matthewfeickert
Comment on lines 155 to 160
# Retrieve the OIDC token from GitLab CI/CD and exchange it for a PyPI API token
- oidc_token=$(python -m id PYPI)
- response=$(curl -X POST "${OIDC_MINT_TOKEN_URL}" -d "{\"token\":\"${oidc_token}\"}")
- api_token=$(jq --raw-output '.token' <<< "${response}")

- pipx run twine upload --password "${api_token}" --verbose dist/*whl dist/*gz
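
Review bot: the `curl -X POST` call on the `response=` line has no `--fail` or status check, so when the mint-token endpoint returns an error body without a `token` field, `jq --raw-output '.token'` prints `null` and the upload step runs with the literal password `null`. Add `--fail --silent --show-error` to the curl call and stop the job if `api_token` is empty or `null`, so a failed exchange is reported at the exchange step rather than as an upload authentication error. On the upload line, `--password "${api_token}"` places the minted token in the process argument list; setting it through the `TWINE_PASSWORD` environment variable keeps it out of the command line. The `<<<` here-string also assumes the job's shell is bash.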

These steps are currently based off of those shown in pypi/warehouse#13575 (comment). @kratsg can you please try this PR's changes on one of your CERN GitLab projects to validate them before we request review?

@matthewfeickert matthewfeickert Apr 17, 2024

* PyPI Trusted Publisher support now includes GitLab CI/CD, so use
  generated OIDC tokens to publish to TestPyPI or PyPI as needed in
  GitLab pipelines.
   - c.f. https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/
* Requires id v1.4.0+
@matthewfeickert matthewfeickert force-pushed the feat/use-trusted-publisher-for-gitlab branch from 8a55804 to 14518cf Compare September 17, 2024 22:37
@facutuesca

Since twine 6.1.0, uploading with Trusted Publishing on GitLab CI/CD is automatically detected, and doesn't need any of the manual steps that were needed before (other than adding the id_tokens section). For example:

```yaml
publish-job:
  stage: deploy
  image: python:3-bookworm
  id_tokens:
    PYPI_ID_TOKEN:
      aud: pypi
  script:
    - python -m pip install -U twine
    - twine upload python_pkg/dist/*
```

See the updated docs here: https://docs.pypi.org/trusted-publishers/using-a-publisher/#gitlab-cicd
