)` | |

------

[Continue to review full report in Codecov by Sentry](https://app.codecov.io/gh/python-cachier/cachier/pull/181?src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier).

> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier)
> `Δ = absolute (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://app.codecov.io/gh/python-cachier/cachier/pull/181?src=pr&el=footer&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier). Last update [5f627e7...c3fa0a5](https://app.codecov.io/gh/python-cachier/cachier/pull/181?src=pr&el=lastupdated&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=python-cachier).

Borda commented 6 months ago

> So my question is, can you figure out a way to separate the PyPI upload step into a separate job in the same flow?

yes we can simply use twine upload ...
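The layout that shaypal5's question asks for and Borda's reply points at (the PyPI upload in its own job, gated on the dedicated environment, done with `twine upload`) looks like the workflow below. This is an added illustration written for this thread, not the repository's actual release workflow: the job names, the trigger, the build steps and the artifact name are assumptions, and the `files` / `repo-token` inputs of the asset-upload action are assumed from that action's documentation. The environment name `pypi_publish`, the secret name `PYPI_PASSWORD` and the `AButler/upload-release-assets@v3.0` action are the ones named in the thread.

```yaml
# Added example workflow (not cachier's own release flow). Job names, trigger,
# build steps and the artifact name are assumptions for illustration.
name: release

on:
  release:
    types: [published]

# Least-privilege default for GITHUB_TOKEN; jobs raise only what they need.
permissions:
  contents: read

jobs:
  build:
    # Builds the distributions once. No environment is declared here, so
    # nothing in this job can resolve secrets.PYPI_PASSWORD.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install --upgrade build
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  github-release-assets:
    # The third-party action runs in a job without the pypi_publish
    # environment, so a compromise of it cannot reach the PyPI token.
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write   # required to attach files to the GitHub release
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: AButler/upload-release-assets@v3.0
        with:
          # input names assumed from the action's docs; keep whatever the
          # existing release step already passes
          files: "dist/*"
          repo-token: ${{ secrets.GITHUB_TOKEN }}

  pypi-upload:
    # Only this job declares the environment, so only these steps can read
    # PYPI_PASSWORD, and any protection rules on pypi_publish apply here.
    # It uses no third-party actions at all.
    needs: build
    runs-on: ubuntu-latest
    environment: pypi_publish
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install --upgrade twine
      - run: python -m twine check dist/*
      - run: python -m twine upload dist/*
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
```

The point of the split is that the environment, and with it the secret, is attached to the job, not to the workflow: `build` and `github-release-assets` never see `PYPI_PASSWORD`, and the only job that does runs nothing but first-party actions and a `twine` invocation over artifacts produced upstream. The `permissions` block keeps the default `GITHUB_TOKEN` read-only, with `contents: write` granted solely to the job that has to attach release assets. `twine check` is a cheap sanity check on the built distributions before anything is uploaded.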

shaypal5 commented 6 months ago

Awaiting your approval, @Borda