feat: migrate to OIDC trusted publishing#22
Conversation
SBOM submitted! Check the Ossprey platform: https://dashboard.ossprey.com/asset/?id=ossprey%2Fossbom
Warning! Potential malware in this PR. Please review the vulnerability report.
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Run python-release | ||
| uses: ossprey/cicd/python-release@v2 |
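Review bot: checkout and `ossprey/cicd/python-release@v2` run inside a single job here, so if that job is the one granted `id-token: write`, the build backend and its transitive dependency tree execute with the ability to mint the OIDC token, not just the upload step. Suggest splitting the build into its own job with no `id-token` permission that uploads `dist/` as an artifact, and keeping only the PyPI upload in the OIDC-privileged job; the composite action as called here does not appear to offer that separation.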
@andyantrim I'm assuming this is what motivated pypa/gh-action-pypi-publish#406?
Tip
TL;DR — always build in a separate job that does not have OIDC privileges.
Only perform upload to PyPI in the job with OIDC. Otherwise, you're letting your build backend (and its transitive dep tree) impersonate you, not just against PyPI but anything else that may gain transitive trust to the repo in the future.
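The split the reviewer describes above, as an added example workflow that is not part of this PR or the `ossprey/cicd` action: the `build` job runs with no `id-token` permission, so the build backend and its dependencies cannot obtain an OIDC token, and only the `publish` job (which never checks out the repository, it only downloads the built artifact) gets `id-token: write`. The environment name `pypi` is the one mentioned in the PR description; the trigger and Python version are assumptions.

```yaml
name: release

on:
  release:
    types: [published]   # assumed trigger; adjust to the project's convention

# Default for every job: read-only, no id-token. Jobs must opt in explicitly.
permissions:
  contents: read

jobs:
  build:
    # No id-token here: the build backend and its transitive dependency tree
    # run without any ability to mint an OIDC token.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"        # assumed; pin as the project requires
      - run: python -m pip install --upgrade build
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
          if-no-files-found: error

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi                  # must match the trusted publisher registration on PyPI
    permissions:
      id-token: write                  # only this job can obtain the OIDC token
      contents: read
    steps:
      # No checkout and no build step: the only code that runs with OIDC
      # trust is the artifact download and the publish action itself.
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Because the top-level `permissions` block lists only `contents: read`, every permission not named there (including `id-token`) is `none` for `build`; the `publish` job's own `permissions` block is what re-enables `id-token: write`, so the privilege boundary is visible in the workflow file rather than depending on repository defaults.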
Same migration as ossprey-python-client: stops inlining release logic, switches to OIDC, collapses the separate test-release workflow into a checkbox on the main one.
Changes
Required before merge: PR in cicd merged + tagged v2; PyPI/TestPyPI trusted publishers registered for ossbom; GitHub Environment pypi created in repo settings.