@@ -13,6 +13,10 @@ walkthrough check out the [PyPA guide].
1313If you have any feedback regarding specific action versions, please leave
1414comments in the corresponding [ per-release announcement discussions] .
1515
16+ > [ !TIP]
17+ > A limited number of usage scenarios is supported, including the
18+ > [ PyPA guide] example. See the [ non-goals] for more detail.
19+
1620
1721## 🌇 ` master ` branch sunset ❗
1822
@@ -131,6 +135,9 @@ same identity.
131135This GitHub Action [has nothing to do with _building package
132136distributions_]. Users are responsible for preparing dists for upload
133137by putting them into the `dist/` folder prior to running this Action.
138+ They are typically expected to do this in a _separate GitHub Actions
139+ CI/CD job_ running before the one where they call this action and having
140+ restricted privileges.
134141
135142> [!IMPORTANT]
136143> Since this GitHub Action is docker-based, it can only
@@ -155,6 +162,72 @@ by putting them into the `dist/` folder prior to running this Action.
155162> sharing the built dists across stages and jobs. Then, use the `needs`
156163> setting to order the build, test and publish stages.
157164
165+ The expected environment for running `pypi-publish` is the
166+ GitHub-provided Ubuntu VM. We are running a smoke-test against
167+ ` ubuntu-latest` in CI but any currently available numbered versions
168+ should do. We'll consider them supported for as long as GitHub itself
169+ supports them.
170+
171+ Running the action in a job that has a `container:` set is not
172+ supported. It might work for you but you're on your own when it breaks.
173+ If you feel the need to use it, it's likely that you're not following
174+ the recommendation of invoking the build automation in a separate job,
175+ which is considered a security issue (especially, when using [Trusted
176+ Publishing][trusted publisher] that may cause privilege escalation and
177+ would enable the attackers to impersonate the GitHub-backed identity of
178+ the repository through transitive build dependency poisoning). The
179+ solution is to have one job (or multiple, in case of projects with
180+ C-extensions) for building the distribution packages, followed by
181+ another that publishes them.
182+
183+ Self-hosted runners are best effort, provided no other unsupported
184+ things influence them. We are unable to test this in CI and they may
185+ break. This is often the case when using custom runtimes and not the
186+ official GitHub-provided VMs. In general, if you follow the
187+ recommendation of building in a separate job, you shouldn't need to run
188+ this action within a self-hosted runner — it should be possible to
189+ build your dists in a self-hosted runner, save them as a GitHub Actions
190+ artifact in that job, and then invoke the publishing job that would run
191+ within GitHub-provided runners, downloading the artifact with the dists
192+ and publishing them. Such separation is the _recommended_/**supported**
193+ way of handling this scenario.
194+ Our understandng is that Trusted publishing is expected to work on
195+ self-hosted runners. It is backed by OIDC. If it doesn't work, you
196+ should probably ask GitHub if you missed something. We wouldn't be able
197+ to assist here.
198+
199+ Trusted Publishing cannot be tested in CI at the moment, sadly. It is
200+ supported and bugs should be reported but it may take time to sort out
201+ as it often requires cross-project collaboration to debug (sometimes,
202+ problems occur due to changes in PyPI and not in the action).
203+
204+ The only case that is explicitly unsupported at the moment is [Trusted
205+ Publishing][trusted publisher] in reusable workflows. This requires
206+ support on the PyPI side and is being worked on. Please, do not report
207+ bugs related to this case. The current recommendation is to put
208+ everything else you want into a reusable workflow but keep the job
209+ calling `pypi-publish` in a top-level one.
210+
211+ Invoking `pypi-publish` from composite actions is unsupported. It is not
212+ tested. GitHub Runners have limitations and bugs in this case. But more
213+ importantly, this is usually an indication of using it insecurely. When
214+ using [Trusted Publishing][trusted publisher], it is imperative to keep
215+ build machinery invocation in a separate job with restrictive priviliges
216+ as [Trusted Publishing][trusted publisher] itself requires elevated
217+ permissions to make use of OIDC. Our observation is that the users
218+ sometimes create in-project composite actions that invoke building and
219+ publishing in the same job. As such, we don't seek to support such a
220+ dangerous configuration in the first place. The solution is pretty much
221+ the same as with the previous problem — use a separate job with
222+ dedicated and scoped privileges just for publishing; and invoke that
223+ in-project composite action from a different job.
224+
225+ And finally, invoking `pypi-publish` more than once in the same job is
226+ not considered supported. It may work in a limited number of scenarios
227+ but please, don't do this. If you want to publish to several indexes,
228+ build the dists in one job and add several publishing jobs, one per
229+ upload.
230+
158231
159232# # Advanced release management
160233
@@ -294,6 +367,8 @@ https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
294367[per-release announcement discussions] :
295368https://github.com/pypa/gh-action-pypi-publish/discussions/categories/announcements
296369
370+ [non-goals] : # Non-goals
371+
297372[Creating & using secrets] :
298373https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets
299374[has nothing to do with _building package distributions_] :
0 commit comments