Python: New release + publish from CI with a Trusted Publisher? #305
Comments
(If there's interest, I can contribute that publishing workflow. But someone who currently controls the project on PyPI will need to do the configuration on that side.)
cc @adityasaky
I currently control the PyPI project. Happy to help out with the config there, I've been meaning to enable this here and on in-toto but a PR would be great!
Sounds good -- I'm going to wrap up #306 for tests and linting in CI and then I'll send a PR for the publishing workflow.
Just did it for in-toto in in-toto/in-toto#674 :)
(In the meantime, I'd recommend doing one last manual release here -- #301 is currently blocking DSSE integration into sigstore-python.)
Looks like this issue was addressed, or is there a need for a more recent Python release?
Looks like the release was handled, thanks! The other part of the issue was Trusted Publishing, but that's tangential and could be tracked with a separate issue. I'll leave that up to you 🙂
Now that #301 is merged, a new release is needed 🙂
On a tangential note: I don't see a current publishing workflow, which suggests that this package is currently being published from someone's development machine. My recommendation would be to switch to CI/CD for publishing, with a Trusted Publisher to do credentialless authentication to PyPI.
The PyPA has a guide for that here: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/