Switch to Trusted Publishing for package upload to PyPI in CI

[lmmx]

Trusted publishing (with attestations) is currently suggested as good practice to ensure confidence that what users download from PyPI is the same artifact that was generated in GitHub CI, meaning that what I see in GitHub is the same as what is installed - handy for auditing. It also avoids the presence of PyPI tokens as 'secrets' in the CI, which can be exfiltrated by bad actors.

Following the recent litellm supply chain attack this week, I would like to express my support for this^*. The httptools package is one of 16 packages in the top 500 PyPI packages (by downloads) which use the pypa/gh-action-pypi-publish action but have not yet upgraded it to use Trusted Publishing: this is 'low hanging fruit' in terms of making Python a more secure programming environment.

Instead of using the stored secret token, GitHub vouches for the upload, and PyPI checks the uploading CI workflow filename against a pre-declared filename you set ahead of time (in httptools's case the filename is release.yml). It also requires creating an 'environment' for the repo on GitHub (suggested name "pypi") which you also register the package with on PyPI.

^* Post-mortems of the litellm attack:

1. https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/
2. https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/

Implementation (click to expand)

• Configure (or use an existing) GitHub environment, and register with PyPI

• Add the environment definition to the same publish job

• Add id-token: write, contents: write and packages: write permissions to the same publish job

  • specifying any permission restricts the token, and creating a GitHub release requires contents: write and potentially packages: write

• Remove password argument in the Upload to PyPI step of the publish job of the Release CI workflow

• Optionally remove the PYPI_API_TOKEN project secret