Hello CIistas (I've just invented this term, probably not good, sorry).
Do we have something like encrypted secrets [0] for the Fedora CI?
I'd like to add CI tests for twine [1] that would:
- create a Python package named fedora-ci-canary, versioned as 0+<uuid> - upload the package to Test PyPI [2][3] - verify it is there
For this however, we would need to store credentials for a Test PyPI account. I don't mind if the credentials are compromised via malicious Pull Request (they are to a test environment only), but I don't feel comfortable to store them in git in plaintext (or obfuscated).
Thanks for hints.
[0] https://docs.travis-ci.com/user/encryption-keys/ [1] https://pypi.org/project/twine/ [2] https://test.pypi.org/ [3] https://packaging.python.org/guides/using-testpypi/
Hi,
On Tue, Apr 28, 2020 at 1:27 AM Miro Hrončok mhroncok@redhat.com wrote:
Hello CIistas (I've just invented this term, probably not good, sorry).
Sound like some worms or something :D
Do we have something like encrypted secrets [0] for the Fedora CI?
Unfortunately I am not aware of anything like this :(
I was trying to start a discussion with Packit folks about a similar use case, but seems there is no interest yet:
https://github.com/packit-service/packit-service/issues/400
It would be awesome if in the future we would have some solution for this, but I am not sure yet how would it exactly work. I would see somehow FAS involved ...
Any ideas are more than welcome ...
Best regards, /M
I'd like to add CI tests for twine [1] that would:
- create a Python package named fedora-ci-canary, versioned as 0+<uuid>
- upload the package to Test PyPI [2][3]
- verify it is there
For this however, we would need to store credentials for a Test PyPI account. I don't mind if the credentials are compromised via malicious Pull Request (they are to a test environment only), but I don't feel comfortable to store them in git in plaintext (or obfuscated).
Thanks for hints.
[0] https://docs.travis-ci.com/user/encryption-keys/ [1] https://pypi.org/project/twine/ [2] https://test.pypi.org/ [3] https://packaging.python.org/guides/using-testpypi/ -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok _______________________________________________ CI mailing list -- ci@lists.fedoraproject.org To unsubscribe send an email to ci-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/ci@lists.fedoraproject.org
On Tue, Apr 28, 2020 at 1:27 AM Miro Hrončok mhroncok@redhat.com wrote:
Hello CIistas (I've just invented this term, probably not good, sorry).
Do we have something like encrypted secrets [0] for the Fedora CI?
I'd like to add CI tests for twine [1] that would:
- create a Python package named fedora-ci-canary, versioned as 0+<uuid>
- upload the package to Test PyPI [2][3]
- verify it is there
For this however, we would need to store credentials for a Test PyPI account. I don't mind if the credentials are compromised via malicious Pull Request (they are to a test environment only), but I don't feel comfortable to store them in git in plaintext (or obfuscated).
Hi,
If you can use Zuul, there is support for secrets: https://zuul-ci.org/docs/zuul/reference/secret_def.html
If you choose this road, let me know and I'll help you setup your job. -- Fred - May the Source be with you
On 28. 04. 20 8:04, Frederic Lepied wrote:
On Tue, Apr 28, 2020 at 1:27 AM Miro Hrončok <mhroncok@redhat.com mailto:mhroncok@redhat.com> wrote:
Hello CIistas (I've just invented this term, probably not good, sorry). Do we have something like encrypted secrets [0] for the Fedora CI? I'd like to add CI tests for twine [1] that would: - create a Python package named fedora-ci-canary, versioned as 0+<uuid> - upload the package to Test PyPI [2][3] - verify it is there For this however, we would need to store credentials for a Test PyPI account. I don't mind if the credentials are compromised via malicious Pull Request (they are to a test environment only), but I don't feel comfortable to store them in git in plaintext (or obfuscated).Hi,
If you can use Zuul, there is support for secrets: https://zuul-ci.org/docs/zuul/reference/secret_def.html
If you choose this road, let me know and I'll help you setup your job.
Awesome, thanks. Zuul would work.
I'll prep the actual test and will get back to you with a WIP PR.
Alternatively, if you want to go the extra mile, you could also use Zuul to deploy a test PyPI server using devpi, set up a user and its credentials on the go, and test the upload process on the test PyPI server. This would prevent side effects like networking problems from interfering with your testing, and solve the credentials problem. Of course, if the point is to test the upload to test PyPI itself, disregard my comment. :)
On Tue, Apr 28, 2020 at 9:43 AM Miro Hrončok mhroncok@redhat.com wrote:
On 28. 04. 20 8:04, Frederic Lepied wrote:
On Tue, Apr 28, 2020 at 1:27 AM Miro Hrončok <mhroncok@redhat.com mailto:mhroncok@redhat.com> wrote:
Hello CIistas (I've just invented this term, probably not good,sorry).
Do we have something like encrypted secrets [0] for the Fedora CI? I'd like to add CI tests for twine [1] that would: - create a Python package named fedora-ci-canary, versioned as0+<uuid>
- upload the package to Test PyPI [2][3] - verify it is there For this however, we would need to store credentials for a Test PyPIaccount.
I don't mind if the credentials are compromised via malicious PullRequest
(they are to a test environment only), but I don't feel comfortable tostore them in
git in plaintext (or obfuscated).Hi,
If you can use Zuul, there is support for secrets: https://zuul-ci.org/docs/zuul/reference/secret_def.html
If you choose this road, let me know and I'll help you setup your job.
Awesome, thanks. Zuul would work.
I'll prep the actual test and will get back to you with a WIP PR.
-- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok _______________________________________________ CI mailing list -- ci@lists.fedoraproject.org To unsubscribe send an email to ci-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/ci@lists.fedoraproject.org
On 28. 04. 20 9:53, Matthieu Huin wrote:
Alternatively, if you want to go the extra mile, you could also use Zuul to deploy a test PyPI server using devpi, set up a user and its credentials on the go, and test the upload process on the test PyPI server. This would prevent side effects like networking problems from interfering with your testing, and solve the credentials problem. Of course, if the point is to test the upload to test PyPI itself, disregard my comment. :)
That is my backup plan, but I'd rather use a "real" testing PyPI in sch integration test. The unit tests already test against local PyPI-like things.
-
Frederic Lepied -
Matthieu Huin -
Miro Hrončok -
Miroslav Vadkerti