
218 points miketheman | 7 comments
belval ◴[] No.42137562[source]
I have a bit of uneasiness about how this is heavily pushing GitHub Actions as the correct way to publish to PyPI. I had to check PEP 740 to make sure it was not directly supported by Microsoft.

> The generation and publication of attestations happens by default, and no changes are necessary for projects that meet all of these conditions: publish from GitHub Actions; via Trusted Publishing; and use the pypa/gh-action-pypi-publish action to publish.

If you then click on "The manual way" it adds a big disclaimer:

> STOP! You probably don't need this section; it exists only to provide some internal details about how attestation generation and uploading work. If you're an ordinary user, it is strongly recommended that you use one of the official workflows described above.

Where the only official workflow is "Use GitHub Actions".

I guess I am an idealist but as a maintainer this falls short of my expectations for the openness of Python and PyPI.

replies(9): >>42137628 #>>42137831 #>>42138035 #>>42138967 #>>42140525 #>>42140881 #>>42142188 #>>42144001 #>>42144423 #
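The quoted documentation lists three conditions under which attestations are produced without any extra configuration: the upload runs in GitHub Actions, it uses Trusted Publishing (OIDC rather than a long-lived API token), and it goes through pypa/gh-action-pypi-publish. As an added illustration (not taken from the PyPI docs or the thread), this is the minimal workflow shape that satisfies all three. The workflow name, trigger, environment name and build step are assumptions; the only parts that matter for the quoted conditions are the `id-token: write` permission, which lets the job obtain the OIDC token that Trusted Publishing verifies, and the publish action itself.

```yaml
# Added example: a minimal GitHub Actions workflow that meets the three
# conditions quoted above. Names, trigger and environment are assumptions.
name: publish-to-pypi

on:
  release:
    types: [published]

jobs:
  pypi-publish:
    runs-on: ubuntu-latest
    # Optional but recommended: a protected environment that the PyPI-side
    # Trusted Publisher configuration can be pinned to.
    environment: pypi
    permissions:
      # Required for Trusted Publishing: the job must be able to request an
      # OIDC id-token that PyPI exchanges for a short-lived upload token.
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      # Build step is an assumption; any step that leaves sdists/wheels in dist/ works.
      - name: Build distributions
        run: |
          python -m pip install --upgrade build
          python -m build

      # No API token is configured here: authentication is the OIDC token
      # above, and attestation generation is the action's default behaviour
      # under these conditions, as the quoted documentation states.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

For this to work, the project on PyPI must already have a Trusted Publisher entry matching the repository owner, repository name, workflow filename and (if set) environment name; a mismatch in any of those is rejected at upload time, which is the check that replaces a shared secret. A project that does not want OIDC at all can still upload with an ordinary API token, as a later reply in this thread notes, and simply does not get attestations by default.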
woodruffw ◴[] No.42137628[source]
> Where the only official workflow is "Use GitHub Actions".

The standard behind this (PEP 740) supports anything that can be used with Trusted Publishing[1]. That includes GitLab, Google Cloud, ActiveState, and can include any other OIDC IdP if people make a good case for including it.

It's not tied to Microsoft or GitHub in any particular way. The only reason it emphasizes GitHub Actions is because that's where the overwhelming majority of automatic publishing traffic comes from, and because it follows a similar enablement pattern as Trusted Publishing did (where we did GitHub first, followed by GitLab and other providers).

[1]: https://docs.pypi.org/trusted-publishers/

replies(6): >>42137658 #>>42137713 #>>42139209 #>>42140207 #>>42140433 #>>42143213 #
1. guappa ◴[] No.42140433[source]
Except that also for trusted publishing, they only allowed github in the beginning and eventually added a couple of other providers. But if you're not google or microsoft you won't be added.
replies(1): >>42140733 #
2. woodruffw ◴[] No.42140733[source]
These kinds of comments are borderline mendacious: you can observe, trivially, that 50% of the Trusted Publishers currently known to PyPI are neither Google nor Microsoft controlled[1].

If PyPI accepts two more likely ones, a full 2/3rds will be unrelated to GitHub.

[1]: https://docs.pypi.org/trusted-publishers/adding-a-publisher/

replies(3): >>42141474 #>>42142880 #>>42144016 #
3. guappa ◴[] No.42141474[source]
Ping me when one of them will be an open source entity rather than a company.
replies(1): >>42147409 #
4. cpburns2009 ◴[] No.42142880[source]
Wow, you can use a whole two other providers from your list: Gitlab and ActiveState. Color me unimpressed.
5. immibis ◴[] No.42144016[source]
Wow. I get to choose one from a total of FOUR large corporations! Amazing openness!
replies(1): >>42146833 #
6. woodruffw ◴[] No.42146833{3}[source]
Once again: this is constrained by design. If you don’t want to use OpenID Connect, just create a token on PyPI and publish the normal way. You are not, and will never be, required to use this feature.
7. woodruffw ◴[] No.42147409{3}[source]
https://docs.pypi.org/trusted-publishers/internals/#how-do-i...