So I’ve been exploring GitHub’s integration possibilities deeply during about a year now. I’ve even started a framework for writing GitHub Apps (and Actions actually, but that’s not the point) and consider myself knowing a lot in this area.
GitHub Actions feature is in a limited public beta mode now, but a lot of people already have access to it. Some of its uses have already been discussed at New GitHub feature: Actions.
In short, it allows building a graph (called workflow) of actions which can depend on each other triggered by certain events. And those actions (GitHub Actions) are just docker containers with customizable env vars,
ENTRYPOINT in runtime. The execution of actions is orchestrated by GitHub platform as defined in the Workflow and they are run on the GitHub side.
It’s possible to create, share and versions reusable parts of workflows as GitHub Actions. If you store their declarations in separate repos you can publish them in the GitHub Marketplace (example page: Ansible Lint Action) so that others could easily locate and use them.
In a nutshell, Action would look like a repo with
README, metadata would be in dockerfile, readme would contain usage instructions.
Users can refer to Actions using GitHub repo addresses, in general.
Now, the reason I’m raising this discussion is that anyone is able to create Actions and publish them on Marketplace. This doesn’t include a review of any kind by GitHub, unlike typical GitHub Apps.
Also, it’s confusing for users when they’ll start seeing gazillions of Actions: which one is okay to use? is this one secure? etc.
That said, I suggest that PyPA should have an official curated Action published to Marketplace.
What would this Action do? Well, at first just
twine upload. Going forward, it should be configurable with env vars and maybe have some built-in toggle for switching to Test PyPI.
How would this work? From the UX perspective, users would have to build their wheels in the previous Action and then use this one. Actions have a shared file system which means that artifacts stored by one Action are accessible by others.
Why would users have a separate Action to “just” publish dists to PyPI? Because the publish action will need a secret password set up in the env and from a security perspective it’s better to limit access to the secret as much as possible.
P.S. I was also thinking about having Actions for building dists (PEP517 and stuff) but that has to be thought through more carefully.