Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

oidc-exchange: warn on reusable workflow #306

Open
wants to merge 2 commits into
base: unstable/v1
Choose a base branch
from

Conversation

woodruffw
Copy link
Member

WIP; haven't tested this yet.

See #305 (comment).

Signed-off-by: William Woodruff <william@trailofbits.com>
@@ -95,6 +95,7 @@ repos:
WPS102,
WPS110,
WPS111,
WPS202,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NB: I disabled this check because it's noisy on what (IMO) are reasonable levels of complexity within files: it's unhappy that oidc-exchange.py contains 9 > 7 module members, but I think decomposing those members further would make the code harder, not easier to read.

I can re-enable this and figure out a workaround, but I figured I'd leave a rationale here 🙂

Copy link
Member

@webknjaz webknjaz Dec 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@woodruffw I prefer rationale as a code comment where it's disabled. Though, ideally, # noqas should be used in place rather than disabling rules globally. There's also per-file ignores in flake8. But if the complexity level is known to be higher across the project, there's --max-module-members that can be increased instead of disabling the rule too: https://wemake-python-styleguide.readthedocs.io/en/latest/pages/usage/violations/complexity.html#wemake_python_styleguide.violations.complexity.TooManyModuleMembersViolation

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As for decomposing the members, I don't think it'd make it harder to read. We just have to choose wisely. For example, the helpers for interfacing with GHA (like messages/warnings) could as well be put into a shared module that more scripts would reuse. This wouldn't make it harder to reason about.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For example, the helpers for interfacing with GHA (like messages/warnings) could as well be put into a shared module that more scripts would reuse. This wouldn't make it harder to reason about.

That's true, although in that case I think we need to switch to a whole package structure here, rather than just Python files in the repo root 🙂

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I was going to look into it at some point. Although, having it in the root as the first step isn't half-bad. We may need to set a PYTHONPATH or turn the invocation into a python -m modulename for it to be importable until the structure is changed.

oidc-exchange.py Outdated
@@ -161,13 +191,15 @@ def assert_successful_audience_call(resp: requests.Response, domain: str):
)


def render_claims(token: str) -> str:
def extract_claims(token: str) -> dict[str, typing.Any]:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would object work here?

Suggested change
def extract_claims(token: str) -> dict[str, typing.Any]:
def extract_claims(token: str) -> dict[str, object]:

I learned recently that MyPy docs recommend this instead of Any, whenever possible.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think so! TIL they recommend that, I've been using Any for years.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've been exposed to more MyPy things this year, between observing what the pytest and aiohttp co-maintainers do, and experimenting a lot with MyPy coverage reports which I didn't know were a thing a few years ago — I even started uploading those to Codecov and will hopefully bring that practice here.

@woodruffw could you also apply object to other places that I didn't explicitly mark?

For more information, see:

* https://docs.pypi.org/trusted-publishers/troubleshooting/#reusable-workflows-on-github
* https://github.com/pypa/gh-action-pypi-publish/issues/166
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking about asking the users to subscribe for updates. Can you think of some wording to communicated that?

Reusable workflows are **not currently supported** by PyPI's Trusted Publishing
functionality, and are subject to breakage. Users are **strongly encouraged**
to avoid using reusable workflows for Trusted Publishing until support
becomes official.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would

Suggested change
becomes official.
becomes official. Please, do not report bugs if this breaks.

make this message stronger?

# A reusable workflow is identified by having different values
# for its workflow_ref (the initiating workflow) and job_workflow_ref
# (the reusable workflow).
if claims.get('workflow_ref') == claims.get('job_workflow_ref'):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps, store these into vars and reuse below?

Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
@webknjaz
Copy link
Member

@woodruffw still WIP?

@woodruffw
Copy link
Member Author

Yes, sorry -- I haven't had the cycles to push this forwards recently. I'll try and circle back to it this coming week!

@webknjaz
Copy link
Member

No problem! Just trying to see if there's anything I should be doing here and if it's not forgotten :)

@webknjaz webknjaz added the enhancement New feature or request label Jan 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants