Breakout from #12465, which is closed now that the MVP is done.
The current trusted publisher implementation for GitHub supports an optional environment name which, if supplied, can be used to additionally constrain the corresponding GitHub Actions workflow to only run after explicit approval (among other possible restrictions).
Some users have indicated a desire for a similar optional tag pattern, which would then allow them to use tag protection rules. These would be similar in security model to the existing environment name support, but would make trusted publishers applicable to a larger number of CI-based publishing workflows without requiring them to loosen their protection rules.
Some design constraints:
We should make sure the role/value of tag patterns and/or environment names is communicated clearly, both on the publisher management pages and in the PyPI docs;
We should make it hard for users to shoot themselves in the foot with tag patterns, e.g. we should almost certainly reject patterns like * as effectively useless.
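As an added illustration of the second constraint (this is not Warehouse's code, and the function names, the fnmatch-style glob syntax and the length bound are all assumptions): a validator that rejects wildcard-only patterns such as `*`, plus a matcher that checks a GitHub OIDC `ref` claim against an accepted pattern.

```python
"""Hypothetical tag-pattern validation for a trusted publisher (added example)."""
import fnmatch
import re

# Constructed rule: a pattern must contain at least one literal character, so
# wildcard-only patterns such as "*", "**" or "?*" (which match every tag and
# therefore add no protection) are rejected.
_WILDCARD_ONLY = re.compile(r"^[*?]+$")
# Hypothetical upper bound on pattern length, assumed for illustration.
_MAX_PATTERN_LEN = 255


def validate_tag_pattern(pattern: str) -> str:
    """Return the pattern unchanged if acceptable; raise ValueError otherwise."""
    if not isinstance(pattern, str) or not pattern:
        raise ValueError("tag pattern must be a non-empty string")
    if len(pattern) > _MAX_PATTERN_LEN:
        raise ValueError("tag pattern is too long")
    if pattern.startswith("refs/"):
        raise ValueError("give the tag name (e.g. v*), not the full ref")
    if any(ch.isspace() for ch in pattern):
        raise ValueError("tag pattern must not contain whitespace")
    if _WILDCARD_ONLY.match(pattern):
        raise ValueError(f"pattern {pattern!r} matches every tag and is useless")
    return pattern


def is_valid_tag_pattern(pattern: str) -> bool:
    """Boolean convenience wrapper around validate_tag_pattern()."""
    try:
        validate_tag_pattern(pattern)
    except ValueError:
        return False
    return True


def ref_matches_tag_pattern(ref: str, pattern: str) -> bool:
    """True if the OIDC `ref` claim names a tag that matches `pattern`.

    The pattern is re-validated here so a stored "*" can never slip through.
    """
    validate_tag_pattern(pattern)
    prefix = "refs/tags/"
    if not ref.startswith(prefix):
        return False  # branch refs (refs/heads/...) never satisfy a tag constraint
    tag = ref[len(prefix):]
    # fnmatchcase keeps the comparison case-sensitive; "/" is an ordinary
    # character here, which is assumed to mirror tag protection rule semantics.
    return fnmatch.fnmatchcase(tag, pattern)
```

The matcher runs only after the environment-independent checks a publisher already performs (repository, workflow filename, and so on); it adds a constraint rather than replacing one.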