I had not planned to write an action; I thought more of bash/python to
pull the artifacts and use an existing official action for publishing, but
yeah - good idea - I might package that into a reusable action that we could
use for other projects. Might be generalisable.



On Thu, Jun 20, 2024 at 7:52 PM Greg Stein <gst...@gmail.com> wrote:

> Hey Jarek ... note that we have an infrastructure-actions repository for
> "official ASF" GH Actions. If you agree with that approach, then you can
> dev/test there or we can move your tested Action there when you're ready to
> share it with others.
>
> Cheers,
> Greg
> InfraAdmin, ASF
>
>
> On Thu, Jun 20, 2024 at 7:10 AM Jarek Potiuk <ja...@potiuk.com> wrote:
>
> > Unless I hear otherwise, I **assume** there are no big reasons against
> > this. My plan is that I will add a GitHub Action (manually triggered,
> > limited to release managers only) which will NOT build the packages, but
> > it will download them from `downloads.apache.org` (or dist.apache.org for
> > RC packages) and publish them to PyPI. This should be really "safe" and will
> > remove the need for us to keep local pypi keys to upload the packages.
> >
> > This will require repo reconfiguration, so I will have to - likely -
> > open a JIRA ticket to INFRA - once I do it, I will be happy to describe the
> > steps for all other projects that upload packages to PyPI and use GitHub.
> >
> > Does that make sense?
> >
> > J.
> >
> >
> > On Fri, Jun 14, 2024 at 12:14 PM Jarek Potiuk <ja...@potiuk.com> wrote:
> >
> > >
> > >> My only question is what do the users see in terms of the verified
> > >> identity that performed the release. Does it still appear to have come
> > >> from the individual maintainer? The ASF? Somewhere else? I'd only be
> > >> concerned if the answer was "somewhere else".
> > >>
> > >
> > > Currently users do not see anything. There was a discussion on Python's
> > > discord about exposing Trusted Publisher information in PyPI
> > > https://discuss.python.org/t/pre-pep-exposing-trusted-publisher-provenance-on-pypi/42337
> > > as a "pre-PEP discussion". This resulted in Draft PEP 740 -
> > > https://discuss.python.org/t/pep-740-index-support-for-digital-attestations/44498
> > > - where you will be able to upload multiple attestations when you publish
> > > your packages. So the thinking is that you can have multiple attestations
> > > of provenance of your package when you upload it to PyPI and a trusted
> > > publisher will be just one of them. So in our case we could also add our
> > > own signatures when we publish. This is still draft and we will have a
> > > chance of influencing the direction, I am sure. Generally Michael and the
> > > whole security team are on the spree of onboarding more and more projects
> > > to use trusted publishers and they are planning to discuss and implement
> > > more security/provenance features when they reach critical mass (from the
> > > discussions I had - I believe they are doing very well there - and having
> > > stories where prominent projects are on-board is going to help with that
> > > as well).
> > >
> > > J.
> > >
> > >
> > >
> > >
> > >> Mark
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail:
> > security-discuss-unsubscr...@community.apache.org
> > >> For additional commands, e-mail:
> > >> security-discuss-h...@community.apache.org
> > >>
> > >>
> >
>
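An added example of the manually triggered publishing workflow Jarek sketches in the quoted message (not code from this thread or from any ASF project): it downloads the already-voted artifacts instead of building anything, verifies checksum and PGP signature against the project's KEYS file, and publishes through a PyPI Trusted Publisher so no API token has to be stored. `PROJECT`, `PROJECT_PATH`, the `pypi` environment with its protection rules, and a `.sha512` file in `sha512sum` format are assumptions.

```yaml
name: Publish voted release to PyPI

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release version already voted on and present on downloads.apache.org"
        required: true

permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed: a GitHub environment named "pypi" whose protection rules restrict
    # who may approve the run (the "release managers only" restriction), and a PyPI
    # Trusted Publisher bound to this repository, this workflow file and that
    # environment. No long-lived PyPI credential exists anywhere in the repo.
    environment: pypi
    permissions:
      id-token: write   # only needed for the OIDC exchange with PyPI
    steps:
      - name: Download voted artifacts (deliberately no build step)
        env:
          VERSION: ${{ inputs.version }}
        run: |
          set -euo pipefail
          # PROJECT_PATH / PROJECT are placeholders for the project's directory
          # and artifact name on downloads.apache.org
          base="https://downloads.apache.org/PROJECT_PATH"
          pkg="PROJECT-${VERSION}.tar.gz"
          mkdir dist && cd dist
          for f in "${pkg}" "${pkg}.sha512" "${pkg}.asc"; do
            curl --fail --silent --show-error --location -O "${base}/${VERSION}/${f}"
          done
          # Integrity: checksum published alongside the artifact (sha512sum format assumed)
          sha512sum --check "${pkg}.sha512"
          # Authenticity: signature must verify with a key from the project's KEYS file;
          # gpg exits non-zero on a bad or unknown-key signature and aborts the job
          curl --fail --silent --show-error --location -O "${base}/KEYS"
          gpg --batch --import KEYS
          gpg --batch --verify "${pkg}.asc" "${pkg}"
          # Leave only the distribution file for the publish step
          rm KEYS "${pkg}.sha512" "${pkg}.asc"
      - name: Publish to PyPI via Trusted Publishing
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: dist/
```

Because the artifacts come from the voted release location and are verified before upload, what lands on PyPI is bit-for-bit what the PMC voted on, and PyPI's provenance record points at this workflow rather than at an individual's token.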
