Skip to content

Comments

Use environment variables instead of contexts#1765

Merged
ncoghlan merged 3 commits intopypa:mainfrom
tomkins:zizmor-actions-fixes
Dec 23, 2024
Merged

Use environment variables instead of contexts#1765
ncoghlan merged 3 commits intopypa:mainfrom
tomkins:zizmor-actions-fixes

Conversation

@tomkins
Copy link
Contributor

@tomkins tomkins commented Dec 22, 2024
edited by github-actions bot
Loading

Closes #1748

Updates the "Signing the distribution packages" section to use environment variables rather than GitHub Actions context variables. No additional setting of environment variables are needed - these are all set/available already.

I've got a repo where we're using trusted publishing, although it's a slight variation on this, but hopefully it's an example that the environment variables work just fine:

https://github.com/developersociety/django-findreplace/blob/7fcf87397590b984dacaca58719f2d8b737d4f77/.github/workflows/publish.yml#L81
https://github.com/developersociety/django-findreplace/actions/runs/12457101550

📚 Documentation preview 📚: https://python-packaging-user-guide--1765.org.readthedocs.build/en/1765/

@tomkins tomkins requested a review from webknjaz as a code owner December 22, 2024 20:45
@tomkins
Copy link
Contributor Author

tomkins commented Dec 22, 2024

I've also added a persist-credentials: false for checkout, which is another potential zizmor found issue.

This might be overkill for fixing, as in theory the directory should never be added into a package. However, if for some bizarre reason a mistake is made - it would be good to help prevent it.

After this, zizmor is happy with the file:

$ zizmor --gh-token "$(gh auth token)" ./source/guides/github-actions-ci-cd-sample/publish-to-test-pypi.yml
2024-12-22T20:51:21.772745Z  INFO audit: zizmor: 🌈 completed /Users/tomkins/Development/packaging.python.org/source/guides/github-actions-ci-cd-sample/publish-to-test-pypi.yml
No findings to report. Good job! (9 suppressed)

ncoghlan
ncoghlan approved these changes Dec 23, 2024
View reviewed changes
Copy link
Member

@ncoghlan ncoghlan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks.

I added a link to the relevant zizmor issue explanation to the original bug report.

@ncoghlan
Copy link
Member

ncoghlan commented Dec 23, 2024
edited
Loading

PyPI still has its webscraping protections turned on (#1744), so I expect the merge request to fail (alas)

@ncoghlan ncoghlan enabled auto-merge December 23, 2024 02:55
@ncoghlan ncoghlan mentioned this pull request Dec 23, 2024
Merged
@ncoghlan ncoghlan disabled auto-merge December 23, 2024 04:04
@ncoghlan ncoghlan enabled auto-merge December 23, 2024 04:04
@ncoghlan ncoghlan disabled auto-merge December 23, 2024 04:04
@ncoghlan
Copy link
Member

ncoghlan commented Dec 23, 2024

Pending checks seem to be in a weird state. Closing/reopening to try to kick them.

@ncoghlan ncoghlan closed this Dec 23, 2024
@ncoghlan ncoghlan reopened this Dec 23, 2024
@ncoghlan
Copy link
Member

ncoghlan commented Dec 23, 2024
edited
Loading

Huh, looks like it may have been a bug in the new check review widget (the workflows needed approval to run, but the review widget didn't tell me that, I had to go look at the Actions UI).

Edit: checking the feedback request post at https://github.com/orgs/community/discussions/143787, that's a known limitation of the new widget (and fixing it is already on their TODO list)

@ncoghlan ncoghlan added this pull request to the merge queue Dec 23, 2024
Merged via the queue into pypa:main with commit fe434c3 Dec 23, 2024
3 checks passed
@webknjaz
Copy link
Member

webknjaz commented Dec 23, 2024

@ncoghlan I've working around that by manually going to the checks/actions tab and clicking the button in the workflow..

@tomkins tomkins deleted the zizmor-actions-fixes branch December 23, 2024 10:22
@di di mentioned this pull request Jan 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ncoghlan ncoghlan ncoghlan approved these changes

@webknjaz webknjaz Awaiting requested review from webknjaz webknjaz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

zizmor reveals "github.ref_name may expand into attacker-controllable code", should something else be used?

3 participants

@tomkins @ncoghlan @webknjaz