Add pypa/gh-action-pypi-publish@release/v1 to mozilla org
Categories
(mozilla.org :: Github: Administration, task)
Tracking
(Not tracked)
People
(Reporter: robhudson, Unassigned)
Details
I'm testing out publishing a Python package via tagging a release on Github. The current security recommendation for this Github action (pypa/gh-action-pypi-publish) is to use Trusted Publishing (https://docs.pypi.org/trusted-publishers/) which is available in versions >= 1.8.0 of this Github action.
The docs recommend using the latest v1 release, specified by pypa/gh-action-pypi-publish@release/v1 or use an exact version.
However, the only version allowed in the mozilla org currently is pypa/gh-action-pypi-publish@v1.4.2, as noted in the error I received for my run here: https://github.com/mozilla/basket-client/actions/runs/5480970519
I would like to either get this opened up to any v1 release or have it updated to a current version that supports trusted publishing.
Thanks,
Rob
Comment 1•2 years ago
NI set for secops to weigh in on this - the original was approved over in bug 1710299 - Austin - please let me know if you have questions or concerns.
Not sure what the syntax would be to allow @v1 and @v1.4.2 ... @v1*? Mainly, I'm loathe to break existing workflows.
Comment 2•2 years ago
Approved by SecOps
I wish there was an easier way to say something like anything v1 or greater (@v1>)?
Regardless, let's do: pypa/gh-action-pypi-publish@release/v1* and should we need to bump to v2, we can do a new separate ticket for tracking.
Comment 3•2 years ago
Alright, I've made that change. Given that the original repo is specifying the exact version using a different syntax I did NOT remove that entry from the list.
Please confirm things are working as expected.
Comment 4•2 years ago (Reporter)
Works great, thank you!