GitLab as Trusted Publisher for PyPI?

Dear all,
I’ve recently started a new position and my first task is packaging a Python tool developed by the team.
So first of all let me say thanks to Leah and to all the contributors to the pyOpenSci packaging guide, it really made my life easier! :pray:
The source of this project is hosted on gitlab.com.
Now I would like to automate the release process, and in the long term I would rather use a mechanism like a trusted publisher than tokens.
GitLab is not registered as a trusted publisher for now.

Does someone on this forum know if and how PyPI and GitLab may reach an agreement and implement the infrastructure to make GitLab a trusted publisher?
Note that I don’t know which kind of infrastructure is necessary for that, sorry if I am being naive…

Thanks for reading!
Chiara

2 Likes

let’s see if @pradyun can help us with this. i don’t think they are here so i’ll ask in slack but try to get a response here. i’m curious about your findings. @cmarmo i am working on a tutorial now but it’s GitHub-centric.

not to change the subject, but if you work through this with GitLab can we please use your project as a GitLab example? Also i’m curious why you chose GitLab (just curious)

Hi there! I have been summoned. :genie:

The relevant PyPI-side issue seems to be:

It is probably reasonable to ping over there and politely ask if this is something that’s still on the cards and whether there is existing funding to explore adding this support. To be clear, asking for an ETA from an unfunded group of volunteers is probably not going to be received well and PyPI has in the recent past had funding directed towards it by the PSF’s various fundraising initiatives.

If you do ask there, please also link back to this topic, for posterity and cross-linking fun. :slight_smile:

4 Likes

It will be an honor to be used as an example in your wonderful documentation! :blush:

The project is on GitLab because it is the product of a collaboration between people in universities who were using on-premises GitLab installations. When they decided to merge and share the code, the most effective solution seemed to be to migrate to GitLab, in order to keep the history, the links to issues and merge requests, tasks …

1 Like

Thank you @pradyunsg for your answer and for the link. :pray:
I’m going to dig a bit deeper in that direction … and yes I will link this discussion in any possible follow-up.

1 Like

@pradyunsg :genie: :laughing:
thank you so much for the guidance here!! :sparkles:

ok wonderful - thank you @cmarmo !! i think we can likely learn a bunch from your gitlab adventures!! :pyos_animated:

For posterity and cross-linking fun … :slightly_smiling_face: … I’m linking here the post announcing three new Trusted Publishers for PyPI

The discussion about self-hosted instances is still ongoing

A big thank you to all the people involved in the development of this feature! :pray:

I’d like to keep everyone posted here about some work the GitLab community is putting into the issue.
There is an open merge request that should open the path for a possible implementation of Trusted Publishing: Support self-hosted GitLab instances · Issue #15838 · pypi/warehouse · GitHub