Merge remote-tracking branch 'origin' into feat-core-metadata

Author: joshuarli

.github/workflows/build.yml

@@ -54,6 +54,9 @@ jobs:
     needs: [linux, macos]
     if: github.event_name != 'pull_request'
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
     - uses: actions/checkout@v3
     - uses: actions/setup-python@v4
@@ -64,8 +67,8 @@ jobs:
       with:
         path: dist
     - run: python3 -um make_index --pypi-url https://pypi.devinfra.sentry.io --dest index
-    - uses: google-github-actions/auth@v0
+    - uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
       with:
-        credentials_json: ${{ secrets.PYPI_DEVINFRA_SENTRY_IO }}
-    - run: yes | gcloud auth login --cred-file="$GOOGLE_APPLICATION_CREDENTIALS"
+        workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
+        service_account: [email protected]
     - run: python3 -uS bin/upload-artifacts

bin/upload-artifacts

@@ -6,9 +6,9 @@ import os.path
 import shlex
 import subprocess
 
-CACHE_ONE_HOUR = ("-h", "Cache-Control: public, max-age=3600")  # gcs default
-CACHE_FIVE_MINUTES = ("-h", "Cache-Control: public, max-age=300")
-CACHE_NO = ("-h", "Cache-Control: no-store")
+CACHE_ONE_HOUR = ("--cache-control", "public, max-age=3600")  # gcs default
+CACHE_FIVE_MINUTES = ("--cache-control", "public, max-age=300")
+CACHE_NO = ("--cache-control", "no-store")
 
 
 def main() -> int:
@@ -24,20 +24,20 @@ def main() -> int:
     cmds = (
         # upload wheels first before the index
         (
-            "gsutil",
-            *CACHE_ONE_HOUR,  # these are immutable so cache at default
-            "-m",  # parallel
+            "gcloud",
+            "storage",
             "cp",
             "-n",  # no-clobber
+            *CACHE_ONE_HOUR,  # these are immutable so cache at default
             os.path.join(args.index, "wheels", "*"),
             "gs://pypi.devinfra.sentry.io/wheels/",
         ),
         # upload the site parts in clobber mode (may be updating pages)
         (
-            "gsutil",
-            *CACHE_FIVE_MINUTES,  # shorter than default to make pip snappier
-            "-m",  # parallel
+            "gcloud",
+            "storage",
             "cp",
+            *CACHE_FIVE_MINUTES,  # shorter than default to make pip snappier
             "-r",  # recursive
             *(
                 os.path.join(args.index, name)
@@ -47,10 +47,11 @@ def main() -> int:
             "gs://pypi.devinfra.sentry.io",
         ),
         (
-            "gsutil",
+            "gcloud",
+            "storage",
+            "cp",
             # the packages.json file must be consistently read so no caching
             *CACHE_NO,
-            "cp",
             os.path.join(args.index, "packages.json"),
             "gs://pypi.devinfra.sentry.io",
         ),

docker/requirements.txt

@@ -21,4 +21,4 @@ wheel==0.38.4
 
 # The following packages are considered to be unsafe in a requirements file:
 pip==23.3
-setuptools==70.0.0
+setuptools==78.1.1