search

python-hyper / h11

A pure-Python, bring-your-own-I/O implementation of HTTP/1.1
https://h11.readthedocs.io/
MIT License
490 stars 62 forks source link

GitHub action for automated deployment #142

Closed tomchristie closed 2 years ago

tomchristie commented 2 years ago

Hi folks 👋🏼

Here's a pass at what I think we'd need in order to have automated deployments, triggered by tagging a GitHub release.

The PR would perhaps also need to be fleshed out with something like a DEPLOYMENT.md text (or similar?) to describe the release process.

sethmlarson commented 2 years ago

Is python-hyper's policy of auto-inviting anyone who commits to have the commit bit compatible with tag-to-deploy release strategy? All it'd take is one account to go rogue and we'd have a compromised package.

tomchristie commented 2 years ago

Yes - who gets the publish keys is a pretty tricky problem, isn't it.

This would be easier if GitHub's policy happened to be that "Maintain"-level access was required in order to create releases. That'd be helpful because you could have the majority of a team with "Write"-level access, but then just 2 or 3 folks with "Maintain" or "Admin", who're able to hit the big red deploy button.

I've taken a big dig around GitHub's docs on securing actions etc. to see if there's a good solution to this at the moment. Perhaps there's some creative way around, but I can't find anything that's quite suitable. Which is a shame, because GitHub Actions + releases together are otherwise a really fantastic way of managing deploys. (And are great if you are okay with a policy of write-access maintainers can deploy.)

It looks like GitHub enterprise provides custom roles, currently in beta, which I think would allow an appropriate setup. (General team with PR read/write permissions, plus a small admin team with release management permissions.)

Those(non-existent) custom actions are visible in h11's settings but there's no "create a role" button.

tomchristie commented 2 years ago

Right - there is a way you can do this, while still having admin sign-off on deploys.

Create a GitHub environment with required reviews. You can then add the PYPI_TOKEN to that environment only.

You can then specify in the workflow config to run against that environment.