Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CD pipeline no longer works because of PyPi attestations enforcement for reusable workflow #12179

Closed
amaltaro opened this issue Nov 22, 2024 · 1 comment · Fixed by #12180, #12177 or #12178
Closed

CD pipeline no longer works because of PyPi attestations enforcement for reusable workflow #12179

amaltaro opened this issue Nov 22, 2024 · 1 comment · Fixed by #12180, #12177 or #12178
Assignees
@amaltaro @mapellidario
Labels
CI/CD

Comments

@amaltaro
Copy link
Contributor

Impact of the bug
WMCore in general

Describe the bug
We made a new tag yesterday and noticed that the CD pipeline failed to authenticate our package against PyPi, as seen in these logs:
https://github.com/dmwm/WMCore/actions/runs/11956233634/job/33390661595#step:8:182

This seems to be a recent (~3 weeks) change in PyPi; and we need to update our github action workflow to take this into consideration.

How to reproduce it
Just make a new WMCore tag with the current (reusable) CD workflow.

Expected behavior
Upon a new tag, all the expected WMCore packages should be built and uploaded to PyPi without any errors (in addition to the remaining CD pipeline actions).

We have tried many things so far, so probably what is left now is to transform our PyPi workflow from reusable to non-reusable.

Additional context and error message
History of events to try to resolve it:

  • 2.3.8rc1: we spotted this issue
  • 2.3.8rc2: we had a new trusted publisher configured in every single project in PyPi
  • 2.3.8rc3: we adopted an "attestation" step in our CD pipeline.
  • 2.3.8rc4: we enabled write access to store the attestation (which should have been provided in the previous tag).
@amaltaro amaltaro added the CI/CD label Nov 22, 2024
@amaltaro amaltaro moved this to In Progress in WMCore quarterly developments Nov 22, 2024
@mapellidario
Copy link
Member

mapellidario commented Nov 22, 2024
edited
Loading

We are not the only ones to face this problem [1].

Apparently it is a combination of many factors:

  • we use trusted publishing to pypi
  • pypi started supporting digital attestations
  • we use the github action github.com/pypa/gh-action-pypi-publish , which started enforcing digital attestations
  • we have a reusable workflow in our github actions to build and publish our packages to pypi
  • pypi does not properly support trusted publishing in reusable workflows [2] and it is suggested to use only non-reusable workflows [3]

Alan made some experiments with his own repo [4], but we are still not sure if we can

I would suggest to stop using the reusable workflow pypi_build_publish_template.yaml and move those steps in the parent workflow, replacing this uses:. Our github actions would be less clean and tidy, but at least they would be more compatible with the external tools that we use (aka pypi). [edit] thanks alan for #12180, it is exactly what i had in mind :)

[1] pypa/gh-action-pypi-publish#283
[2] pypi/warehouse#11096
[3] pypa/gh-action-pypi-publish#283 (comment)
[4] https://github.com/amaltaro/TestActions/actions

@amaltaro amaltaro mentioned this issue Nov 22, 2024
Merged
@github-project-automation github-project-automation bot moved this from In Progress to Done in WMCore quarterly developments Nov 22, 2024
This was referenced Nov 25, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@amaltaro amaltaro

@mapellidario mapellidario

Labels
CI/CD
Projects
WMCore quarterly developments
Status: Done
Milestone
No milestone
2 participants
@amaltaro @mapellidario