-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Python: New release + publish from CI with a Trusted Publisher? #305
Comments
(If there's interest, I can contribute that publishing workflow. But someone who currently controls the project on PyPI will need to do the configuration on that side.) |
cc @adityasaky |
I currently control the PyPI project. Happy to help out with the config there, I've been meaning to enable this here and on in-toto but a PR would be great! |
Sounds good -- I'm going to wrap up #306 for tests and linting in CI and then I'll send a PR for the publishing workflow. |
Just did it for in-toto in-toto/in-toto#674 :) |
(In the mean time, I'd recommend doing one last manual release here -- #301 is currently blocking DSSE integration into sigstore-python.) |
Looks like this issue was addressed, or is there a need for a more recent Python release? |
Looks like the release was handled, thanks! The other part of the issue was Trusted Publishing, but that's tangential and could be tracked with a separate issue. I'll leave that up you 🙂 |
Now that #301 is merged, a new release is needed 🙂
On a tangential note: I don't see a current publishing workflow, which suggests that this package is currently being published from someone's development machine. My recommendation would be to switch to CI/CD for publishing, with a Trusted Publisher to do credentialless authentication to PyPI.
The PyPA has a guide for that here: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
The text was updated successfully, but these errors were encountered: