
[maintenance hint] Use pypi-publish action with secretless publishing from GHA #196

Closed
webknjaz opened this issue Nov 29, 2023 · 3 comments · Fixed by #220

Comments

@webknjaz
Contributor

webknjaz commented Nov 29, 2023

I was skimming through the recent changes as I was trying to figure out a new regression and noticed something that should probably be fixed — the GHA workflow calls Twine directly and uses a long-living API token or even a user-wide password (which is worse, security-wise).

There's a more secure and easier way of doing this now which my action (yes, it's a shameless plug!) has supported since the early spring, way before it's gone GA: https://github.com/marketplace/actions/pypi-publish#trusted-publishing.

My PyPUG guide is also updated with a full usage example of secretless publishing: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/.

I suggest you upgrade the automation to be more in line with the modern practices :)

@HexDecimal
Collaborator

It's a long-lived API token created by me. I set that up before PyPI had trusted publishing. I use trusted publishing for all my other Python projects and I've considered setting it up here but doing so requires full access to this repo which I don't have since it's a personal repo.

@matthew-brett must set up a pypi GitHub Environment for me from the Settings -> Environments menu on the repo. The environment doesn't need any specific rules, it just has to exist. Once the environment is created I can handle the rest since I have enough access on PyPI.

As alarming as the current setup looks, it isn't especially insecure. It's about as secure as an environment with no additional security options enabled would be. I've been paranoid enough to keep an eye on this project's releases just in case, but I've been the only one publishing releases ever since.

@webknjaz
Contributor Author

webknjaz commented Jul 6, 2024

The environment doesn't need any specific rules, it just has to exist.

FYI such environments are auto-created on the first use in GHA. Creating them manually is optional. But adding rules requires manual steps.

@HexDecimal
Collaborator

That's good to know. I had manually created every environment I've ever used so far.
