From fef0d833e5f855e93841a5d541bf90c33459d6ac Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Sun, 22 Dec 2024 19:52:51 +0100
Subject: [PATCH 1/4] Add trusted publishing

---
 .github/workflows/pypi.yml | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 4d5fda17f2..0904ada698 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -21,6 +21,10 @@ jobs:
 make_sdist:
 name: Make SDist
 runs-on: ubuntu-latest
+ permissions:
+ # write id-token and attestations are required to attest build provenance
+ id-token: write
+ attestations: write
 steps:
 - uses: actions/checkout@v4
 with:
@@ -30,6 +34,11 @@ jobs:
 - name: Build SDist
 run: pipx run build --sdist
 
+ - name: Attest GitHub build provenance
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: dist/*.tar.gz
+
 - uses: actions/upload-artifact@v4
 with:
 name: sdist
@@ -50,6 +59,10 @@ jobs:
 build_wheels:
 name: Build wheels for ${{ matrix.platform }}
 runs-on: ${{ matrix.platform }}
+ permissions:
+ # write id-token and attestations are required to attest build provenance
+ id-token: write
+ attestations: write
 strategy:
 matrix:
 platform:
@@ -64,6 +77,11 @@ jobs:
 - name: Build wheels
 uses: pypa/cibuildwheel@v2.22.0
 
+ - name: Attest GitHub build provenance
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: ./wheelhouse/*.whl
+
 - uses: actions/upload-artifact@v4
 with:
 name: wheels-${{ matrix.platform }}
@@ -72,6 +90,10 @@ jobs:
 build_universal_wheel:
 name: Build universal wheel for Pyodide
 runs-on: ubuntu-latest
+ permissions:
+ # write id-token and attestations are required to attest build provenance
+ id-token: write
+ attestations: write
 steps:
 - uses: actions/checkout@v4
 with:
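Review bot: The new `permissions` block on `make_sdist` grants `id-token: write` and `attestations: write` but omits `contents: read`; once a job declares any permission, every unlisted scope drops to `none`, so the `actions/checkout@v4` step a few lines below runs with a token that cannot read the repository. On a public repository the clone may still succeed anonymously, but as far as I recall the permission set shown in the attest-build-provenance documentation includes `contents: read`, and stating it keeps the job working if the repository is ever private or the checkout needs the token. Add `contents: read` under `permissions:` here and in the identical blocks this patch adds to `build_wheels` and `build_universal_wheel`; `upload_pypi` does not check out sources, so its block is fine as written.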
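Review bot: The attest step added after `Build SDist` has no `if:` guard, and the workflow's `on:` triggers are outside this patch; if `make_sdist` also runs for `pull_request` events from forks, the step will fail there because GitHub issues no OIDC token to fork pull requests regardless of the `id-token: write` grant, turning a harmless build check into a red CI run for outside contributors. If that is the case, gate the step with `if: github.event_name != 'pull_request'` (or with the same release condition `upload_pypi` uses), and do the same for the matching attest steps added to `build_wheels` and `build_universal_wheel`. The `uses: actions/attest-build-provenance@v1` reference is a moving tag; pinning it to a full commit SHA with the version in a trailing comment is the usual hardening for a step that signs release artifacts.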
@@ -89,6 +111,11 @@ jobs:
 run: |
 PYODIDE=1 python setup.py bdist_wheel --universal
 
+ - name: Attest GitHub build provenance
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: dist/*.whl
+
 - uses: actions/upload-artifact@v4
 with:
 name: universal_wheel
@@ -125,6 +152,10 @@ jobs:
 
 upload_pypi:
 name: Upload to PyPI on release
+ environment: release
+ permissions:
+ # write id-token is required for upload attestation
+ id-token: write
 needs: [check_dist]
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
@@ -146,6 +177,3 @@ jobs:
 path: dist
 
 - uses: pypa/gh-action-pypi-publish@v1.12.2
- with:
- user: __token__
- password: ${{ secrets.pypi_password }}

From c9b142465401cc5d1bfec9b612ee8b6e3f5f38e4 Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Sun, 22 Dec 2024 20:08:10 +0100
Subject: [PATCH 2/4] Don't persist credentials in pypi.yml

Ref:
---
 .github/workflows/pypi.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 0904ada698..975a0c136f 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -30,6 +30,7 @@ jobs:
 with:
 fetch-depth: 0
 submodules: true
+ persist-credentials: false
 
 - name: Build SDist
 run: pipx run build --sdist
@@ -54,6 +55,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: hynek/build-and-inspect-python-package@v2
 
 build_wheels:
@@ -73,6 +75,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 
 - name: Build wheels
 uses: pypa/cibuildwheel@v2.22.0
@@ -98,6 +101,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 
 - name: Set up Python
 uses: actions/setup-python@v5

From 79a84fa26ad3a7f114ceb9d2005c9ee18284098a Mon Sep 17 00:00:00 2001
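Review bot: `environment: release` on `upload_pypi` is only meaningful if an environment of exactly that name is registered in the PyPI trusted-publisher configuration for this repository and workflow file; a mismatch is not visible in the YAML and surfaces only as a rejected token at publish time. A comment naming that coupling would help, e.g. `# 'release' must match the environment name registered with PyPI's trusted publisher for this workflow`. Once the `user`/`password` inputs removed in the last hunk of this patch are gone, the `pypi_password` secret is dead; the corresponding API token should be revoked on PyPI and the secret deleted rather than left in the repository's settings.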
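Review bot: The `persist-credentials: false` added to the `make_sdist` checkout (and to the three other checkouts in this patch) carries no rationale in the file, and the `Ref:` line in the commit message shows no link in this copy. A one-line comment above it, `# don't leave GITHUB_TOKEN in .git/config for later steps`, records why the option matters: the token is still used for the clone and, in this job, the `submodules: true` fetch performed by the checkout step itself, but it is scrubbed afterwards so that `pipx run build` and the third-party build actions that follow never see it.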
From: Ben Mares
Date: Mon, 23 Dec 2024 11:40:26 +0100
Subject: [PATCH 3/4] Don't attempt to publish from forks

---
 .github/workflows/pypi.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 975a0c136f..f9c6345447 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -162,7 +162,8 @@ jobs:
 id-token: write
 needs: [check_dist]
 runs-on: ubuntu-latest
- if: github.event_name == 'release' && github.event.action == 'published'
+ # Don't publish from forks
+ if: github.repository_owner == 'pymc-devs' && github.event_name == 'release' && github.event.action == 'published'
 steps:
 - uses: actions/download-artifact@v4
 with:

From b52a09c8c77fe60eff6e6a0d98bce132265341a3 Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Mon, 23 Dec 2024 11:40:49 +0100
Subject: [PATCH 4/4] Include more comments

---
 .github/workflows/pypi.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index f9c6345447..1bd7a5f656 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -156,9 +156,11 @@ jobs:
 
 upload_pypi:
 name: Upload to PyPI on release
+ # Use the `release` GitHub environment to protect the Trusted Publishing (OIDC)
+ # workflow by requiring signoff from a maintainer.
 environment: release
 permissions:
- # write id-token is required for upload attestation
+ # write id-token is required for trusted publishing (OIDC)
 id-token: write
 needs: [check_dist]
 runs-on: ubuntu-latest
@@ -182,3 +184,4 @@ jobs:
 path: dist
 
 - uses: pypa/gh-action-pypi-publish@v1.12.2
+ # Implicitly attests that the packages were uploaded in the context of this workflow.
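Review bot: The new `if:` condition keeps forks from running `upload_pypi`, but the comment above it overstates what it guarantees: a PyPI trusted publisher is bound to a specific owner, repository, workflow file and environment, so a fork's OIDC token would be rejected by PyPI regardless; the check is defense in depth that spares forks a failing publish job (and a stray `release` environment prompt), not the control that stops them publishing. The comment could say so: `# Forks can't publish (the trusted publisher is bound to this repo); skip the job rather than let it fail`. The rewritten `if:` line is also well past 120 characters; a folded scalar (`if: >-` with one `&&` clause per line) would keep it readable without changing the expression.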
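Review bot: The new comment above `environment: release` says the environment protects publishing "by requiring signoff from a maintainer", but nothing in this file enforces that; required reviewers are a protection rule configured on the environment in repository settings, and an environment with no rules makes `environment: release` a no-op gate. Word the comment so a reader knows where the enforcement lives, e.g. `# The 'release' environment's protection rules (required reviewers, set in repository settings) gate this job; without them this line adds no approval step.`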
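Review bot: The trailing `# Implicitly attests ...` comment is placed after the `- uses: pypa/gh-action-pypi-publish@v1.12.2` step rather than above it, so it reads as a dangling file-footer comment instead of documentation for that step; move it to the line before `- uses:` at the same indentation, matching how the other comments in this workflow sit above the line they describe. The statement also depends on the action's attestation default being enabled in the pinned version, as the comment implies; adding `(attestations are on by default in this action version)` makes that dependency explicit for whoever bumps the pin next.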