Switch to Trusted Publishing for package upload to PyPI in CI #4008
Description
Trusted publishing (with attestations) is currently suggested as good practice to ensure confidence that what users download from PyPI is the same artifact that was generated in GitHub CI, meaning that what I see in GitHub is the same as what is installed - handy for auditing. It also avoids the presence of PyPI tokens as 'secrets' in the CI, which can be exfiltrated by bad actors.
Following the recent litellm supply chain attack this week, I would like to express my support for this*. The redis package is one of 16 packages in the top 500 PyPI packages (by downloads) which use the pypa/gh-action-pypi-publish action but have not yet upgraded it to use Trusted Publishing: this is 'low hanging fruit' in terms of making Python a more secure programming environment.
Instead of using the stored secret token, GitHub vouches for the upload, and PyPI checks the uploading CI workflow filename against a pre-declared filename you set ahead of time (in redis's case the filename is pypi-publish.yaml). It also requires creating an 'environment' for the repo on GitHub (suggested name "pypi") which you also register the package with on PyPI.
* Post-mortems of the litellm attack:
- https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/
- https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/
Implementation (click to expand)
-
Configure (or use an existing) GitHub environment, and register with PyPI
-
Add the environment definition to the same
publishjob -
Add
id-token: write,contents: writeandpackages: writepermissions to the samepublishjob- specifying any permission restricts the token, and creating a GitHub release requires
contents: writeand potentiallypackages: write
- specifying any permission restricts the token, and creating a GitHub release requires
-
Remove
userandpasswordarguments in thePublish to Pypistep of thebuild_and_packagejob of the Publish tag to Pypi CI workflow -
Optionally remove the
PYPI_API_TOKENproject secret