
[FR] Promote secretless publishing to PyPI

Open webknjaz opened this issue 2 years ago • 1 comments

It is no longer needed to make long-living API tokens and store them as secrets. Now that PyPI supports trusted publishing through OIDC, it's best to stop prompting people to make permanent tokens, as the short-lived ones are more secure. And user: __token__ was never necessary, since it has always been the default.

The action supports this since the private beta: https://github.com/marketplace/actions/pypi-publish#trusted-publishing. But the currently hardcoded version in the workflow is too old. This is why I tend to put @release/v1 in the docs and reusable places, so it always has all the latest features without me having to constantly update that version. The end-users, though, can decide on their own if they want to pin tags or commit shas.

Action items

  1. Drop user and password inputs from https://github.com/cjolowicz/cookiecutter-hypermodern-python/blob/9343fc8/%7B%7Bcookiecutter.project_name%7D%7D/.github/workflows/release.yml#L58-L71.
  2. Replace v1.6.4 with release/v1.
  3. Replace repository_url with repository-url while on it.
  4. Set id-token permission to write as documented @ https://github.com/marketplace/actions/pypi-publish#trusted-publishing.
  5. Add a link to https://docs.pypi.org/trusted-publishers/ somewhere.

webknjaz avatar Jun 26 '23 15:06 webknjaz
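The following is an added illustration of the change described in the action items above, not a snippet from the cookiecutter template itself. It shows the publish step in the style the issue criticises (a long-lived API token stored as a repository secret, passed through the `user`/`password` inputs) next to the trusted-publishing form the issue asks for (no credentials, `id-token: write` permission, the action pinned to `release/v1`, and the `repository-url` input). The secret name `PYPI_TOKEN` and the job and step names are placeholders chosen for this example; the action name, its inputs and the TestPyPI upload URL are the real ones from the action's documentation.

```yaml
# BEFORE (example only): the job authenticates with a permanent API token
# kept in a GitHub secret. The token never expires on its own, so a leak of
# the secret means a leak of publish rights until someone revokes it.
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Build package
        run: python -m pip install build && python -m build
      - name: Publish package on PyPI
        uses: pypa/gh-action-pypi-publish@v1.6.4   # stale pin, predates trusted publishing
        with:
          user: __token__                          # redundant: __token__ is already the default
          password: ${{ secrets.PYPI_TOKEN }}       # placeholder secret name for this example
          repository_url: https://test.pypi.org/legacy/   # old underscore spelling of the input

---
# AFTER (example only): trusted publishing via OIDC. GitHub mints a short-lived
# identity token for this workflow run; PyPI exchanges it for a temporary upload
# credential. No long-lived secret is stored in the repository at all.
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      id-token: write        # required so the job may request the OIDC token
      contents: read         # least privilege: nothing else is needed to upload
    steps:
      - name: Build package
        run: python -m pip install build && python -m build
      - name: Publish package on PyPI
        uses: pypa/gh-action-pypi-publish@release/v1   # moving tag, always has trusted publishing
        # no `with: user/password` block: the action picks up the OIDC token itself
      - name: Publish package on TestPyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/  # hyphenated input name
```

For the "after" form to work, the project must first be registered as a trusted publisher on PyPI (the page linked in item 5 describes this); PyPI matches the incoming OIDC token against the repository owner, repository name and workflow file name that were registered, so a token from any other repository or workflow is rejected. A useful check after migrating is to delete the old `PYPI_TOKEN` secret and revoke the token on PyPI, so that the only remaining publish path is the attestable one.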

Is there a fork or PR which includes this?

bosd avatar Nov 23 '23 21:11 bosd