Skip to content

ci: Use trusted publishers for publishing to PyPI #353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 22, 2024
Merged

ci: Use trusted publishers for publishing to PyPI #353

merged 1 commit into from
Mar 22, 2024

Conversation

@matthewfeickert
Copy link
Member

@matthewfeickert matthewfeickert commented Mar 22, 2024

For a full example (with lots of discussion) c.f. scikit-hep/pyhf#2183

For a concise summary, c.f. the Scientific Python Developer Guide section on this.

What is required of a maintainer for this to work

  1. Login to PyPI
  2. Follow the Adding a trusted publisher to an existing PyPI project instructions.

@matthewfeickert
ci: Use trusted publishers for publishing to PyPI
8fcd95c 
* Use the OpenID Connect (OIDC) standard to publish to PyPI using PyPI's
  "Trusted Publisher" implementation to publish without using API tokens
  stored as GitHub Actions secrets.
   - c.f. https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
   - c.f. https://docs.pypi.org/trusted-publishers/
@codecov
Copy link

codecov bot commented Mar 22, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.89%. Comparing base (f3e9540) to head (8fcd95c).

Additional details and impacted files 
@@             Coverage Diff              @@
##           3.0_develop     #353   +/-   ##
============================================
  Coverage        79.89%   79.89%           
============================================
  Files               41       41           
  Lines             2253     2253           
============================================
  Hits              1800     1800           
  Misses             453      453
Flag Coverage Δ
unittests 79.89% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

matthewfeickert
matthewfeickert commented Mar 22, 2024
View reviewed changes
.github/workflows/pypi.yaml
Comment on lines +10 to +13
# Mandatory for publishing with a trusted publisher
# c.f. https://docs.pypi.org/trusted-publishers/using-a-publisher/
permissions:
id-token: write
Copy link
Member Author

@matthewfeickert matthewfeickert Mar 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here I have not added the strongly encouraged recommendation of adding a specific release environment (would be done under https://github.com/ssl-hep/ServiceX_frontend/settings/environments) as I wanted to run this past the dev team first. If this is of interest, I can add it in and explain any questions people have.

@matthewfeickert
Copy link
Member Author

matthewfeickert commented Mar 22, 2024

@BenGalewsky @gordonwatts @ponyisi This is ready for review. Though not something that needs to be rushed, as I know we're all busy today.

BenGalewsky
BenGalewsky approved these changes Mar 22, 2024
View reviewed changes
Copy link
Contributor

@BenGalewsky BenGalewsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome to the future! So grateful for your dedication to the scientific python ecosystem.

Just make an issue for switching to environments. I think there could be a few complexities there for our current workflow

@BenGalewsky BenGalewsky merged commit 4b8403c into ssl-hep:3.0_develop Mar 22, 2024
@matthewfeickert matthewfeickert deleted the ci/use-pypi-trusted-publishers branch March 22, 2024 19:42
@matthewfeickert matthewfeickert mentioned this pull request Mar 22, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@BenGalewsky BenGalewsky BenGalewsky approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matthewfeickert @BenGalewsky