_posts/2024-12-13-python-packaging-security.md
+9 -9 (9 additions & 9 deletions)
@@ -20,7 +20,7 @@ last_modified: 2024-12-19
20
20
21
21
We can learn a lot from the Python package breach [involving Ultralytics](https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/). This breach highlighted the importance of making our PyPI publishing workflows for Python packages more secure.
22
22
23
-
In this breach, hackers exploited a GitHub action workflow to inject malicious code into a Python package. This package was then published to PyPI. The outcome: Users who downloaded the package unknowingly allowed their machines to be hijacked for Bitcoin mining.
23
+
In this breach, hackers exploited a GitHub Actions workflow to inject malicious code into a Python package. This package was then published to PyPI. The outcome: users who downloaded the package unknowingly allowed their machines to be hijacked for Bitcoin mining.
24
24
25
25
{% include pyos-blockquote.html quote="Hackers tricked a Python package into running bad code, using other people’s computers to mine Bitcoin without permission. Yikes!" class="highlight" %}
26
26
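Review bot: The pull quote on line 25 still says hackers "tricked a Python package into running bad code", which does not match the corrected sentence on line 23, where the thing exploited is the GitHub Actions workflow and the package is what carried the injected code. Since the rest of the post is about hardening the workflow, suggest rewording the quote so the workflow is the thing that was tricked, for example "Hackers exploited a publishing workflow to ship bad code in a Python package, ...". The hunk header also shows `last_modified: 2024-12-19`; bump it if this edit lands after that date.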
@@ -42,9 +42,9 @@ Below are **3 things that you can do right now** to secure your PyPI Python pack
42
42
43
43
### Secure GitHub--Human and GitHub--PyPI connections
44
44
45
-
1. 🔒 If you have a GitHub action that publishes to PyPI, make sure that the **publish section of your action uses a controlled GitHub environment**. Name that environment `pypi` and set environment permissions in GitHub that allow specific trusted maintainers to authorize the environment to run. I'll show you how to do this below.
45
+
1. 🔒 If you have a GitHub Action that publishes to PyPI, make sure that the **publish section of your action uses a controlled GitHub environment**. Name that environment `pypi` and set environment permissions in GitHub that allow specific trusted maintainers to authorize the environment to run. I'll show you how to do this below.
46
46
1. 🤝 Create a **Trusted Publisher link between your package's (GitHub/GitLab) repository and PyPI**. You can call this trusted connection within the locked-down GitHub environment (named `pypi`) that you created above.
47
-
1. 🍒 Add [`zizmor`](https://woodruffw.github.io/zizmor/) to your build to check GitHub actions for vulnerabilities. You can run zizmor on your workflow files locally, or you can set it up as a pre-commit hook which is probably a better bet.
47
+
1. 🍒 Add [`zizmor`](https://woodruffw.github.io/zizmor/) to your build to check GitHub Actions for vulnerabilities. You can run zizmor on your workflow files locally, or you can set it up as a pre-commit hook which is probably a better bet.
48
48
49
49
Together, these three steps protect both sides of your PyPI publication process--the trigger on GitHub and the connection between GitHub and PyPI. 🚀🚀🚀
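Review bot: Lines 45 and 47 now capitalize "GitHub Action" and "GitHub Actions", but in both places the thing meant is a workflow: line 45 talks about something "that publishes to PyPI" with a "publish section", and line 47 itself says zizmor runs "on your workflow files". Line 23 of this same change already uses "GitHub Actions workflow", so suggest "a GitHub Actions workflow that publishes to PyPI" on line 45 and "check your GitHub Actions workflows for vulnerabilities" on line 47 to keep the term consistent. Line 47 also wants a comma before "which is probably a better bet".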
The Ultralytics breach highlights the need for us all to follow and understand secure PyPI publishing practices and carefully monitor workflows. Below are actionable steps you can take to enhance security when publishing Python packages to PyPI using GitHub actions.
58
+
The Ultralytics breach highlights the need for us all to follow and understand secure PyPI publishing practices and carefully monitor workflows. Below are actionable steps you can take to enhance security when publishing Python packages to PyPI using GitHub Actions.
59
59
60
60
<iclass="fa-solid fa-circle-info"></i> [PyPA provides a great overview of using actions to publish your Python package.](https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/)
61
61
{: .notice }
62
62
63
63
## 1. Create a dedicated GitHub environment for publishing actions
64
64
65
-
First, make sure that your PyPI publish GitHub action uses an isolated GitHub environment. Isolated environments ensure your publishing process remains secure even if other parts of your CI pipeline are compromised. This is because you can lock an environment down by ensuring that only specific users can authorize this environment to run.
65
+
First, make sure that your PyPI publish GitHub Action uses an isolated GitHub environment. Isolated environments ensure your publishing process remains secure even if other parts of your CI pipeline are compromised. This is because you can lock an environment down by ensuring that only specific users can authorize this environment to run.
66
66
67
67
68
-
A GitHub action is a CI/CD (Continuous Integration/Continuous Deployment) tool that allows you to automate tests. [Click here to read more about what CI/CI is.](https://www.pyopensci.org/python-package-guide/continuous-integration/ci.html)
68
+
A GitHub Action is a CI/CD (Continuous Integration/Continuous Deployment) tool that allows you to automate tests. [Click here to read more about what CI/CI is.](https://www.pyopensci.org/python-package-guide/continuous-integration/ci.html)
69
69
{: .notice .notice--success }
70
70
71
71
If you look at the workflow example below, notice that we have an [environment called `pypi`](https://github.com/pyOpenSci/pyosMeta/blob/2a09fba/.github/workflows/publish-pypi.yml#L57) that is used for trusted publishing. The `pypi` environment creates a direct link between this action and PyPI Trusted Published (discussed below).
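Review bot: Line 68 is rewritten by this change but its link text still reads "what CI/CI is"; it should be "CI/CD", matching the expansion given earlier in the same sentence. While touching this block, the unchanged line 71 says "PyPI Trusted Published", which should read "Trusted Publisher" as on line 46.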
@@ -84,7 +84,7 @@ If you look at the workflow example below, notice that we have an [environment c
84
84
```
85
85
*****
86
86
87
-
To lockdown a GitHub environment:
87
+
To lock down a GitHub environment:
88
88
89
89
* First, go to the <kbd>Settings</kbd> in your repository where the workflow is run
90
90
* Within settings, select **environments** from the left-hand sidebar
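Review bot: Line 90, left unchanged here, tells the reader to select **environments** in lowercase bold, while line 89 marks the UI element as `<kbd>Settings</kbd>`. Since this commit is a capitalization and naming pass, suggest `<kbd>Environments</kbd>` on line 90 so the step matches the sidebar label and the markup used one line earlier.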
@@ -95,9 +95,9 @@ To lockdown a GitHub environment:
95
95
*Optionally, you can click <kbd>prevent self-review</kbd>, preventing someone from triggering a release or a build and then running it!*
96
96
97
97
<figure>
98
-
<img src="/images/python-packaging/create-github-environment.gif" alt="Animated gif file that shows the github interface where you can click on settings and go to the environment setting to create or edit a GitHub environment">
98
+
<img src="/images/python-packaging/create-github-environment.gif" alt="Animated gif file that shows the GitHub interface where you can click on settings and go to the environment setting to create or edit a GitHub environment">
99
99
<figcaption>
100
-
To create a new environment to use in a GitHub action, 1) go to your repo's settings; 2) click <kbd>environment</kbd>; 3) add a new environment. In this screenshot, we already have a <kbd>pypi</kbd> environment created. Note that you can name your environment whatever you want, however, PyPI suggests that you use the name <kbd>pypi</kbd> for a Trusted Publisher workflow.
100
+
To create a new environment to use in a GitHub Action, 1) go to your repo's settings; 2) click <kbd>environment</kbd>; 3) add a new environment. In this screenshot, we already have a <kbd>pypi</kbd> environment created. Note that you can name your environment whatever you want, however, PyPI suggests that you use the name <kbd>pypi</kbd> for a Trusted Publisher workflow.
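Review bot: The caption on line 100 says "In this screenshot" while the alt text on line 98 describes the same image as an animated gif; pick one ("In this animation" fits the file). The caption's step 2 also says click `<kbd>environment</kbd>`, which does not match "environments" in the step list on line 90, and "whatever you want, however, PyPI suggests" is a comma splice; a semicolon before "however" fixes it.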