sarugaku / shellingham

Tool to Detect Surrounding Shell
ISC License
222 stars 33 forks

Add trusted_publishing via Pypi #85

Closed michaelfeil closed 5 months ago

michaelfeil commented 5 months ago

Benefit: If someone submits a PR, they cannot steal the PYPI_TOKEN. Closes #84

Adapted from: https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file#trusted-publishing

There are some steps that the admin of this repo needs to do. Both are UI actions.

TODO:

1. Pypi.org: Follow the pypi guide https://docs.pypi.org/trusted-publishers/adding-a-publisher/

This should roughly do it:

- owner "sarugaku"
- repository name "shellingham"
- workflow "publish.yml"
- environment name "pypi" # The name of the environment in the yaml needs to match the name in the github UI and what you put on pypi

2. Github.com: Create an environment named "pypi" in the github UI under environments. Below is a screenshot of the project github.com/michaelfeil/infinity, where I added e.g. myself as Required Reviewer (e.g. if someone else pushes a tag to my repo, this stalls the github CI, and I get a notification to approve the publish.yml workflow).

(screenshot)
michaelfeil commented 5 months ago

@uranusjr

uranusjr commented 5 months ago

Alright I think I’ve set things up… Let’s see next time we need to release something. Thanks a lot!