CI: remove dead upload_pypi job from reusable workflow, rename to lib-build.yml#825
Draft
nikagra wants to merge 2 commits into scylladb:master from
Conversation
…-build.yml

Closes scylladb#824. Follow-up to scylladb#820.

The upload_pypi job in lib-build-and-push.yml was never reachable: none of the four caller workflows pass upload: true. build-push.yml and publish-manually.yml already publish from their own separate jobs (necessary due to how PyPI Trusted Publishing embeds the caller workflow path in the OIDC token).

Because the reusable workflow declared 'permissions: id-token: write' for upload_pypi, GitHub's static permission validation forced build-test.yml (a pull_request workflow, which defaults to id-token: none) to also declare id-token: write — granting unnecessary privileges to a job that only builds wheels.

Changes:
- Rename lib-build-and-push.yml -> lib-build.yml (it only builds now)
- Remove upload input and upload_pypi job from the reusable workflow
- Remove 'permissions: id-token: write' and 'with: upload: false' from build-test.yml (no longer needed)
- Update all callers (build-push.yml, publish-manually.yml, build-pre-release.yml) to reference the new workflow path and drop upload: false from with: blocks
- Replace TODO comments in build-push.yml and publish-manually.yml with an explanatory comment: the separate publish job is now intentional design, not a temporary workaround
… steps

GITHUB_WORKFLOW_REF was set as a shell env var prefix on the cibuildwheel invocations as an attempted workaround for pypa/gh-action-pypi-publish#166 (reusable workflows not supported by PyPI Trusted Publishing). The workaround does not work for two reasons:

1. GITHUB_WORKFLOW_REF is a GitHub runner-provided variable used to populate the OIDC token. Setting it in a child process's environment has no effect on the token GitHub's infrastructure mints.
2. The OIDC token is minted when pypa/gh-action-pypi-publish runs (in the publish job), not when cibuildwheel runs (in build-wheels). The variable was set in the wrong job entirely.

The actual working workaround is running pypa/gh-action-pypi-publish directly in the caller workflow (build-push.yml, publish-manually.yml), which is already done. This variable override is dead code with no effect.
Summary
Closes #824. Follow-up to #820, addressing @Lorak-mmk's review concern.
The `upload_pypi` job in `lib-build-and-push.yml` was never reachable: none of the four caller workflows pass `upload: true`. `build-push.yml` and `publish-manually.yml` already publish from their own separate jobs — this is required by how PyPI Trusted Publishing works: the OIDC token embeds the caller workflow path, so the `pypa/gh-action-pypi-publish` action must run in the caller, not inside a reusable workflow (see pypa/gh-action-pypi-publish#166).

Because the reusable workflow declared `permissions: id-token: write` for `upload_pypi`, GitHub's static permission validation (which runs before evaluating any `if:` conditions) forced `build-test.yml` — a `pull_request` workflow, where `id-token` defaults to `none` — to also declare `id-token: write`. This granted unnecessary privileges to a job that only builds wheels.

Changes
Commit 1: remove dead upload_pypi job, rename to lib-build.yml

- Rename `lib-build-and-push.yml` → `lib-build.yml` (it only builds now)
- Remove `upload` input and `upload_pypi` job from the reusable workflow
- Remove `permissions: id-token: write` and `with: upload: false` from `build-test.yml` — no longer needed, principle of least privilege restored
- Update all callers (`build-push.yml`, `publish-manually.yml`, `build-pre-release.yml`) to reference the new workflow path and drop the now-nonexistent `upload: false` from `with:` blocks
- Replace TODO comments in `build-push.yml` and `publish-manually.yml`: the separate publish job is now intentional design, not a temporary workaround pending an upstream fix

Commit 2: remove ineffective `GITHUB_WORKFLOW_REF` override

`GITHUB_WORKFLOW_REF` was set as a shell env var prefix on the `cibuildwheel` invocations, introduced in #439 as a workaround for the same issue #166. It does not work for two reasons:

1. `GITHUB_WORKFLOW_REF` is set by GitHub's runner infrastructure to populate the OIDC token — overriding it in a child process's environment has no effect on the token GitHub's servers mint.
2. The OIDC token is minted when `pypa/gh-action-pypi-publish` runs (in the `publish` job), not when `cibuildwheel` runs (in `build-wheels`). The variable was being set in the wrong job entirely.

The actual working workaround is already in place: `pypa/gh-action-pypi-publish` runs directly in the caller workflows (`build-push.yml`, `publish-manually.yml`). This variable override was dead code with no effect.

Result

Removed:
- `build-test.yml`: `permissions` `id-token: write` (unnecessary)
- `lib-build-and-push.yml`: `upload_pypi` job
- `GITHUB_WORKFLOW_REF` env var
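The permission interaction the description relies on, shown as an added minimal before/after in GitHub Actions YAML (illustrative, not the PR's own diff): a reusable workflow that declares `id-token: write` on an unreachable job still forces every caller, including a `pull_request` workflow, to grant that permission; removing the job lets the caller fall back to the default token. The step contents, `ubuntu-latest`, and the exact `uses:` paths are assumptions.

```yaml
# BEFORE: .github/workflows/lib-build-and-push.yml (reusable workflow)
on:
  workflow_call:
    inputs:
      upload:
        type: boolean
        default: false
jobs:
  build-wheels:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pipx run cibuildwheel        # builds wheels only (assumed step)
  upload_pypi:
    needs: build-wheels
    if: inputs.upload                     # no caller ever passes upload: true
    runs-on: ubuntu-latest
    permissions:
      id-token: write                     # static validation: every caller must grant this
    steps:
      - uses: pypa/gh-action-pypi-publish@release/v1
---
# BEFORE: .github/workflows/build-test.yml (pull_request caller)
on: pull_request
permissions:
  id-token: write                         # only present to satisfy the reusable workflow
jobs:
  build:
    uses: ./.github/workflows/lib-build-and-push.yml
    with:
      upload: false
---
# AFTER: .github/workflows/lib-build.yml (reusable workflow, build only)
on:
  workflow_call:
jobs:
  build-wheels:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pipx run cibuildwheel        # assumed step
---
# AFTER: .github/workflows/build-test.yml
on: pull_request                          # id-token defaults to none; nothing to grant
jobs:
  build:
    uses: ./.github/workflows/lib-build.yml
```

Publishing stays in a job of the caller workflow (as `build-push.yml` and `publish-manually.yml` already do), so `id-token: write` is granted only where the OIDC token is actually minted.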