Buildkite OIDC support #14814
Buildkite OIDC support #14814
Conversation
sj26
force-pushed
the
buildkite-oidc
branch
3 times, most recently
from
57d5fc4 to
29635b4
Compare
|
Related: #14063 |
|
This flow works for me end-to-end. I built a little Buildkite plugin that makes it work: https://github.com/sj26/pypi-oidc-buildkite-plugin I can create a pending publisher, then using that plugin I can push a test package from a pipeline -- here using my local test version of the warehouse running this branch: steps:
- label: ":python: Publish package to PyPI"
plugins:
- sj26/pypi-oidc:
repository_url: http://web.warehouse.orb.local/legacy/
command: |
python3 setup.py sdist
python3 -m pip install --upgrade twine
twine upload --verbose --repository-url http://web.warehouse.orb.local/legacy/ dist/*https://buildkite.com/sj26/buildkite-test-python/builds/5#018ba431-aa12-451e-90a0-48072b987900 CRUD for pending publishers is pretty good, given the tabbed interface: 
but (project) publishers seem very GitHub specific: 
Should I extrapolate the design a little to make it tabbed or something? The table might be the trickiest part – publishers aren't always going to have equivalent claims. What's the intention for adding more publishers? @miketheman is that what you're driving at in #14063? |
|
Yeah tabs works great for the new project publisher forms: 
but claims are going to look a little gross with a naive 
Is there a nice visual pattern for this sort of thing? Perhaps a middle ground — a "Subject" column (linked; the github repo+workflow, or buildkite pipeline) and then "Conditions" (Environment, or Build Branch/Tag/Step Key). |
|
Hi @sj26, are you still working on this, or should we close this PR? |
I'm sketching out support for Buildkite OIDC tokens as an avenue for trusted publishing into PyPI. Still WIP, but sharing early for feedback 🙏