OIDC: add initial PyPI docs
This is a work in progress.
Why:
Closes #24594.
What's being changed (if available, include any code snippets, screenshots, or gifs):
This adds some documentation and a guide for OIDC federation between GitHub and PyPI, the Python Package Index. PyPI's OIDC publishing support is currently in a closed beta, so these changes are not 100% ready for public consumption yet; I'm just pushing this up for visibility + to get the ball rolling for when they become generally available.
Check off the following:
- [ ] I have reviewed my changes in staging (look for the "Automatically generated comment" and click the links in the "Preview" column to view your latest changes).
- [ ] For content changes, I have completed the self-review checklist.
đ Hey there spelunker. It looks like you've modified some files that we can't accept as contributions. The complete list of files we can't accept are: .devcontainer/** .github/actions-scripts/** .github/workflows/** .github/CODEOWNERS assets/fonts/** data/graphql/** Dockerfile* src/** lib/redirects/** package*.json scripts/** content/actions/deployment/security-hardening-your-deployments/**
You'll need to revert all of the files you changed in that list using GitHub Desktop or git checkout origin/main <file name>. Once you get those files reverted, we can continue with the review process. :octocat:
Automatically generated comment
This comment is automatically generated and will be overwritten every time changes are committed to this branch.
The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data directory will not show up in this table.
Content directory changes
You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.
| Source | Preview | Production | What Changed |
|---|---|---|---|
| actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md | fpt ghec ghes@ 3.10 3.9 3.8 3.7 3.6 | fpt ghec ghes@ 3.10 3.9 3.8 3.7 3.6 | |
| actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi.md | fpt ghec | fpt ghec | New file |
fpt: Free, Pro, Team ghec: GitHub Enterprise Cloud ghes: GitHub Enterprise Server ghae: GitHub AE
@woodruffw Thanks for the PR and for linking it to your issue!
As this isn't ready yet, I'm going to triage it for review, but we won't merge this until you're ready. Please ping me again here when it's ready for merge.
Actually, would this be better served as a draft PR until it's ready?
Thanks for triaging @cmwilson21! I think this can be considered ready for review; I see the CI is red but I assume that it's mostly just lints that I need to handle.
Lintage fixed, but I'm not sure what's up with the link check -- perhaps that's failing because of the warnings about these files not being editable by third-party contributors? The path looks correct to me.
@woodruffw does this need the updated "Trusted Publishers" terminology injected in some of the places in these docs?
> does this need the updated "Trusted Publishers" terminology injected in some of the places in these docs?
Yep, I've made those changes -- I've preserved "OIDC" in places where we're talking about the GitHub functionality or IdP specifically, and changed the rest to "trusted publishing."
@cmwilson21 This should be good for another review! The only failures are in the unallowed files check and the link checker, both of which I believe are happening because I'm not technically allowed to modify these.
CC @MylesBorins and @steiza for factual/style checks as well, since I know you're invested in this landing.
Updated with feedback addressed! Please let me know if there's anything else I can do here.
Is there any way we can suppress these bot comments? This PR intentionally modifies files (due to a request from GH for docs) that would otherwise be considered out of scope for a third-party contribution.
It looks like this could be merged. However, we can't do this here in this repo due to rules restricting changes to this part of the documentation in the OS repository. I'll create a new PR in our internal docs repo and move these changes over there so that we can get this merged.
@woodruffw - Many thanks for contributing to the docs.
@hubwriter I've found several improvement possibilities. Would you be open to incorporating them in follow-ups?
Thanks @webknjaz. If you could use the code review functionality for suggesting a specific change to indicate exactly what changes you would like to make to the Markdown, I can transfer those suggestions to the new PR I've opened internally.