
[CI/CD] Insecure pypi-publish setup and other packaging problems #22


Open
webknjaz opened this issue Feb 20, 2025 · 0 comments


@webknjaz
Member

Here are two immediate problems I noticed:

  1. `python -m build` is invoked in a job with access to OIDC. This is an attack surface for workflow identity impersonation through transitive build deps with possible privilege elevation on external systems.
  2. `--sdist --wheel` are passed to pypa/build, which makes it create both artifacts from the Git checkout. The installers actually build sdist from wheel and not from Git. These args should be dropped and pypa/build will exercise the same flow automatically, and this will be a good smoke test for whether anything is missing from sdist (Git -> sdist -> wheel).
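
An added example, not part of the issue and not the project's own workflow: one way to lay out a release workflow so that both points above are addressed. The workflow name, trigger, job names, artifact name, Python version and the `pypi` environment name are assumptions.

```yaml
# Hypothetical release workflow; names and trigger are assumptions.
name: release

on:
  release:
    types: [published]

# Default for every job: read-only repository access, no OIDC token.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No `id-token: write` here. Build backends and their transitive
    # dependencies execute in this job, so it must not be able to
    # request an OIDC token for the workflow identity.
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install build
      # No --sdist/--wheel: pypa/build creates the sdist from the checkout,
      # then builds the wheel from that sdist (Git -> sdist -> wheel).
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi  # assumed environment name
    permissions:
      id-token: write  # OIDC is granted only to the job that uploads
    steps:
      # Only prebuilt artifacts are fetched; no project code or build
      # dependency runs in the job that holds the OIDC permission.
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```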