Consider OIDC / Trusted Publishing for this (and other) OME repositories

[lubianat]

I was taking a look at https://github.com/pypa/gh-action-pypi-publish for #66 and noticed we use password authentication on this repository:

        uses: pypa/gh-action-pypi-publish@v1.8.14
        with:
          password: ${{ secrets.PYPI_PASSWORD }}

This seems to be the standard for all python packages in OME repositories, i.e.:
https://github.com/search?q=org%3Aome%20%24%7B%7B%20secrets.PYPI_PASSWORD%20%7D%7D&type=code

Including omero-web, omero-iviewer, omero-figure, omero-py and so on.

Using the Trusted Publishing mechanism (short lived token + config on PyPI) seems to provide several security/maintenance benefits and is the best practice on GitHub.

I am not sure on the burden to set it up, though. Maybe @pwalczysko would have thoughts there (for the larger OME ecosystem)?

We could pilot it for this repo. Set up on PyPI needs definitely high persmissions (in this case, @joshmoore).

[pwalczysko]

I am not sure on the burden to set it up, though. Maybe @pwalczysko would have thoughts there (for the larger OME ecosystem)?

Few things to consider:

1. Burden to maintain >>>>>> Burden to set it up. Does your suggested workflow need a frequent human intervention ? (...short lived token... sounds worrying)
2. Set up on PyPI - does your workflow mean that we will have to set it on each repo in the new way at the same time ? Or can there be some repos which are still on the previous style and some which are on the new one ?
3. Let us include @jburel in the discussion -> very probably he was involved in the original setup and did the planning.

[lubianat]

As far as I can tell:

(1) Token is short-lived but auto-generated every time, indefinetly, as the particular GitHub repository/workflow gets registered on PyPI. So only one set up needed for each repository.

(2) each repo should be able to update separately, as the Trusted Publishing system is configured per project

[pwalczysko]

(2) each repo should be able to update separately, as the Trusted Publishing system is configured per project

This clearly need an opinion from @joshmoore and @jburel . From this initial discussion, it looks like the main burden of setting things up would fall on them.

[pwalczysko]

This seems to be the standard for all python packages in OME repositories, i.e.: https://github.com/search?q=org%3Aome%20%24%7B%7B%20secrets.PYPI_PASSWORD%20%7D%7D&type=code

Including omero-web, omero-iviewer, omero-figure, omero-py and so on.

Found a template for it, https://github.com/ome/.github/blob/master/workflow-templates/publish_pypi.yml

[joshmoore]

I feel like I'm missing something here. Perhaps on call would be easier. I'm happy to configure things as necessary.

[pwalczysko]

I feel like I'm missing something here. Perhaps on call would be easier. I'm happy to configure things as necessary.

Sorry for the confusion, deleted my comments, they were regarding #66

[pwalczysko]

I feel like I'm missing something here. Perhaps on call would be easier. I'm happy to configure things as necessary.

Yes, happy to call on that one (== the big re-config of all repos).