Add permissions note to README.md #205
Conversation
There was a problem hiding this comment.
Thank you for wanting to help! However, I passionately disagree with suggesting unsafe ideas to the end users. Perhaps, a note explaining the dangers of the privilege escalation would be a better improvement to this document.
I'm going to close this pull request, but would be open to improvements related to explaining why building must be separate from uploading, in this document and/or
https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/.
| @@ -55,6 +55,7 @@ jobs: | |||
| url: https://pypi.org/p/<your-pypi-project-name> | |||
| permissions: | |||
| id-token: write # IMPORTANT: this permission is mandatory for trusted publishing | |||
| # NOTE: setting this permission will remove all other permissions. If you need to do a actions/checkout, for example, you will need to set the "contents" permission to "read" | |||
There was a problem hiding this comment.
The only steps in this job must be downloading the pre-built dists and uploading them. Invoking git clone implies that one would perform building right in this job, which is a dangerous idea due to opening up an attack surface for the privilege escalation through dependency poisoning.
I got stuck on this for a little bit. It's not super clear that setting some of the permissions will reset the remainder, so a note like this would be helpful!