Closed shaypal5 closed 6 months ago
All modified and coverable lines are covered by tests :white_check_mark:
Comparison is base (c16f0f1) 97.89% compared to head (c3fa0a5) 97.85%. Report is 8 commits behind head on master.
So my question is, can you figure out a way to separate the PyPI upload step into a separate job in the same flow?
yes we can simply use twine upload ...
Awaiting your approval, @Borda
Hey, I'd love your help, @Borda .
I've set up a new dedicated GitHub Actions environment for this repository, named `pypi_publish`, which has a `PYPI_PASSWORD` secret with `cachier`'s PyPI API token. However, from what I understand, a GitHub Actions environment is a job-level property: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment
This seems a bit risky to me; a possible attack on PyPI secrets is now not only doing something fishy in the `gh-action-pypi-publish@v1.8.11` action, but also in any unrelated action we use earlier in the flow (in this case, `AButler/upload-release-assets@v3.0`).

So my question is, can you figure out a way to separate the PyPI upload step into a separate job in the same flow? Alternatively, is there a way to set up the environment for only a single step?
Cheers!
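The split the thread is asking about, as an added example workflow that is not the cachier project's own release workflow. It assumes the package builds with `python -m build`, that the release is triggered by a published GitHub release, and that the `files`/`repo-token` inputs of `AButler/upload-release-assets` are as documented in that action's README (check them before use). The environment name `pypi_publish` and the secret `PYPI_PASSWORD` are taken from the discussion above; `pypa` is the owner of `gh-action-pypi-publish`.

```yaml
# Added example (not the project's own workflow): the PyPI token lives in the
# `pypi_publish` environment, and only the `publish` job declares that
# environment, so earlier steps and unrelated third-party actions never see it.
name: release

on:
  release:
    types: [published]

# Default to a read-only token; jobs opt in to more below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only needed to attach assets to the GitHub release
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed interpreter version
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build
      - name: Attach distributions to the GitHub release
        uses: AButler/upload-release-assets@v3.0
        with:
          files: "dist/*"
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      # Hand the exact built files to the next job instead of rebuilding there.
      - name: Upload distributions for the publish job
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Environment secrets are injected only into jobs that declare the
    # environment; the `build` job above cannot read PYPI_PASSWORD.
    environment: pypi_publish
    steps:
      # No checkout here: the job only needs the artifact produced by `build`.
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@v1.8.11
        with:
          password: ${{ secrets.PYPI_PASSWORD }}
```

Two things worth noting about this layout. First, it answers the question as asked: there is no step-level environment in GitHub Actions, so a dedicated job is the unit at which the secret can be scoped, and `needs: build` keeps it in the same workflow run. Second, it narrows the blast radius but does not remove it: a compromised action in `build` still cannot read the token, but it does run before the distributions are uploaded as an artifact, so what reaches PyPI is only as trustworthy as the `build` job. Pinning third-party actions to a commit SHA rather than a tag, and reviewing what lands in `dist/`, are the complementary controls for that half of the risk.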