Skip to content

Generalize trusted publishing emails #13872

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Jun 7, 2023
Merged

Generalize trusted publishing emails #13872

merged 7 commits into from
Jun 7, 2023

Conversation

woodruffw
Copy link
Member

This makes the trusted-publisher-added and
trusted-publisher-removed email structures a little more
generic, allowing them to be re-used over both
GitHub and Google publishers. Future publishers will require
additional accommodations.

See #13551.

Signed-off-by: William Woodruff [email protected]

woodruffw added 2 commits June 5, 2023 23:59
@woodruffw
oidc/models/google: add missing members
ebb4ad8 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
tests, warehouse: general publishing emails
c3cfc1b 
This makes the `trusted-publisher-added` and
`trusted-publisher-removed` email structures a little more
generic, allowing them to be re-used over both
GitHub and Google publishers. Future publishers will require
additional accommodations.

See pypi#13551.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw requested a review from a team as a code owner June 6, 2023 04:30
@woodruffw woodruffw mentioned this pull request Jun 6, 2023
Closed
8 tasks
@woodruffw woodruffw self-assigned this Jun 6, 2023
woodruffw
woodruffw commented Jun 6, 2023
View reviewed changes
di
di approved these changes Jun 6, 2023
View reviewed changes
Copy link
Member

@di di left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM aside from that one comment.

warehouse/oidc/models/google.py Outdated
Comment on lines 84 to 85
def publisher_url(self, claims=None):
return "https://accounts.google.com"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For GitHub, this ends up being a link to a specific repository or SHA. I'm not sure this is useful for Google accounts. If these were always true Google accounts, we could link to https://accounts.google.com/[email protected], but I don't think that will work for service accounts.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, there may not be a great URL here. Perhaps we could link to Google's OIDC docs instead?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should really only provide this if it's specific to the identity used. I think it's probably fine for this to return None for now, and for the templates to handle this accordingly.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good, will update.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, updated -- I updated a handful of the uses of publisher_url() to prepare them for providers where it'll be None, but some rendering uses will require a more in-depth look with the view/form changes (e.g. the trusted publisher table on each user/project).

woodruffw added 2 commits June 6, 2023 09:52
@woodruffw
warehouse: make publisher_url optional
f2c721a 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
warehouse: make translations
f817a6f 
Signed-off-by: William Woodruff <[email protected]>
@di
Copy link
Member

di commented Jun 6, 2023

@woodruffw You've got a failing test here now.

@woodruffw
Copy link
Member Author

@woodruffw You've got a failing test here now.

Thanks, fixed!

@di di enabled auto-merge (squash) June 7, 2023 15:20
@di di merged commit 89d8458 into pypi:main Jun 7, 2023
@di di deleted the tob-google-publisher-emails branch June 7, 2023 15:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@di di di approved these changes

Assignees

@woodruffw woodruffw

Labels
trusted-publishing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@woodruffw @di