Official GitHub Action for publishing to PyPI

I’m cool with it.

1 Like

I don’t really have any say in the matter.

1 Like

FWIW, I’m okay with the updated proposal. Thanks for taking the initiative and for talking it over with folks, @webknjaz!

1 Like

I don’t really have any further opinion to add.

1 Like

Thanks! This seems fine to me and I think we can go ahead. I hope once you get further on this, you also add documentation someplace on packaging.python.org and pypa.io. Also: I suggest you put something in your calendar for a month after the initial publication of the GitHub Action, for checking for unanticipated problems (looking on StackOverflow, Twitter, Reddit, discuss.python.org, and GitHub for reports of confused users). That’ll help us make sure that we catch any bugs or gaps in documentation!

1 Like

Cool, thanks :slight_smile:

So @EWDurbin has brought up one concern about the fact that currently it’s only possible to use username+password auth type. At some point in future it’s planned to implement token-based access and he suggested that it’s better to “advertise” such action only after that happens.

OTOH I think that the code for the action can already be put in place under the PyPA org; this is harmless.

Also, we’ve checked that PyPA doesn’t yet have access to GitHub Actions, which will probably prevent us from creating that fancy Marketplace page. Which is fine, it’s still usable + getting that enabled will probably be nicely aligned with the appearance of token support in Warehouse.

As for docs, yes, I’d add those but this may need to wait as per Ernest’s suggestion.

Action items

  • Put the repo with code under pypa
  • Write the docs but not merge them yet
  • Try convincing GitHub to enable Actions for pypa (and python, but that’s not directly related)
  • Keep improving the Action
  • Implement Action testing
  • Do a security review of the Action

Once Warehouse supports tokens

  • Publish the Action to the Marketplace
  • Merge docs
  • Monitor SO and other sources of complaints
  • Keep it up with the latest best practices

Sounds good?

Is this a reference to PyPI supporting token-based access in the future, or are you saying that you’re also planning to implement token-based access for the action? The reason I ask is because I’m wondering if it makes sense to talk about whether the action can support token-based access and, for the purposes of symmetry / feature parity with PyPI, whether it should and if this is possible. (I’m asking without knowing much about PyPI’s plans.)

I would also add (1) testing and (2) security review to the list of action items. Does providing an action introduce any new security considerations that we should be aware of and address? For example, what is the worst that can happen if the code for the action has a bug? Could it allow users to upload a package to a name owned by someone else? Also, what would be the best ways to test something like this – can it be done in an automated fashion?

TL;DR we probably don’t want to make users set up things twice.
AFAIU it’s planned to add token-based access to PyPI and Ernest’s point was that he doesn’t want to advertise the action to users when they can only use login/pass based auth. So in such a case, PyPA would have to also aggressively encourage users who’d already set up the action with login/pass to switch to tokens. Which is fine more or less since with Actions having access to Checks page we could also propagate warnings and recommendations about the best practices.

Good points. On our side, we probably should just watch out to not print secrets out to stdout/stderr so that it’d not get to public logs. I saw some project helping to emulate Actions env so those could be used for testing purposes.
Uploading to someone else’s package? No, as long as they don’t have a password/token. Because it’s just twine upload so security considerations are the same and in general users cannot inject code there.

P.S. I’ll modify the list to add your suggestions.

This is not really relevant to the action since it’s kinda proxy interface for Twine. Users can set env vars. But those are used by Twine. So they’ll be able to set an appropriate env var as soon as Twine learns how to use it. I don’t see anything special that the action itself would have to implement. Maybe I’d add a warning :warning: recommending users using passwords to switch to tokens but that’s irrelevant to the ability to actually use the action.
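To make the two points from the last few posts concrete (the action is only a thin proxy around `twine upload`, credentials travel through Twine’s own `TWINE_USERNAME`/`TWINE_PASSWORD` environment variables, and the action must never let a secret reach the public job log), here is an added illustration of such a wrapper. It is example code written for this thread, not the code of `pypa/gh-action-pypi-publish`; it assumes Twine’s real env vars and `--non-interactive` flag, the real GitHub Actions `::warning::`/`::error::` log commands, and PyPI’s `__token__` username convention for API tokens.

```shell
#!/usr/bin/env sh
# Added example (not the action's own code): a minimal wrapper around
# `twine upload` that (1) passes credentials only via Twine's env vars,
# never on the command line, (2) warns password users to move to an API
# token, and (3) scrubs the secret from every line that reaches the job log.
set -eu

# Classify the auth mode from the username Twine will use.
# PyPI API tokens are used with the literal username "__token__".
auth_mode() {
  case "${1:-}" in
    __token__) echo token ;;
    "")        echo none ;;
    *)         echo password ;;
  esac
}

# Replace every literal occurrence of $1 (the secret) in $2 (a log line)
# with "***". awk's index() is a plain substring search, so characters that
# are special to sed/regex inside the secret cannot break the masking.
redact() {
  secret="$1"; line="$2"
  if [ -z "$secret" ]; then printf '%s\n' "$line"; return 0; fi
  printf '%s\n' "$line" | awk -v s="$secret" '{
    out = ""; rest = $0
    while ((i = index(rest, s)) > 0) {
      out = out substr(rest, 1, i - 1) "***"
      rest = substr(rest, i + length(s))
    }
    print out rest
  }'
}

# Upload dist/* with Twine. Credentials stay in the environment (Twine reads
# TWINE_USERNAME/TWINE_PASSWORD itself), so they never show up in `ps` or in
# the echoed command. Twine's output is captured, scrubbed, and only then
# printed; Twine's own exit status is preserved.
run_publish() {
  mode=$(auth_mode "${TWINE_USERNAME:-}")
  case "$mode" in
    none)
      echo "::error::TWINE_USERNAME and TWINE_PASSWORD must be set" >&2
      return 1 ;;
    password)
      echo "::warning::Uploading with username+password; switch to a PyPI API token (username __token__) once available." ;;
  esac
  log=$(mktemp)
  status=0
  twine upload --non-interactive dist/* >"$log" 2>&1 || status=$?
  while IFS= read -r l; do redact "${TWINE_PASSWORD:-}" "$l"; done <"$log"
  rm -f "$log"
  return "$status"
}

# Only perform a real upload when explicitly asked, so the helpers above can
# be sourced and exercised without Twine or network access.
if [ "${1:-}" = "--upload" ]; then
  run_publish
fi
```

The masking step matters because Twine echoes server error bodies verbatim (a 403 from Warehouse can quote the offending credential), and a public repository’s Actions logs are readable by anyone; the `::warning::` line surfaces on the run’s Checks page, which is the "propagate warnings and recommendations" channel mentioned earlier in the thread.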

Hi,

Can we proceed with this, please?

It might help to be more specific with the next actions. Your previous post listed what needs doing, but I honestly don’t know who would do most of them. Maybe it’s obvious to the people expecting to do them, but I fear that the delay is because everyone thinks it’s someone else’s task…

I think that the next step is putting a repo in the right org. And I have no idea who has the power to do it.

As for other things, I think I’ll probably end up doing them by myself.

If you want it under pypa you’ll need to ask either @dstufft or @EWDurbin :slight_smile: to facilitate that :sunny:

1 Like

… or me, actually :slightly_smiling_face: (or a few others, @dustin, @jaraco or @xafer specifically).

One reason I asked was because I wondered if there was an implied request for me to do something in there. But I’m not personally very clear on what all the implications are here, so I’d prefer to leave it to others who are, to do the actual move.

Also, “putting a repo in the right org” is extremely vague. What repo? What org? One reason nothing is happening, as I said, is that there’s no concrete action here. I assume the required action is “I want to move https://github.com/whoever/something to be owned by pypa, as https://github.com/pypa/something”. (I assume “whoever” is @webknjaz) But without knowing what that repo is, no-one can do much. And I think that @webknjaz needs to initiate that transfer, so step 1 will be for him to work out what he needs to do before the PyPA owners can accept the repo.

AFAICS everything needed from my side has been done.

GitHub - pypa/gh-action-pypi-publish: The blessed GitHub Action, for publishing your distribution files to PyPI: https://github.com/marketplace/actions/pypi-publish

Action items here:

  • @webknjaz needs to file a transfer request from his repository to pypa (Settings > Danger Zone > Transfer Ownership). Ping me if that’s not how things work. :slight_smile:
  • One of the Owners of pypa on GitHub needs to accept the transfer request to complete the transfer.

I don’t think there’s anything else to do here. Once that is done, we can have the remaining conversation / discussion on the issue tracker of the new repository. =)

1 Like

Since @webknjaz just added me to his repo and I have repo creation permissions, looks like I can make the transfer happen on my own. :slight_smile:

The transfer is done now: https://github.com/pypa/gh-action-pypi-publish :tada:


Could one of the pypa admins create a new team (GitHub Actions Maintainers) and add @webknjaz (and me to reduce the bus factor) to that team + assign that team write permissions to the above repo?

Looks like I can do that myself too. :slight_smile:


Okay, someone has to invite @webknjaz to PyPA and add him to that team.

While you’re at it, the team also needs to be assigned admin permissions to “gh-action-pypi-publish”. :slight_smile:


I promise I’ve made sure this isn’t something I can do. :stuck_out_tongue:

Thanks @pradyunsg :slight_smile:

@webknjaz I looked at the repo to see how this was progressing. It might be worth converting the list of action items you wrote up in this message into issues in the repo’s tracker. That way people looking at the repo can easily see what still needs to be done.

2 Likes