Security Handling for Simplified Workflow #423

Closed
blink1073 opened this issue Oct 5, 2022 · 0 comments · Fixed by #424 or #429
Labels
bug Something isn't working

Comments

blink1073 (Contributor) commented Oct 5, 2022

It turns out that using tag protection doesn't work the way we'd hoped, but we can do the following instead to enforce admin-only publish:

  • Use the GITHUB_TOKEN for the workflows and add content:write permission
  • Enforce that gh.repos.get_collaborator_permission_level('$GITHUB_ACTOR')['permission'] is "admin"
  • Ensure we use the user name and email of the $GITHUB_ACTOR to set up the git config

For the shared PyPI credentials, we can create a bot pypi user per org, and add a scoped release token per repo in the org.
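An added example of the admin-only publish guard proposed above, not code from this issue or the project: it queries the collaborator permission endpoint with the workflow's GITHUB_TOKEN, allows publishing only for an exact "admin" level, and derives the git identity from $GITHUB_ACTOR (the noreply e-mail fallback and the `fetch` injection hook are assumptions).

```python
"""Admin-only publish guard, added example; not the project's own code.

Assumes GitHub's GET /repos/{owner}/{repo}/collaborators/{username}/permission
endpoint and the GITHUB_ACTOR, GITHUB_REPOSITORY and GITHUB_TOKEN variables a
workflow exposes. The noreply e-mail fallback is an assumption.
"""
import json
import os
import urllib.request
from typing import Callable, Dict


def fetch_permission(owner_repo: str, actor: str, token: str) -> Dict:
    """Query the collaborator permission endpoint with the workflow token."""
    url = f"https://api.github.com/repos/{owner_repo}/collaborators/{actor}/permission"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def publish_allowed(actor: str, owner_repo: str, token: str,
                    fetch: Callable[[str, str, str], Dict] = fetch_permission) -> bool:
    """True only when the actor is set and holds exactly 'admin' permission.

    'write' or 'maintain' is not enough: anyone who can push could otherwise
    trigger a release. `fetch` is injectable so the check runs offline.
    """
    if not actor:
        return False
    return fetch(owner_repo, actor, token).get("permission") == "admin"


def git_identity(actor: str) -> Dict[str, str]:
    """git config values derived from the actor, as the issue proposes."""
    return {"user.name": actor,
            "user.email": f"{actor}@users.noreply.github.com"}  # assumed fallback


if __name__ == "__main__":
    env = os.environ
    actor = env.get("GITHUB_ACTOR", "")
    if not publish_allowed(actor, env["GITHUB_REPOSITORY"], env["GITHUB_TOKEN"]):
        raise SystemExit(f"refusing to publish: {actor or '<unset>'} is not an admin")
    for key, value in git_identity(actor).items():
        print(f"git config {key} '{value}'")
```

Run it as an early step of the release job so the workflow fails before any tag or upload happens when the triggering actor is not an admin.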
