Migrate PyPi publishing to Trusted Publishers and environments #20376

Merged
merged 2 commits into from
May 27, 2025

Conversation

AAraKKe
Contributor

@AAraKKe AAraKKe commented May 27, 2025

What does this PR do?

This PR updates the actions that publish new packages to PyPI to use trusted publishers and run behind a given environment. Any run outside the appropriate environment won't be able to retrieve the short-lived JWT token.

For typosquatting, an environment has been defined that runs only on master, and the secret has been moved to the environment secrets. This will allow the repository secrets to be removed.

Motivation

Improved security and reduced token rotation requirements.

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
  • If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

@AAraKKe AAraKKe requested a review from a team as a code owner May 27, 2025 08:27
@AAraKKe AAraKKe added the qa/skip-qa Automatically skip this PR for the next QA label May 27, 2025
@AAraKKe AAraKKe changed the title Migrate PyPi publishing to Trusted Puyblishers and environments Migrate PyPi publishing to Trusted Publishers and environments May 27, 2025
@AAraKKe AAraKKe force-pushed the aarakke/migrate-to-pypi-oidc branch from 9f9ec5b to de61562 Compare May 27, 2025 08:29
@iliakur iliakur left a comment

🚀

@AAraKKe AAraKKe added this pull request to the merge queue May 27, 2025
Merged via the queue into master with commit 789b784 May 27, 2025
28 checks passed
@AAraKKe AAraKKe deleted the aarakke/migrate-to-pypi-oidc branch May 27, 2025 08:51
2 participants