Skip to content

Use official publish GitHub action in CI #1309

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
EpicWink wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Use official publish GitHub action in CI #1309

EpicWink wants to merge 2 commits into from
+33 −6

Conversation

@EpicWink
Copy link
Contributor

@EpicWink EpicWink commented Feb 9, 2026

And split build from publish into a new job, also checking the dists.

Resolves #1307

Manual steps to do:

  1. Configure GitHub environment called pypi, and register with PyPI
  2. Optionally, remove the PYPI_TOKEN project secret
  3. Make a pre-release (eg v1.3.1rc0) testing the publish workflow and associated configuration

@Gallaecio
Copy link
Member

Gallaecio commented Feb 10, 2026

Why the 2 separate jobs? I was thinking a simpler approach, like the one we follow in Scrapy, may be best.

@EpicWink
Copy link
Contributor Author

EpicWink commented Feb 10, 2026

@Gallaecio as mentioned in #1307 (and in the action's README), having a second workflow for publish reduces the usage of the protected ID token (and environment) by arbitrary execution: only the download and publish actions get access to it. Future changes to the build process won't be able to publish packages without maintainer knowledge.

@Gallaecio
Copy link
Member

Gallaecio commented Feb 10, 2026

Interesting.

But if the build process would be compromised, how would this help? The attacker would already be able to modify the files being uploaded without us noticing. And I thought credential sniffing was not much of an issue with trusted publishing anyway, since the tokens involved are short-lived.

@EpicWink
Copy link
Contributor Author

EpicWink commented Feb 10, 2026

Best practice is to reduce attack surface, not to hope you've thought of every scenario.

Ask example scenario is that the attacker exfiltrates and uses the token (to publish a release), then fails the CI job. The new package's release may be unnoticed for some time, affecting users.

At least with the separate job, you know that a release has been made, and can optionally download the wheel to validate.

@codecov
Copy link

codecov bot commented Feb 10, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.63%. Comparing base (8cdcf80) to head (16922fd).

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #1309   +/-   ##
=======================================
  Coverage   96.63%   96.63%           
=======================================
  Files         235      235           
  Lines        2915     2915           
=======================================
  Hits         2817     2817           
  Misses         98       98

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Switch to trusted publishing for package upload to PyPI in CI

2 participants

@EpicWink @Gallaecio