Add ci action for package build and pypi upload #28
Merged
leifdenby merged 2 commits on Jun 9, 2026
observingClouds approved these changes, Jun 9, 2026
observingClouds (Contributor) left a comment:
I do not feel too strongly about my comments, so feel free to act as you like
Comment on lines +45 to +48
| # Requires PyPI Trusted Publishing to be configured for this GitHub | ||
| # repository/workflow/environment on pypi.org. The `id-token: write` | ||
| # permission above lets this action request an OIDC token, in place of a | ||
| # PYPI_TOKEN repository secret. |
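Review bot: the comment on lines +45 to +48 says `id-token: write` is granted "above" but not whether that is the workflow-level `permissions:` block or the publish job's own; since the OIDC token is only needed for the upload step, the comment would be more useful if it named the job (and the GitHub environment, if one is used) that the pypi.org trusted publisher is registered against, so a reader can confirm the permission is scoped to that job and matches the PyPI-side configuration without searching the rest of the file.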
Contributor
I would personally remove this comment
| @@ -0,0 +1,49 @@ | |||
| ### CI actions are pinned to immutable commit hashes, not mutable tags, to reduce supply-chain risk and help prevent LLM-based CI attacks. See https://github.com/lirantal/pypi-security-best-practices#13-secure-your-cicd-release-pipeline. | |||
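Review bot: a bare commit hash in `uses:` is hard to review on its own; suggest pairing each pin with the tag it was resolved from as a trailing comment (for example `uses: owner/action@<full-sha> # vX.Y.Z`) so reviewers can check that the hash really corresponds to the stated release and update tooling can find the pin. Also, "LLM-based CI attacks" in this header comment is vaguer than the risk the pin actually addresses (a mutable tag being retargeted to different code after review); stating that directly would make the rationale clearer to the next maintainer.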
Contributor
Now we know why there are hashes, but I don't think this needs to be stated here.
Member / Author
Thanks @observingClouds :) I am going to leave both comments in because I am likely to forget myself I think, and also I think it is quite unusual still to use hashes rather than tags, and the trusted publishers thing is still quite new I think
Adds a GitHub CI action that will build a package wheel for releases created on GitHub and upload it to pypi.org using Trusted Publisher based authentication. This is currently set up under my pypi.org account, but we could eventually apply for an organisation on pypi.org and I can transfer the ownership of the project on pypi.org to that organisation (that is what we did for MLCast, but the organisation took about a month to get approval).
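As an added illustration (not code from this PR or its repository), the following Python script turns the two review points above into a check a maintainer could run over a workflow file before merging: every `uses:` reference must be pinned to a full 40-hex commit SHA, and `id-token: write` should be granted at the job level rather than workflow-wide. The two embedded workflow snippets are constructed for the example; the 40-character hashes are placeholders rather than real commit ids, and the action names are the usual ones for a PyPI publish job.

```python
"""Added example: lint a GitHub Actions release workflow for hash-pinned
actions and a job-scoped `id-token: write` grant (Trusted Publishing)."""
import re

# Placeholder SHAs, constructed for the example; a real pin would carry the
# hash the tag resolved to plus a trailing comment naming that tag.
PLACEHOLDER_SHA_A = "a" * 40
PLACEHOLDER_SHA_B = "b" * 40

# Constructed workflow in the shape the PR describes: build on a published
# release, upload only from a job that holds the OIDC permission.
SAMPLE_WORKFLOW = f"""\
name: release
on:
  release:
    types: [published]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA_A}  # v4.x.y (placeholder)
      - uses: actions/setup-python@{PLACEHOLDER_SHA_B}  # v5.x.y (placeholder)
      - run: python -m pip install build && python -m build
  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write
    steps:
      - uses: pypa/gh-action-pypi-publish@release/v1
"""

# Constructed weaker variant: mutable tags everywhere and the OIDC permission
# granted to every job in the workflow.
WEAK_WORKFLOW = """\
name: release
on:
  release:
    types: [published]
permissions:
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pypa/gh-action-pypi-publish@release/v1
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def unpinned_actions(workflow_text):
    """Return every `uses:` reference whose version is not a full commit SHA.
    Local (./path) and docker:// references are skipped."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def id_token_scopes(workflow_text):
    """Return (scope, job) for each `id-token: write` grant, where scope is
    'workflow' for the top-level permissions block and 'job' otherwise."""
    scopes = []
    top_key = None   # current top-level mapping key (indent 0)
    job = None       # current job name while inside `jobs:`
    for line in workflow_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0 and stripped.endswith(":"):
            top_key, job = stripped[:-1], None
        elif top_key == "jobs" and indent == 2 and stripped.endswith(":"):
            job = stripped[:-1]
        if stripped.startswith("id-token:") and stripped.split(":", 1)[1].strip() == "write":
            scopes.append(("workflow" if top_key == "permissions" else "job", job))
    return scopes


def lint(workflow_text):
    """Collect human-readable findings for the two review points."""
    problems = [f"not pinned to a commit SHA: {ref}" for ref in unpinned_actions(workflow_text)]
    for scope, _job in id_token_scopes(workflow_text):
        if scope == "workflow":
            problems.append("id-token: write granted workflow-wide; scope it to the publish job")
    return problems


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_WORKFLOW), ("weak", WEAK_WORKFLOW)):
        print(name, lint(text))
```

The line-based scan deliberately avoids a YAML dependency so it can run in a bare pre-commit hook; the one finding it still reports for the sample workflow is the publish action itself, which the constructed snippet leaves on a mutable `release/v1` ref so the check has something to catch.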