Skip to content

Add python release build #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Jun 21, 2023
Merged

Add python release build #57

merged 18 commits into from
Jun 21, 2023

Conversation

wallies
Copy link
Collaborator

@wallies wallies commented Aug 7, 2022

No description provided.

@wallies
Copy link
Collaborator Author

wallies commented Aug 7, 2022

So what this does is adds SHAs as the github actions which is one of the steps the open security foundation. I used https://app.stepsecurity.io/ for this as this is the recommended approach by openssf.

The other thing this does is add a publish step on workflow dispatch, so manual run. We can change it to be based on tags if you wish

@fulmicoton
Copy link
Contributor

Thank you! let me see if I can find someone to review this

@kapilt
Copy link
Contributor

kapilt commented Sep 1, 2022

Re action locking, I’d rather see use of open source for security purposes.. https://github.com/sethvargo/ratchet is one such alternative. Use of such tool should be in its own pr, no commingled. It also avoids polluting every single job with extraneous steps. I’ll also note while it is a good practice, it is very rare in the wild to see action locking.

kapilt
kapilt reviewed Sep 1, 2022
View reviewed changes
@kapilt
Copy link
Contributor

kapilt commented Sep 1, 2022

It feels odd doing automation on a single old version of python on a single set of architecture, ideally this would be a matrix build with arch support for at least x86_64 and aarch64

@kapilt
Copy link
Contributor

kapilt commented Sep 1, 2022

I used https://app.stepsecurity.io/ for this as this is the recommended approach by openssf.

could you clarify where you see/found this recommendation?, the only reference I can find to it, is a pr announce from step security itself.

@wallies
Copy link
Collaborator Author

wallies commented Sep 1, 2022

I used https://app.stepsecurity.io/ for this as this is the recommended approach by openssf.

could you clarify where you see/found this recommendation?, the only reference I can find to it, is a pr announce from step security itself.

https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

@cjrh cjrh mentioned this pull request Sep 4, 2022
Closed
@Sidhant29
Copy link
Collaborator

@wallies is this PR good to go ?

@wallies
Copy link
Collaborator Author

wallies commented Mar 18, 2023

@Sidhant29 no needs to pull across changes from Kapiche fork

@kapilt
Copy link
Contributor

kapilt commented Mar 18, 2023 via email

@github-advanced-security
Copy link

You have successfully added a new CodeQL configuration /language:python. As part of the setup process, we have scanned this repository and found no existing alerts. In the future, you will see all code scanning alerts on the repository Security tab.

Sidhant29 pushed a commit to Sidhant29/tantivy-py that referenced this pull request Apr 17, 2023
@dependabot
build(deps): bump messense/maturin-action from 1.36.0 to 1.37.2 (quic…
3ae67cf 
…kwit-oss#57)

Bumps [messense/maturin-action](https://github.com/messense/maturin-action) from 1.36.0 to 1.37.2.
- [Release notes](https://github.com/messense/maturin-action/releases)
- [Commits](PyO3/maturin-action@7c85798...59e476b)

---
updated-dependencies:
- dependency-name: messense/maturin-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@wallies wallies merged commit c737b51 into quickwit-oss:master Jun 21, 2023
@wallies wallies deleted the github-action-wheels branch August 29, 2024 12:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kapilt kapilt kapilt left review comments

@cjrh cjrh cjrh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@wallies @fulmicoton @kapilt @Sidhant29 @cjrh