Closed tomchristie closed 2 years ago
Is python-hyper's policy of auto-inviting anyone who commits to have the commit bit compatible with tag-to-deploy release strategy? All it'd take is one account to go rogue and we'd have a compromised package.
Yes - who gets the publish keys is a pretty tricky problem, isn't it.
This would be easier if GitHub's policy happened to be that "Maintain"-level access was required in order to create releases. That'd be helpful because you could have the majority of a team with "Write"-level access, but then just 2 or 3 folks with "Maintain" or "Admin", who're able to hit the big red deploy button.
I've taken a big dig around GitHub's docs on securing actions etc. to see if there's a good solution to this at the moment. Perhaps there's some creative way around, but I can't find anything that's quite suitable. Which is a shame, because GitHub Actions + releases together are otherwise a really fantastic way of managing deploys. (And are great if you are okay with a policy of write-access maintainers can deploy.)
It looks like GitHub enterprise provides custom roles, currently in beta, which I think would allow an appropriate setup. (General team with PR read/write permissions, plus a small admin team with release management permissions.)
Those(non-existent) custom actions are visible in h11
's settings but there's no "create a role" button.
Right - there is a way you can do this, while still having admin sign-off on deploys.
Create a GitHub environment with required reviews. You can then add the PYPI_TOKEN
to that environment only.
You can then specify in the workflow config to run against that environment.
Hi folks 👋🏼
Here's a pass at what I think we'd need in order to have automated deployments, triggered by tagging a GitHub release.
PYPI_TOKEN
in the repo settings.The PR would perhaps also need to be fleshed out with something like a
DEPLOYMENT.md
text (or similar?) to describe the release process.