
Update PYPI_TOKEN #150

Open
MattiSG opened this issue May 17, 2024 · 2 comments
Assignees
Labels
kind:ci Changes to our CI configuration files and scripts

Comments

@MattiSG
Member

MattiSG commented May 17, 2024

We have a PYPI_TOKEN secret defined at organisation level in GitHub Actions. However, it apparently does not grant access for publishing packages on PyPI, as we discovered in #147.

If this value is simply improper, we should replace its content with a new token that enables PyPI publishing, so we can publish the latest version of the Country Template and check that CD works properly.
If it is right and has another use, a new token should be issued and stored with that same name in this repository's secrets so that it shadows it.

In either case, after the change, we should re-run the last Deploy workflow, so that we can check that the latest CD changes are operational.

@sandcha
Contributor

sandcha commented May 21, 2024

In #147, the PyPI publishing issue was introduced by this action: Rename the GitHub secret PYPI_TOKEN_OPENFISCA_BOT used in the deploy workflow to PYPI_TOKEN.

In the Settings page of the Country-Template, in the Secrets and variables section, PYPI_TOKEN is an Organization secret, but:

  • it does not grant access to all package publications, so it looks like, on PyPI's configuration side, it is not configured for all the PyPI projects
  • if we want to update the PyPI configuration, we need to identify the PyPI account where the token was created, but this information is missing (on the GitHub interface and in the token name)
  • if tomorrow we want to configure different PyPI accesses for different countries, for example, a unique PyPI token might be a limitation to this configuration.

So, that's why we added a PYPI_TOKEN_OPENFISCA_BOT at the Repository secrets level. Its name carries the name of the PyPI account where it's configured.

On PyPI, connected as openfisca-bot, we can see that there is 1 token per repository. For now, PyPI allows either 1 token for all repositories or 1 for each repository (aka PyPI project). As we have multiple teams and countries in openfisca, the decision was made to give 1 token per PyPI project.

If you agree with this solution, I think that we need to remove the PYPI_TOKEN and be careful to replace it with a token made specifically for every repository that is still calling the PYPI_TOKEN in its CI (mainly openfisca-france).

@MattiSG
Member Author

MattiSG commented May 21, 2024

Thanks for these clarifications!

Issuing one token per repo sounds like a much safer option, it's great 🙂
The only issue I have is that I cannot create a new token to give publish access to this repo 😅 If we just create such a token and call it PYPI_TOKEN at repository secret level, it should shadow the organisation-level one, and then all problems would be solved, as I understand it 😉

@sandcha if you have the rights to issue such a token, could you set one up and store it as PYPI_TOKEN at repository secret level? 🙂
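The shadowing arrangement the two comments above converge on (a per-project PyPI token stored as a repository secret under the same name as the organisation-wide one) can be illustrated with a minimal deploy workflow. This is an added example, not the Country Template's actual Deploy workflow; it assumes the package is built into dist/ with `python -m build`, that the tag push is the release trigger, and that the repository secret PYPI_TOKEN holds a token scoped to this single PyPI project. GitHub resolves `secrets.PYPI_TOKEN` to the repository-level value when one exists, so the organisation-level secret is never used by this job.

```yaml
# Added illustration, not the openfisca country-template's own workflow.
# Assumptions: build via `python -m build`, release on tag push, and a
# repository secret named PYPI_TOKEN scoped to this one PyPI project.
name: Deploy

on:
  push:
    tags:
      - "*"

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Build source and wheel distributions
        run: |
          python -m pip install --upgrade build
          python -m build

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # A repository secret takes precedence over an organisation secret
          # of the same name, so storing the project-scoped token here as
          # PYPI_TOKEN shadows the organisation-wide PYPI_TOKEN for this repo.
          # The action sends the token as the password for the __token__ user.
          password: ${{ secrets.PYPI_TOKEN }}
```

Because the token is scoped to one PyPI project, a leak of this repository's secret cannot be used to publish any other package in the organisation, which is the safety gain sandcha describes. If the upload still fails with a permission error after the repository secret is set, the first thing to verify is which PyPI project the token was issued for, since the name stored in GitHub gives no hint of that.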

@bonjourmauko bonjourmauko added the kind:ci Changes to our CI configuration files and scripts label Sep 30, 2024