Put together a big upgrade to my python-lib cookiecutter template today: it now uses pyproject.toml rather than setup.py, and it configures a publish.yml workflow that publishes packages to PyPI without needing a password or authentication token using PyPI Trusted Publishers
@simon The Trusted Publishing part is very neat, thank you for sharing! 🙌
I wonder how this PyPI "pending publisher" feature works if you a) rename your GitHub account or repo b) delete your GitHub account and then someone else creates a new one with the same name.
Does GitHub notify PyPI about these changes? Because neither GitHub repo name nor account (or organization) name are guaranteed to be stable 🤔
@simon awesome thank you! I was actually looking at the repo last week and was surprised you hadn’t moved to pyproject.toml yet, figured you just hadn’t gotten around to it yet.
The more experience I get with the new PyPI "trusted publishers" mechanism the more I love it - it's SUCH a low friction way to publish a package from GitHub to PyPI, and configuring it for a new project really is just a case of filling in a few form fields and dropping in a couple of lines of YAML https://til.simonwillison.net/pypi/pypi-releases-from-github
@simon that's as much low friction as being invisible gatekeeping (want to easily publish to pypi? use github); especially now with github buying into the ai hype with its full microsoft chest.
@simon @glyph Quick suggestion: instead of "pip install", "python -Im pip install" and "python -Im build" (etc.).
The "-I" (that's LATIN CAPITAL LETTER I, as in "Isolated", which is the mode it turns on) flag helps mitigate quite a few malicious things people might try in pull requests, and so is something I always recommend for anything that'll run in CI.
@mawhrin interestingly development of the feature was funded by Google
It's built on top of OIDC, presumably to help facilitate adding other platforms in the future - but it would take coordinated work from those platforms https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
@djh that's a great question! My hunch is that the OIDC stuff under the hood has been designed with that in mind, but I've not dug into the details.
@sethmlarson may know the answer!
@simon @djh Thanks for the tag Simon, indeed when a publisher is specifically in the "pending" state I believe there isn't any pinning to a specific "ID" until after first "use".
I wonder if it could be improved a bit by doing an initial request to GitHub's API and bind to the ID early? Might be worth opening an issue :)
@sethmlarson @djh that sounds good enough to me - I expect most pending publishers only exist for a short period of time, and their creators should stay very aware of renames to their own GitHub accounts
@simon @sethmlarson Gotcha thanks for the details! Sounds good, I was just wondering how these simple systems on their own interact in complex ways when plugged into each other.