Pycon NL: Using PyPI trusted publishing for ansible releases - Anwesha Das

Tags: pycon, python

(One of my summaries of the one-day Pycon NL conference in Utrecht, NL).

Using software is easy, releasing software is harder.

Originally trained as a lawyer, she wondered why software had to be released so often. As a lawyer, she had to work with laws sometimes already written in 1860 :-) Nowadays she is the release manager of ansible.

Ansible is ansible-core in combination with 95+ different python modules called collections.

Originally, releasing to the python package index, pypi, wasn’t really safe. Every person doing the release needed a long-lived __token__ entry in their ~/.pypirc. That token can be compromised. And the token can be overscoped. And… can you be sure that every person doing the release is doing it in a safe way? That the person’s laptop is secure enough?

Pypi now allows you to use trusted publishing. OIDC, “openID connect”, is used behind the scenes to connect pypi to github/gitlab/etc. It is a way to create short-lived tokens to upload to pypi from a github/gitlab job.

A specific github repository and specific github action within that repository is set up as “trusted” by one of the maintainers of the project on pypi. The github action will, when uploading, use the OIDC mechanism to request a short-lived access token from pypi. It then uses the token to upload the release to pypi.

(Personal note: I’m using it myself for a couple of projects and it works like a charm).

Ansible’s own release github action is here: https://github.com/ansible-community/ansible-build-data/blob/main/.github/workflows/ansible-release.yml


Reinout van Rees
