Commit graph

322 commits

Author SHA1 Message Date
William Woodruff
89ddbeae04
README: retitle, add note
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-03 23:37:32 +09:00
William Woodruff
a0f29a5690
Apply suggestions from code review
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
2023-04-03 23:14:57 +09:00
William Woodruff
0b567d5b01
oidc-exchange, twine-upload: remove more OIDC refs
...but not all, since some make sense in a debugging
context.

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-03 21:32:49 +09:00
William Woodruff
4372cb5585
README: replace OIDC with "trusted publishing"
Also updates the link to reference the public documentation
for trusted publishing, rather than the PyPI short help
section (which also needs to be updated).

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-03 21:26:53 +09:00
Sviatoslav Sydorenko
69efb8cbfb
Merge pull request #142 from trail-of-forks/tob-indicate-oidc
Add explanation of why the OIDC publishing was chosen to the log output.
2023-04-03 02:07:09 +02:00
William Woodruff
dfde872acc
Apply suggestions from code review
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
2023-04-02 22:20:08 +09:00
William Woodruff
3d567f44ce
twine-upload: expound
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-01 21:09:00 +09:00
William Woodruff
67b747a9c8
oidc-exchange: more explanation
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-04-01 14:41:16 +09:00
Sviatoslav Sydorenko
29930c9cf5
Merge pull request #139 from trail-of-forks/tob-improve-errors
This change improves the error output produced within the OIDC token exchange script by adding a title and a link to the Warehouse documentation for trusted publishers.

Ref #138.
2023-04-01 04:10:38 +02:00
Sviatoslav Sydorenko
9c859e9a77
Merge pull request #140 from hugovk/oidc-whitespace
This change removes accidental double whitespaces from the OIDC CI log that were caused by a misconception that the arguments of `echo` would be joined the same way as Python's implicit string concatenation works.
2023-04-01 04:04:52 +02:00
Hugo van Kemenade
65bf8a81de Remove double spaces 2023-03-29 21:22:09 +03:00
William Woodruff
486ec8dd23
oidc-exchange: improve errors
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-03-30 01:45:41 +09:00
Sviatoslav Sydorenko
48b317d84d
Merge PR #136 into unstable/v1
This patch improves the logging detalization of which authentication
mode is selected when the action runs. It uses the `::notice` workflow
command to surface this detail to the workflow run summary page as
annotations.
2023-03-22 16:22:52 +01:00
William Woodruff
ae295504b3
twine-upload: increase detail on console notices
Signed-off-by: William Woodruff <william@trailofbits.com>

Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
2023-03-22 11:19:01 -04:00
Sviatoslav Sydorenko
f3ce18f699
Merge pull request #134 from trail-of-forks/tob-better-errors
oidc-exchange: avoid splitting the error message
2023-03-21 23:13:05 +01:00
William Woodruff
ea29ccc08c
oidc-exchange: avoid splitting the error message
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-03-21 11:17:21 -04:00
Sviatoslav Sydorenko
a3a3bafbb3
🐛 Merge PR #131 from into unstable/v1
This patch fixes the default PyPI upload URL in the action metadata — a regression that happened in v1.8.0.
2023-03-16 10:10:51 +01:00
Jay Chung
d5417dc8be 🐛Correct default upload URL
close: #130
2023-03-16 16:39:57 +08:00
Sviatoslav Sydorenko
8ef2b3d46c
Merge PR #123 into unstable/v1
This patch implements support for secret-less OIDC-based publishing to
PyPI-like package indexes. The OIDC flow is activated when neither
username, nor password action inputs are set.

The OIDC "token exchange," is an authentication technique that PyPI
(and TestPyPI, and hopefully some future others) supports as an
alternative to long-lived username/password combinations or API
tokens.

OIDC token exchange boils down to the following set of steps:

1. A user (currently only someone in the OIDC beta on PyPI) configured
   a particular GitHub Actions workflow in their repository as a
   trusted OIDC publisher;
2. That workflow uses this action to mint an OIDC token;
3. That OIDC token is sent to PyPI (or another index), which exchanges
   it for a temporary API token;
4. That API token is used as normal.

For the seamless configuration-free upload to work, the end-users are
expected to explicitly assign the `id-token: write` privilege to the
auto-injected `GITHUB_TOKEN` secret on the job level. They should also
set up GHA workflow trust on the PyPI side.

PyPI's documentation: https://pypi.org/help/#openid-connect
Beta test enrollment: https://github.com/pypi/warehouse/issues/12965
2023-03-16 02:48:42 +01:00
William Woodruff
2b46bad8cb
OIDC beta support
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
2023-03-15 17:08:09 -04:00
Sviatoslav Sydorenko
22b4d1f125
🐛 Make kebab options fall back for snake_case
The previous release didn't take into account the action defaults so
the promised fallbacks for the old input names didn't work. This patch
corrects that mistake.
2023-03-11 03:06:39 +01:00
Sviatoslav Sydorenko
7104b6e981
Merge branch 'maintenance/kebab-case-inputs' into unstable/v1
This patch normalizes the action inputs to be kebab-case while keeping
the old snake_case fallbacks working.
2023-03-11 02:01:32 +01:00
Sviatoslav Sydorenko
f131721e84
🎨 Convert action inputs to use kebab-case
Up until now, the action input names followed the snake_case naming
pattern that is well familiar to the pythonistas. But in GitHub
actions, the de-facto standard is using kebab-case, which is what
this patch achieves.
This style helps make the keys in YAML better standardized and
distinguishable from other identifiers.
The old snake_case names remain functional for the time being and will
not be removed until at least v3 release of this action.
2023-03-11 01:24:52 +01:00
Sviatoslav Sydorenko
32b5e93709
Merge pull request #122 from colindean/empty-token
This patch implements displaying a warning when the password
input passed in to the action is empty.
2023-03-10 20:39:33 +01:00
Colin Dean
efcb9babc8
🎨 Warn about empty password/token action input
Before this patch, the warning would say that the token was
expected to start with `pypi-` but it may be unobvious. With this
change, the end-users are warned when they're passing a completely
empty password value.

Fixes #25.
2023-03-10 20:37:53 +01:00
Sviatoslav Sydorenko
d2ce3ec872
⇪ Bump isort to v5.12.0
The previous version had a Poetry packaging problem. This patch
fixes that.
2023-03-10 20:27:46 +01:00
Sviatoslav Sydorenko
0eaf3a11fd
Merge pull request #121 from pypa/dependabot/pip/requirements/cryptography-39.0.1
Bump cryptography from 38.0.4 to 39.0.1 in /requirements
2023-03-06 23:17:07 +01:00
dependabot[bot]
6a2da9bc3b
Bump cryptography from 38.0.4 to 39.0.1 in /requirements
Bumps [cryptography](https://github.com/pyca/cryptography) from 38.0.4 to 39.0.1.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/38.0.4...39.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-08 04:41:02 +00:00
Sviatoslav Sydorenko
7eb3b701d1
Merge pull request #119 from pypa/pre-commit-ci-update-config 2023-01-02 22:23:27 +01:00
Sviatoslav Sydorenko
91e612128c
Revert WPS flake8 hook version to 4.0.1 2023-01-02 22:21:39 +01:00
pre-commit-ci[bot]
c13a06eb2f
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/asottile/add-trailing-comma.git: v2.3.0 → v2.4.0](https://github.com/asottile/add-trailing-comma.git/compare/v2.3.0...v2.4.0)
- [github.com/PyCQA/isort.git: 5.10.1 → 5.11.4](https://github.com/PyCQA/isort.git/compare/5.10.1...5.11.4)
- [github.com/python-jsonschema/check-jsonschema.git: 0.18.3 → 0.19.2](https://github.com/python-jsonschema/check-jsonschema.git/compare/0.18.3...0.19.2)
- [github.com/pre-commit/pre-commit-hooks.git: v4.3.0 → v4.4.0](https://github.com/pre-commit/pre-commit-hooks.git/compare/v4.3.0...v4.4.0)
- [github.com/codespell-project/codespell: v2.2.1 → v2.2.2](https://github.com/codespell-project/codespell/compare/v2.2.1...v2.2.2)
- [github.com/PyCQA/flake8.git: 4.0.1 → 6.0.0](https://github.com/PyCQA/flake8.git/compare/4.0.1...6.0.0)
- [github.com/PyCQA/pylint.git: v2.15.3 → v2.15.9](https://github.com/PyCQA/pylint.git/compare/v2.15.3...v2.15.9)
2023-01-02 20:49:16 +00:00
Sviatoslav Sydorenko
a260c7e54e
Merge pull request #117 from pypa/dependabot/pip/requirements/certifi-2022.12.7 2022-12-10 03:25:32 +01:00
dependabot[bot]
5a2ea379cb
Bump certifi from 2022.9.24 to 2022.12.7 in /requirements
Bumps [certifi](https://github.com/certifi/python-certifi) from 2022.9.24 to 2022.12.7.
- [Release notes](https://github.com/certifi/python-certifi/releases)
- [Commits](https://github.com/certifi/python-certifi/compare/2022.09.24...2022.12.07)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-09 09:36:08 +00:00
Sviatoslav Sydorenko
c7f29f7ade
🐛 Override $HOME in the container with /root
This is necessary to let `python -m site` locate the real install
directories.
This fixes #115 — the bug caused by GitHub passing the value of
`$HOME` from the host system that does not match the container's
expectations.
2022-12-07 02:41:32 +01:00
Sviatoslav Sydorenko
644926c972
🧪 Always run smoke testing in debug mode 2022-12-07 02:34:31 +01:00
Sviatoslav Sydorenko
e71a4a4c1d
Add support for verbose bash execusion w/ $DEBUG 2022-12-07 00:07:43 +01:00
Sviatoslav Sydorenko
e56e8212f4
🐛 Make id always available in twine-upload 2022-12-07 00:07:20 +01:00
Sviatoslav Sydorenko
c879b84594
🐛 Use full path to bash in shebang 2022-12-07 00:02:01 +01:00
Sviatoslav Sydorenko
57e7d53102
🐛Ensure the default $PATH value is pre-loaded
This patch imports the system-global profile script to
populate the `$PATH` variable with the typically available binary
paths.

Ref:
https://github.com/pypa/gh-action-pypi-publish/issues/112#issuecomment-1340065840
2022-12-06 23:58:05 +01:00
Sviatoslav Sydorenko
ce291dce5b
🎨🐛Fix the branch @ pre-commit.ci badge links 2022-12-06 23:24:07 +01:00
Sviatoslav Sydorenko
102d8ab13f
🐛 Rehardcode devpi port for GHA srv container 2022-12-06 23:18:25 +01:00
Sviatoslav Sydorenko
3a9eaef3ef
🐛Use different ports in/out of GHA containers 2022-12-06 23:13:58 +01:00
Sviatoslav Sydorenko
a01fa7442e
🐛 Use localhost @ GHA outside the containers 2022-12-06 23:04:43 +01:00
Sviatoslav Sydorenko
ee892fd7f2
🐛Move Twine repository URL definitions to steps 2022-12-06 23:01:39 +01:00
Sviatoslav Sydorenko
47622d7eb0
🎨 Add CI/CD badges to README 2022-12-06 22:59:26 +01:00
Sviatoslav Sydorenko
54b250c7bf
🧪 Add Python linters to pre-commit.ci 2022-12-06 22:52:30 +01:00
Sviatoslav Sydorenko
967acbb201
🎨Reuse existing requirement pins @ smoke-test 2022-12-06 22:30:01 +01:00
Sviatoslav Sydorenko
5755482491
Stop upgrading pip @ GHA unnecessarily 2022-12-06 22:27:07 +01:00
Sviatoslav Sydorenko
dfc70e7dc8
Make the stub package dir creation verbose @ GHA 2022-12-06 22:26:35 +01:00
Sviatoslav Sydorenko
1c4183fd91
🎨 Make the GHA steps named 2022-12-06 22:26:08 +01:00