Add GH workflow to build and release on PyPI (WIP) #1933
Conversation
Add workflow with two jobs to build and publish on PyPI. The release job waits for the build job and uses a custom release environment, which can be configured to require review. To share the build artifacts between the jobs and to make them available for intermedieate review, they are stored using 'actions/upload-artifact' and 'actions/download-artifact'. https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts To upload the build artifacts to PyPI, the PyPA recommended 'pypa/gh-action-pypi-publish' is used. https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ **Caveat** The URL to grab the artifacts, e.g. for review, requires knowledge of action ID and artifact ID, and a login token (no special permissions). This makes it a bit cumbersome to fetch the artifacts with a script and compare them to a local build. https://docs.github.com/en/actions/managing-workflow-runs/downloading-workflow-artifacts Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Pull Request Test Coverage Report for Build 2076681489
💛 - Coveralls |
|
Re "Release on GitHub": |
😮 wow. They really are making artifacts hidden from unauthenticated users, how disappointing of GitHub. This limits the number of people able to download the artifacts to a mere 70 million accounts: a security improvement indeed 🙄 This was so close to Just Working but then... not quite. So, assuming we do want to integrate the GitHub release into the process and also want to have the local verification as automatic as possible, a potential solution for both is:
It's definitely more work than I expected but maybe doable? We would not need to handle edge cases since we could just say e.g. that maintainers need to delete failed -rc releases before trying to re-release |
|
I think using the |
To clarify, this means configured in GitHub project/environment settings, not in the workflow? Are we defining that all maintainers can deploy? I think this might be fine: Current pypi.org project maintainers is a subset of all maintainers but that makes sense as you can upload anything with pypi.org access. With deploy permission you can only release from git sources... |
Yep, others too have expressed their doubt about the security benefit of this restriction.
Yep, I was really excited when I discovered the download/upload feature... and then quickly somewhat disappointed.
Thanks for thinking this through with me! That's one of the approaches I had in mind. I'll explore in that direction then. |
Right, I forgot to mention that this is a 3rd-party action too. I was less worried since it seems endorsed by the pypa. But yeah, if it just calls twine, we might as call it ourselves. I'll prepare a POC using |
Yes! Environments and protection rules like "requires review" are configured in the GitHub repo settings (see GH docs).
I haven't thought this far. I probably would have started with requiring a review from one of the maintainers who currently also has pypi.org access. I am not sure if the git sources constraint is a good argument for broadening the subset, because git sources can be anything. |
|
One more thing (that is probably future work as well): is signing the release still relevant? I'm not sure if anyone uses our signatures for anything... but we could:
|
I'm in favor of the latter, GPG isn't relevant for PyPI anymore, and IIUC this is also the right direction towards generating in-toto attestations for our supply chain (I really need to catch up on the latest in-toto/sigstore developments). |
|
Even more future improvements (there's a lot of details in this one PR/discussion, no need to fix everything in one go): For standard auditability reasons, the build log should include the hashes (and/or signatures ) of the artifacts. |
- Publish GitHub release candiate as part of the build process
-> makes integration with local verify_release before review
easier
- Add --skip-pypi flag to verify_release script for pre-release
check between build and release job (before review approval)
- Tweak verify_release to work with my fork
- Comment out release on (test) pypi step in release job, because
verify_release currently only works with vX.Y.Z releases, and
I don't want to push them to test pypi for ongoing prototyping,
because we can't reuse a version later when we want to test an
an actual release.
- Add finalize GitHub release step to release job (does not work
yet, error: release already exists)
|
Damn, I think can't re-open the PR after having deleted the remote branch in my fork, even though I have re-pushed it. Will need to check. Otherwise, I'll create a new one migrating the key points in the discussion here. |
Fixes #1550
This PR adds a workflow with two jobs to build and release on PyPI. The release job waits for the build job and uses a custom release environment, which can be configured to require review.
To share the build artifacts between the jobs and to make them available for intermediate review, we use actions/upload-artifact (in build) and actions/download-artifact (in release) (also see GitHub docs).
To upload the build artifacts to PyPI, we use pypa/gh-action-pypi-publish as recommend by PyPA.
A demo is available in my fork.
Caveat
The URL to grab the build artifacts created in a workflow run requires knowledge of the corresponding action ID and artifact ID, plus a login token (w/o special permissions). This makes it a bit cumbersome to fetch the artifacts with a script in order to compare them to a local build. It might be easier to instruct reviewer to download the artifacts manually using the GitHub UI, and tailor the local verification script accordingly.
TODO
repository_urlto release on PyPI instead of Test PyPI and update the tokenworkflow_rundocs)Note, this could be akin to and in parallel with the "release-on-pypi" job, waiting for the same review approval, and uploading the same build artifacts as release assets. Alternatively, we could create the release as part of the build job and upload the build artifacts as release assets right away, bypassing the download/upload caveat from above. It would be nice if we could set the release as draft at first, but that has the same caveat, i.e. it requires a token and special knowledge to download the assets.