[CI][Python] Investigate trusted publishing for uploading wheels to PyPI #44733
Comments
We talked about trusted publishing and related GitHub features just yesterday at the infra roundtable!
Ah, it's nice that you attend those. Thanks a lot :)
I am curious how the ASF release process wants to handle those. Currently, if we follow the current release process, we would be generating the binaries, uploading them to dist.apache.org, verifying them and, once the vote passes, downloading them locally from dist and uploading them to PyPI. A different solution could be to just generate the final wheels once the source has been voted and released and upload those newly generated wheels on the same job that generates them, without possibility of tampering (bear in mind source code is signed and could be validated that no modification has happened).
cc @kou for feedback too
I've often said that I don't find our voting process useful. If the binaries are thoroughly verified on CI jobs, then it does not really make sense to have them verified manually, either (especially as the manual verification just consists in executing a script).
Describe the enhancement requested
"Trusted publishing" may help improve the security of wheel uploads, and also provide automated digital attestations.
See https://discuss.python.org/t/pypi-now-supports-digital-attestations/71158 and https://trailofbits.github.io/are-we-pep740-yet/ .
It might make it either easier or harder to publish releases, however :)
Component(s)
Continuous Integration, Packaging, Python
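The following GitHub Actions workflow is an added sketch of the second flow proposed in the comments (build the wheels from the voted, signed source and publish them from the same run through trusted publishing, with PEP 740 attestations); it is an illustration, not the project's own CI. The `PROJECT` placeholder, the dist.apache.org directory layout, the `version` input, the extracted package directory and the `pypi` environment name are assumptions; `pypa/gh-action-pypi-publish` with the `id-token: write` permission is the actual trusted-publishing mechanism.

```yaml
name: Publish wheels to PyPI with trusted publishing
on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release version that passed the vote"
        required: true
env:
  # Exposed as environment variables rather than interpolated into shell text,
  # so a crafted input cannot inject commands into the run steps below.
  VERSION: ${{ inputs.version }}
  DIST_BASE: https://dist.apache.org/repos/dist/release/PROJECT   # PROJECT: placeholder
jobs:
  build-wheels:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch the voted source tarball, its detached signature and the KEYS file
        run: |
          curl -fsSLO "$DIST_BASE/$VERSION/PROJECT-$VERSION.tar.gz"
          curl -fsSLO "$DIST_BASE/$VERSION/PROJECT-$VERSION.tar.gz.asc"
          curl -fsSL  "$DIST_BASE/KEYS" -o KEYS
      - name: Verify the release-manager signature before anything is built from the source
        run: |
          gpg --import KEYS
          gpg --verify "PROJECT-$VERSION.tar.gz.asc" "PROJECT-$VERSION.tar.gz"
      - name: Build wheels from the verified source (package directory is assumed)
        run: |
          tar -xzf "PROJECT-$VERSION.tar.gz"
          python3 -m pip install build
          python3 -m build --wheel --outdir dist/ "PROJECT-$VERSION"
      - uses: actions/upload-artifact@v4
        with:
          name: wheels
          path: dist/*.whl
  publish:
    needs: build-wheels
    runs-on: ubuntu-latest
    # Must match the environment registered as trusted publisher on PyPI; protect it
    # with required reviewers so the OIDC token is never minted unattended.
    environment: pypi
    permissions:
      id-token: write   # only this job can mint the OIDC token PyPI swaps for a short-lived upload token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: wheels
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          attestations: true   # PEP 740 attestations; no long-lived PyPI API token is stored as a secret
```

Keeping the build and publish jobs separate means the build step, which runs code from the source tree, never has the `id-token` permission, and only already-built artifacts reach the job that can talk to PyPI.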