-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add trusted publishing (OIDC) #1135
base: main
Are you sure you want to change the base?
Conversation
Happy to help. Let me know. |
Thanks @fonnesbeck! I sent you a DM EDIT: Will probably have to wait till tomorrow due to timezones. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1135 +/- ##
==========================================
+ Coverage 82.10% 82.12% +0.01%
==========================================
Files 185 185
Lines 48130 48130
Branches 8669 8669
==========================================
+ Hits 39519 39527 +8
+ Misses 6444 6438 -6
+ Partials 2167 2165 -2 |
Just had a session with @fonnesbeck, so the necessary settings are in both PyPI and GitHub, so this should be ready to merge. Hopefully I didn't make any mistakes 🙈 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, but I just have one question. Why are the wheel and sdist checks done separately when you had unified them into a single step using an external tool? That looked like a cleaner solution to me.
|
||
- name: Build SDist | ||
run: pipx run build --sdist | ||
|
||
- name: Attest GitHub build provenance |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Over at the pymc repo you had unified the sdist and bdist_wheel steps into a single check from a different tool. Why not do that here too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @maresb
Description
Increase the security of our release process by enabling OIDC.
This mirrors pymc-devs/pymc#7622 and follows similar efforts in pymc-labs/pymc-marketing#975 and pymc-labs/CausalPy@f38030b which AFAIK have been working seamlessly.
While this is a draft release, the only blocker is my lack of permissions on PyPI. TODO:
release
environment I recently createdFor PyPI, I need help from one of @fonnesbeck, @michaelosthege, @twiecki. I'm happy to hop on a call with any of you so that we can bring this over the finish line.
This requires a new release to properly test. (We could also mostly-test this if we set up a test-pypi step, but let's do that separately if people want.)
The only change is that when publishing, one of the "required reviewers" for releases as defined in the
release
environment needs to approve the "Upload to PyPI on release" job before it executes. This helps to limit the possibilities for anyone trying to publish a fake release to PyPI.Once there has been a release so that we confirm that this workflow is working properly, then we should delete the PyPI token. (Otherwise there is a lingering risk that someone somehow steals the token and gains privileges over the PyPI project.)
Checklist
Type of change
📚 Documentation preview 📚: https://pytensor--1135.org.readthedocs.build/en/1135/