Skip to content

Add manual publish-to-JFrog workflow for iam-ape#36

Open
yanas-orca wants to merge 1 commit into
mainfrom
ci/publish-iam-ape
Open

Add manual publish-to-JFrog workflow for iam-ape#36
yanas-orca wants to merge 1 commit into
mainfrom
ci/publish-iam-ape

Conversation

@yanas-orca

Copy link
Copy Markdown
Contributor

What

Adds .github/workflows/publish-iam-ape.yaml — a workflow that builds and publishes only the iam-ape package to Orca's JFrog PyPI repo (orca-pypi). Modeled on orcasecurity/orca_textract's publish.yaml.

Design constraints (as requested)

  • Manual dispatch onlyon: workflow_dispatch; no push/tag/PR triggers.
  • Write-permission users only — inherent to workflow_dispatch: GitHub only allows users with Write access to trigger it.
  • iam-ape onlyworking-directory: iam-ape, so no other tool in this repo is built or published.
  • Publishes with twine to https://orcasecurity.jfrog.io/artifactory/api/pypi/orca-pypi using secrets.JFROG_RW_USER / secrets.JFROG_RW_PASSWORD, with --skip-existing (safe re-runs).

⚠️ Requires a secret to be provisioned before it can publish

This repo (public) currently has no Actions secrets (0 repo-level, 0 org-scoped). Before the workflow can authenticate, an org admin must add JFROG_RW_USER and JFROG_RW_PASSWORD to orca-toolbox — either as repo secrets or by scoping the existing org secret to this repo. Exposing read-write artifact creds to a public repo is a deliberate decision; the manual-dispatch-only trigger (no PR/fork exposure) is the mitigation.

Usage

Once the secrets exist, bump iam-ape/pyproject.toml version, then run this workflow from the Actions tab to publish — including the interim 1.1.7 release.

@orca-security-eu orca-security-eu Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Orca Security Scan Summary

Status Check Issues by priority
Passed Passed Secrets high 0   medium 0   low 0   info 0 View in Orca
Passed Passed Vulnerabilities high 0   medium 0   low 0   info 0 View in Orca

@sonarqubecloud

sonarqubecloud Bot commented Jul 5, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant