Use Trusted Publishers for publishing releases to PyPI #1226

Open
matthewfeickert opened this issue May 24, 2024 · 0 comments
Labels
feature New feature or request

Comments

@matthewfeickert
Member

At the moment uproot still uses long-lived, API-token-based publishing to PyPI:

```yaml
- uses: pypa/gh-action-pypi-publish@release/v1
  with:
    password: ${{ secrets.pypi_password }}
```

It would be preferable from a security and long-term security-maintenance view (cf. scientific-python/summit-2024#9) to use Trusted Publishers for this.

Given that adding a trusted publisher to an existing PyPI project requires owner-level control of the PyPI project, I can't make the necessary changes to enable this, but cf. the following PRs as examples of what is needed after the fact:

@matthewfeickert matthewfeickert added the feature New feature or request label May 24, 2024