Microsoft is currently changing VS Code’s Python project management, see their Feb. 18th blog post.
They’ll maintain manual pip, uv, and conda integration, and approached us a year ago that we’d need to build an extension to keep Hatch integrated with it. I did that and released a beta for it a few days ago.
Since Hatch is part of PyPA, I think it would be best if the extension would be published by PyPA too. That would entail the following (documented here)
moving the extensions’ GitHub repo under the PyPA GitHub org
either
creating an Azure DevOps PAT as described in the link above that has marketplace permissions, and adding it to the repo’s Secrets so we can make releases.
or since the PAT has broad permissions anyway (see below), just allowing me access to the marketplace publisher
Would you be up for that? Otherwise I’d have to publish it under my name, and it would be flying-sheep.hatch instead of pypa.hatch. Not the end of the world, but it would be nice to do things right!
All that would mean extending trust to me because I think the PAT would allow me as owner of that repo to do anything with pypa-namespaced extensions. I’m sure a lot of the people on the PyPA discord will vouch for me, and my long track record of contributing to Python software on GitHub does the same.
I’m referring to an Azure DevOps token, not a GitHub one. The linked image implies that you can’t narrow the scope beyond “read, publish, and manage items and publishers for one organization”. I clarified the post accordingly!
My baseline position is to support this. I have no reason to block it.
But as someone with almost no knowledge of the project, I’ll personally refrain from initiating or seconding the vote – to do otherwise feels like overstepping.
There is one thing I’d like us to know:
Have the Hatch maintainers expressed any opinions about the project?
It seems that their views should play a leading role in the treatment of hatch extension repos.
Housing things together will probably lead to users believing that “pypa maintains both”, which is wrong but in a way that is typically harmless. That could lead to some confusion, but I think that’s the only downside.
Ofek actively encouraged me, both to create the initial integration[1] and write the blog post for it and now this extension. He gave me the Hatch logo sources explicitly to help me create the little symbolic Hatch icon appearing in the sidebar (see below). Cary Hawkins just recommended the extension beta to someone having trouble getting the aforementioned integration to work. So it’s safe to say that this is officially endorsed.
I’d be happy to make this the truth. If there are others than me affiliated with PyPA that have typescript experience (or want to learn), I’d happily onboard them.
[1] which will cease to work at some point due to the aforementioned shift of the VSCode Python extension to dedicated environment management extensions
But I don’t believe the PyPA has the infrastructure in place to support this - to my knowledge we have no Azure organisation, I’m not aware of a process for managing DNS records around PyPA, and we just recently had a discussion about how our processes around PATs are quite clumsy.
So I have strong reservations about how good a fit the PyPA is for VS Code extensions in general, and I don’t feel improving that should be a primary focus for us.
As long as we figure out who controls the DNS, and you trust me with the additional “marketplace acquire” scope (whatever that is) for the PyPA presence on the VS Code marketplace, we could change the flow to this, minimizing work from your side:
I create the PyPA marketplace publisher and initiate the domain verification
whoever controls the DNS for pypa.io adds the TXT record I send their way
I add someone else’s marketplace account as a manager for that publisher so I’m not the only one controlling it
I could then create a PAT for the repo and follow the security standards below:
only expose the PAT secret in the publishing step, not while building or so
pin GH actions used in publishing to hashes
rotate PAT after a max lifetime you specify
use GitHub 2FA (and use my GitHub account to log into the marketplace)
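As an added illustration of the publishing standards listed above (not a workflow from the thread or from the extension’s repository): a GitHub Actions workflow in which the build job has no access to the marketplace PAT, the secret is read by the single publish step only, and every action is pinned to a full commit SHA. The SHA placeholders, the secret name `VSCE_PAT`, the `marketplace` environment and the build commands are assumptions.

```yaml
name: publish-extension

on:
  release:
    types: [published]   # only a published GitHub release triggers a marketplace publish

permissions:
  contents: read         # default token is read-only; nothing here needs write access

jobs:
  build:
    runs-on: ubuntu-latest
    # No marketplace secret is available in this job: building and packaging only need repo read access.
    steps:
      # Pin every action to a full 40-hex-char commit SHA, not a mutable tag.
      # <full-commit-sha> is a placeholder; look up the SHA of the release you audited.
      - uses: actions/checkout@<full-commit-sha>          # v4
      - uses: actions/setup-node@<full-commit-sha>        # v4
        with:
          node-version: 20
      - run: npm ci
      - run: npx @vscode/vsce package --out extension.vsix
      - uses: actions/upload-artifact@<full-commit-sha>   # v4
        with:
          name: vsix
          path: extension.vsix

  publish:
    needs: build
    runs-on: ubuntu-latest
    # A deployment environment with required reviewers keeps the PAT behind a manual approval
    # and lets the secret be rotated in one place when its maximum lifetime is reached.
    environment: marketplace
    steps:
      - uses: actions/download-artifact@<full-commit-sha> # v4
        with:
          name: vsix
      # The PAT is exposed to this one step only, via the env block, and never to the build job.
      - run: npx @vscode/vsce publish --packagePath extension.vsix
        env:
          VSCE_PAT: ${{ secrets.VSCE_PAT }}
```

Rotation itself is a manual step: replace the environment secret with a newly minted PAT before the old one expires and revoke the old one in Azure DevOps.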
The tricky bit is how to manage a PyPA Azure DevOps (ADO) account. I think it becomes a question of how many of these org accounts do we want? There’s also GitLab, Codeberg, etc. And who will be the admin of the account?
You don’t necessarily need an ADO account. I could do everything, but in order to have someone besides me to (manually) manage the marketplace publisher, that someone needs a marketplace account. I’m pretty sure an ADO account is only necessary for people who want to use a PAT, so I can just make one if you want: