I just logged into my PyPI account (I was there to register an account, and
it turns out I already have one, which I have no memory of, and I do not
have any projects published there). It seems that they actually have an
automated way to create the GitHub Actions workflow for you:
https://docs.pypi.org/trusted-publishers/

But I would assume that might require that I have admin access to the
GitHub repo (not sure yet, as I don't have any other project to test with), so
if you are fine with that (e.g. add me to the PyPI maintainer list, I try
that approach, and if it doesn't work, give me admin access to the
GitHub repo), I'm fine :)

Also, there's a recent PyTorch supply chain attack report
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/>
which will be relevant to us if we choose to use GitHub Actions to
auto-publish to PyPI; we should then probably follow their suggested mitigation
<https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/#mitigations>,
which is to change the setting to "Require approval for all outside collaborators":
[screenshot: GitHub Actions setting "Require approval for all outside collaborators"]
(changing this setting on GitHub also requires admin access; the screenshot
is taken from a repo I have admin access to)

On Sat, Jan 13, 2024 at 3:13 AM Jens Geyer <jensge...@hotmail.com> wrote:

>
> I can probably add you to the PyPi maintainer list. Would that help?
>
>
> Am 12.01.2024 um 23:19 schrieb Yuxuan Wang:
> > IMHO there are two issues with the pypi publishing problem: technical and
> > non-technical.
> >
> > The non-technical issue is the credential/secret required to publish to
> > https://pypi.org/project/thrift/. Any of the technical solutions also
> > depends on that being available.
> >
> > Once we have it (in the GitHub Actions secret store, for example), then the
> > technical solution is not the hard part. As I mentioned in the Jira
> > thread, Reddit already has a GitHub Actions pipeline to publish to PyPI on
> > git tag that we can upstream to the Thrift project to be used (so whenever
> > a maintainer pushes a tag to GitHub, GitHub Actions auto-publishes to
> > PyPI). Or others can contribute other solutions.
> >
> > On Sat, Jan 6, 2024 at 3:18 AM Jens Geyer <je...@apache.org> wrote:
> >
> >> @all,
> >>
> >> I just want to bring up that topic again. There is a rather frequent
> >> stream of (absolutely legitimate) questions regarding the PyPI packages
> >> not being published.
> >>
> >> So it seems fair to say that there is obviously a certain demand within
> >> the community, which is super great. Now on the other hand we have no
> >> noteworthy reactions from that very same community to help with that
> >> topic.
> >>
> >> Let me put it bluntly. This is not your mother's supermarket where stock
> >> refills almost automagically overnight. This is open source. It
> >> works as long as there are at least some people spending parts of their
> >> valuable time supporting projects. It is about giving & taking.
> >>
> >> Thrift supports about 20+ target languages. So it is fair to say that
> >> supporting packages for all of them (where appropriate) is quite a bit of
> >> work.
> >>
> >> Of course I can only speak for myself, but I personally maintain quite a
> >> number of packages after each release. Thanks to the great work of other
> >> people (e.g. @JimKing) who spent their time on that topic before me,
> >> this became manageable by setting up and documenting a well-defined
> >> process to follow which also does not eat too much additional release
> >> time.
> >>
> >> If we can have such a process for PyPI that would be super awesome.
> >> Right now this is not the case, unfortunately. This is where you could
> >> chime in.
> >>
> >> See also
> >> https://github.com/apache/thrift/pull/2555
> >>
> >> Happy New Year everybody,
> >> JensG
> >>
> >>
> >>
>

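As an added example (not code from the Thrift project, from Reddit's pipeline, or from anyone in this thread), here is what the tag-triggered publishing workflow described above looks like when it uses a PyPI trusted publisher instead of a stored API token. It assumes the Python package source lives under lib/py, that release tags look like v1.2.3, that a GitHub environment named "pypi" exists, and that a trusted publisher for this repository, workflow file and environment has already been registered on the PyPI project page (the docs link above describes that step). All of those names are assumptions chosen for illustration.

```yaml
# Added example workflow, not the thrift project's own. Assumed names:
# source dir lib/py, tag pattern v*, GitHub environment "pypi".
name: publish-to-pypi

on:
  push:
    tags:
      - "v*"

# Default token gets read-only access; only the publish job asks for more.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build --outdir dist/ lib/py
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Binding the job to an environment lets repo admins require a reviewer
    # before it runs, and the PyPI trusted publisher can be pinned to it.
    environment: pypi
    permissions:
      # The OIDC token is what PyPI exchanges for a short-lived upload token;
      # no long-lived PyPI secret is stored in the repository.
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # Publishes everything in dist/ using the OIDC identity of this job.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Building and publishing are split into two jobs so that only the publish job, running on a tag and inside a reviewable environment, holds the `id-token: write` permission. Registering the trusted publisher on PyPI requires the repository owner and name, the workflow filename, and (optionally) the environment name, and PyPI will reject uploads whose OIDC claims do not match those values. The "Require approval for all outside collaborators" setting from the thread is a separate repository-level switch that this workflow file cannot set by itself.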