←back to thread

PyPI now supports digital attestations

(blog.pypi.org)
218 points miketheman | 3 comments | 14 Nov 24 14:25 UTC | HN request time: 0.524s | source
Show context
belval ◴[14 Nov 24 16:05 UTC] No.42137562[source]
I have a bit of uneasiness about how this is heavily pushing GitHub actions as the correct way to publish to PyPI. I had to check PEP740 to make sure it was not directly supported by Microsoft.

> The generation and publication of attestations happens by default, and no changes are necessary for projects that meet all of these conditions: publish from GitHub Actions; via Trusted Publishing; and use the pypa/gh-action-pypi-publish action to publish.

If you then click on "The manual way" it adds a big disclaimer:

> STOP! You probably don't need this section; it exists only to provide some internal details about how attestation generation and uploading work. If you're an ordinary user, it is strongly recommended that you use one of the official workflows described above.

Where the only official workflow is "Use GitHub Actions".

I guess I am an idealist but as a maintainer this falls short of my expectations for the openness of Python and PyPI.

replies(9): >>42137628 #>>42137831 #>>42138035 #>>42138967 #>>42140525 #>>42140881 #>>42142188 #>>42144001 #>>42144423 #
1. HdS84 ◴[15 Nov 24 06:36 UTC] No.42144423[source]
While I understand that, are more deep problem is that their main competitor (gut lab) is too busy to implement the fad of the day. Got labs cicd is already an unholy mess of scripting in yaml, and there is no good way to provide encapsulated pieces of code to gitlab. GitHub has actions which have a defined input and output, gitlab has nothing comparable. That makes it very difficult to provide functionality for gitlab.
replies(2): >>42144481 #>>42145032 #
2. riffraff ◴[15 Nov 24 06:51 UTC] No.42144481[source]
Is it really that hard to provide a gitlab workflow?

AFAIU it'd be enough to have a docker image and use that in a standalone workflow which is a few lines of yaml in both GitHub and gitlab, what'd be the problem with that?

3. myworkinisgood ◴[15 Nov 24 08:46 UTC] No.42145032[source]
CI/CD components and steps.