This repository has been archived by the owner on Apr 3, 2024. It is now read-only.

Add PyPI API token to github secrets #62

Open
tristanlatr opened this issue Jun 15, 2021 · 3 comments

Comments

@tristanlatr
Collaborator

Hi @chorsley ,

Could you follow the process below in order to add the PyPI key to the GitHub secrets?

1. In your account settings, go to the API tokens section and select "Add API token".
2. Then in the GitHub repo settings, add the value to a new secret named "PYPI_TOKEN".

Then the publication of the package should be automatic when new tags are pushed and the tests pass :D

Thank you!

@chorsley
Owner

Hi @tristanlatr,

Before we line any of that automated publishing up, we'd want to be very careful that a random committer can't add malicious code in a commit, get us to trigger the PyPI publish step, then have unsuspecting people install a malicious version of the package.

We'd want to have some kind of final PR approval and review on any code to be introduced into the release before the package is published.

This becomes a release management issue. I'm happy to put in my 2c from successful patterns we've used previously, but what are you doing / thinking on that front at the moment?
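
As an added illustration of the two comments above (not a workflow from this repository), the following GitHub Actions workflow wires the PYPI_TOKEN secret into a tag-triggered publish job that only runs after the tests pass and after a maintainer approves a protected "pypi" environment, which is one way to get the "final approval before publish" gate the owner asks for. The workflow name, the `v*` tag pattern, the environment name, and the pinned action versions are assumptions.

```yaml
# Added example, not part of the original issue or the wappalyzer project.
# Publishes to PyPI only when (a) a version tag is pushed, (b) the test job
# succeeded, and (c) a required reviewer approved the "pypi" environment.
name: release

on:
  push:
    tags: ['v*']            # assumption: releases are tagged v1.2.3

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - run: pip install . pytest && pytest

  publish:
    needs: test             # never runs if the test job failed
    runs-on: ubuntu-latest
    # Protected environment: create it under Settings > Environments and
    # enable "Required reviewers". The job pauses until a listed maintainer
    # approves it, so a malicious commit cannot reach PyPI unreviewed.
    # Store PYPI_TOKEN as an environment secret on "pypi" rather than as a
    # repository secret, so only approved runs of this job can read it.
    environment: pypi
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - run: pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_TOKEN }}   # the secret added in step 2 above
```

Scoping the token to a single PyPI project when creating it limits what a leaked secret can publish.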

@tristanlatr
Collaborator Author

Hi @chorsley,

I agree that automated publishing is a security risk because of what you’ve explained; the same risk is present when people install wappalyzer from sources, though.

I don’t want to over-complicate the release process, like getting approval on all PRs. This is becoming a challenge for me on other open source software: I’ve been waiting for months for my PRs to get approved. So I don’t want to go this route for this repo.

So I’m ok with manual publishing for now.

@igibek

igibek commented Jun 22, 2022

Hey, everyone

It is not totally related to the discussion above, but I decided to give you a heads up that PyPI still shows that the latest version is 0.3.1. Can someone publish the latest 0.4.0 version?

Thanks
