(One of my summaries of the one-day Pycon NL conference in Utrecht, NL).
Using software is easy, releasing software is harder.
Originally trained as a lawyer, she wondered why software had to be released so often. As a lawyer, she had to work with laws sometimes already written in 1860 :-) Nowadays she is the release manager of ansible.
Ansible is ansible-core in combination with 95+ different python modules called collections.
Originally, releasing to the python package index, pypi, wasn’t really safe. Every person doing the release needed some __token__ in their ~/.pypirc. This can be compromised. And the token can be overscoped. And… can you be sure that every person doing the release is doing it in a safe way? That the person’s laptop is secure enough?
Pypi now allows you to use trusted publishing. OIDC, “OpenID Connect”, is used behind the scenes to connect pypi to github/gitlab/etc. It is a way to create short-lived tokens to upload to pypi from a github/gitlab job.
A specific github repository and specific github action within that repository is set up as “trusted” by one of the maintainers of the project on pypi. The github action will, when uploading, use the OIDC mechanism to request a short-lived access token from pypi. It then uses the token to upload the release to pypi.
(Personal note: I’m using it myself for a couple of projects and it works like a charm).
Ansible’s own release github action is here: https://github.com/ansible-community/ansible-build-data/blob/main/.github/workflows/ansible-release.yml
My name is Reinout van Rees and I program in Python, I live in the Netherlands, I cycle recumbent bikes and I have a model railway.