It might help to be more specific with the next actions. Your previous post listed what needs doing, but I honestly don’t know who would do most of them. Maybe it’s obvious to the people expecting to do them, but I fear that the delay is because everyone thinks it’s someone else’s task…
I think that the next step is putting a repo in the right org. And I have no idea who has the power to do it.
As for other things, I think I’ll probably end up doing them by myself.
One reason I asked was because I wondered if there was an implied request for me to do something in there. But I’m not personally very clear on what all the implications are here, so I’d prefer to leave it to others who are, to do the actual move.
Also, “putting a repo in the right org” is extremely vague. What repo? What org? One reason nothing is happening, as I said, is that there’s no concrete action here. I assume the required action is “I want to move https://github.com/whoever/something to be owned by pypa, as https://github.com/pypa/something”. (I assume “whoever” is @webknjaz) But without knowing what that repo is, no-one can do much. And I think that @webknjaz needs to initiate that transfer, so step 1 will be for him to work out what he needs to do before the PyPA owners can accept the repo.
AFAICS everything needed from my side has been done.
Action items here:
- @webknjaz needs to file a transfer request from his repository to pypa (Settings > Danger Zone > Transfer Ownership). Ping me if that’s not how things work.
- One of the Owners of pypa on GitHub needs to accept the transfer request to complete the transfer.
I don’t think there’s anything else to do here. Once that is done, we can have the remaining conversation / discussion on the issue tracker of the new repository. =)
Since @webknjaz just added me to his repo and I have repo creation permissions, looks like I can make the transfer happen on my own.
The transfer is done now: https://github.com/pypa/gh-action-pypi-publish
Could one of the pypa admins create a new team (GitHub Actions Maintainers) and add @webknjaz (and me to reduce the bus factor) to that team + assign that team write permissions to the above repo?
Looks like I can do that myself too.
Okay, someone has to invite @webknjaz to PyPA and add him to that team.
While you’re at it, the team also needs to be assigned admin permissions to “gh-action-pypi-publish”.
I promise I’ve made sure this isn’t something I can do.
@webknjaz I looked at the repo to see how this was progressing. It might be worth converting the list of action items you wrote up in this message into issues in the repo’s tracker. That way people looking at the repo can easily see what still needs to be done.
Sure, will do
Did I miss anything here?
I’ve been silent for a while and a few things have changed over time.
So here are a few updates:
- GitHub Actions CI/CD workflow syntax has been swapped to YAML (was HCL originally) and the Action now has updated metadata for that (action.yml file as opposed to …)
- Jobs are now executed in VMs, not containers; GNU/Linux, macOS and Windows are supported natively
- In addition to using Docker containers, it’s now possible to use JS that’ll be invoked in the context of the job env, w/o any isolation AFAIU
- GitHub Actions will be generally available starting Nov 13, 2019
- A number of people have found the Action repo on their own, posted some feedback and even PRs
- I’ve submitted a PR (review pending) with a write-up on using this Action https://github.com/pypa/packaging.python.org/pull/647
- Warehouse now supports API token based auth, which is recommended in the README and in that PR
Based on the above, it looks like after merging the packaging guide PR it’s a good time to finally publish this Action to GitHub Marketplace.
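As an added illustration of the YAML workflow syntax and the API token auth mentioned in the update above (this is an example written for this page, not a workflow from the thread or from the action's own README), here is a minimal release workflow that builds a project and publishes it through pypa/gh-action-pypi-publish. The secret name PYPI_API_TOKEN, the tag pattern, and the use of actions/checkout, actions/setup-python and python -m build are assumptions for the example; the action's user and password inputs and the release/v1 ref are the action's documented usage.

```yaml
# .github/workflows/publish.yml  (example, not the action's own code)
name: Publish to PyPI

on:
  push:
    tags:
      - "v*"          # assumed convention: only version tags trigger a release

jobs:
  publish:
    runs-on: ubuntu-latest   # jobs run in a VM; the publish step itself runs in a Docker container
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build        # produces dist/*.tar.gz and dist/*.whl

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # Warehouse API token auth: the username is the literal "__token__"
          # and the password is a token created on PyPI, stored as a repository
          # secret (PYPI_API_TOKEN is an assumed secret name). Never put an
          # account password here.
          user: __token__
          password: ${{ secrets.PYPI_API_TOKEN }}
```

Two practical notes. First, create the token on PyPI scoped to the single project rather than to the whole account, so a leaked secret can only upload that one package. Second, release/v1 is a moving branch that the maintainers update; a workflow that must not pick up changes without review can reference a full commit SHA instead of the branch (GitHub resolves either form), at the cost of having to bump the pin by hand.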
Great work on the progress! Were you able to complete the various action items? It seems like the security review would be important to complete before publishing, as well as automated tests (preferably including some higher-level ones, as close to end-to-end as possible).
@cjerdonek testing ecosystem is rather poor now, so I think it’s acceptable to introduce it after publishing. While I totally want it to be there, I see it as a thing that’s stopping the process right now. If we don’t proceed now, we may end up seeing hundreds of low-quality actions published by others in the Marketplace, and from what I saw most of the actions have nothing even remotely resembling tests.
As for the security review, what exactly do you expect? I’m thinking of a small paragraph with a few pieces of advice.
I was just thinking that a PyPA member other than yourself could review that aspect of the code since this will be published under the PyPA name.
Ah, sure. I’ll ask @pradyunsg then. But really there’s more metadata and README than what you call code at this stage (just pip install + twine invocation). I hope that in the future it’ll get wrapped with Python so that we’ll have some “real” code
Oh, in that case it should probably be a pretty quick review, then!
I’d taken a look at the action a few weeks ago and didn’t really have any security related concerns. I’ll take another look today evening, but generally I don’t have major concerns here tbh.
Now that security review is done, nothing seems to block the publishing. The docs PR is in review and it’s even better if the Action gets published so that the Marketplace link could be included in that PR.
I’ll publish it soon once I have some time for this.