Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add trusted publishing (OIDC) #1135

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Add trusted publishing (OIDC) #1135

wants to merge 4 commits into from

Conversation

maresb
Copy link
Contributor

@maresb maresb commented Dec 22, 2024

Description

Increase the security of our release process by enabling OIDC.

This mirrors pymc-devs/pymc#7622 and follows similar efforts in pymc-labs/pymc-marketing#975 and pymc-labs/CausalPy@f38030b which AFAIK have been working seamlessly.

While this is a draft release, the only blocker is my lack of permissions on PyPI. TODO:

  • In PyPI, enable trusted publishing from the release environment I recently created

For PyPI, I need help from one of @fonnesbeck, @michaelosthege, @twiecki. I'm happy to hop on a call with any of you so that we can bring this over the finish line.

This requires a new release to properly test. (We could also mostly-test this if we set up a test-pypi step, but let's do that separately if people want.)

The only change is that when publishing, one of the "required reviewers" for releases as defined in the release environment needs to approve the "Upload to PyPI on release" job before it executes. This helps to limit the possibilities for anyone trying to publish a fake release to PyPI.

Once there has been a release so that we confirm that this workflow is working properly, then we should delete the PyPI token. (Otherwise there is a lingering risk that someone somehow steals the token and gains privileges over the PyPI project.)

Checklist

Type of change

  • New feature / enhancement
  • Bug fix
  • Documentation
  • Maintenance
  • Other (please specify):

📚 Documentation preview 📚: https://pytensor--1135.org.readthedocs.build/en/1135/

@maresb maresb marked this pull request as draft December 22, 2024 19:03
@fonnesbeck
Copy link
Member

Happy to help. Let me know.

@maresb
Copy link
Contributor Author

maresb commented Dec 22, 2024

Happy to help. Let me know.

Thanks @fonnesbeck! I sent you a DM

EDIT: Will probably have to wait till tomorrow due to timezones.

Copy link

codecov bot commented Dec 22, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.12%. Comparing base (231a977) to head (b52a09c).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1135      +/-   ##
==========================================
+ Coverage   82.10%   82.12%   +0.01%     
==========================================
  Files         185      185              
  Lines       48130    48130              
  Branches     8669     8669              
==========================================
+ Hits        39519    39527       +8     
+ Misses       6444     6438       -6     
+ Partials     2167     2165       -2     

see 2 files with indirect coverage changes

@maresb maresb marked this pull request as ready for review December 23, 2024 21:47
@maresb
Copy link
Contributor Author

maresb commented Dec 23, 2024

Just had a session with @fonnesbeck, so the necessary settings are in both PyPI and GitHub, so this should be ready to merge. Hopefully I didn't make any mistakes 🙈

Copy link
Contributor

@lucianopaz lucianopaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, but I just have one question. Why are the wheel and sdist checks done separately when you had unified them into a single step using an external tool? That looked like a cleaner solution to me.


- name: Build SDist
run: pipx run build --sdist

- name: Attest GitHub build provenance
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Over at the pymc repo you had unified the sdist and bdist_wheel steps into a single check from a different tool. Why not do that here too?

Copy link
Contributor Author

@maresb maresb Dec 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Compilation/extensions.

From the build-and-inspect-python-package readme:
image

Copy link
Contributor

@lucianopaz lucianopaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @maresb

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants