|
| 1 | +# Trusted Publishing for artifact packages |
| 2 | +## |
| 3 | + |
| 4 | +Trusted publishing uses [OpenID Connect (OIDC)](https://openid.net/connect/) to publish artifact packages directly from your |
| 5 | +CI/CD workflows without the need for long-lived API credentials. Trusted publishing is an [industry standard](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) |
| 6 | +defined by the Open Source Security Foundation (OpenSSF) and implemented by various package registries that host package artifacts like PyPI and RubyGems. |
| 7 | + |
| 8 | +## How does it work? |
| 9 | + |
| 10 | +OIDC identity providers (in this context CI services like GitHub Actions), can issue short-lived credentials (OIDC tokens), that Private Packagist can verify came from a trusted CI service run. |
| 11 | +Organizations on Private Packagist can configure a trusted publisher to trust a workflow in a repository to publish a package. |
| 12 | +The workflow sends an OIDC token to Private Packagist, where the token is matched against configured trusted publishers. |
| 13 | +If there is a match, Private Packagist will issue a short-lived API credential with limited scope. |
| 14 | +The issued API credential is valid for 15 minutes and can only access endpoints required to publish the artifact. |
| 15 | + |
| 16 | +## Supported CI/CD providers |
| 17 | + |
| 18 | +Private Packagist currently supports the following CI/CD providers: |
| 19 | +* GitHub Actions |
| 20 | + |
| 21 | +## Configure trusted publishing |
| 22 | + |
| 23 | +Organization owners and admins can configure a trusted publisher on the API access settings page. A configured trusted publisher |
| 24 | +will allow one package to be published from a single CI/CD workflow. If a repository publishes multiple packages or if a |
| 25 | +package gets published from multiple workflows or repositories, then multiple publishers need to be configured. |
| 26 | + |
| 27 | +If you previously used API credentials to interact with the Private Packagist API to upload artifacts, make sure you take |
| 28 | +a look at the API credentials section on the same page to see if you have any credentials that are no longer needed. |
| 29 | + |
| 30 | +### GitHub Actions |
| 31 | + |
| 32 | +Fill in the form fields to configure the publisher: |
| 33 | +* Package name: The name of the existing package or the package that will be created when this publisher is used. |
| 34 | +* Owner name: The GitHub user or organization name that owns the repository. |
| 35 | +* Repository name: The name of the GitHub repository that contains the publishing workflow. |
| 36 | +* Continuous integration file: The filename of the publishing workflow, e.g. `publish.yaml`. The file must exist in the `.github/workflows/` directory. |
| 37 | +* Continuous integration environment name (optional): The name of the [GitHub Actions environment](https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/manage-environments) that the workflow uses. |
| 38 | + |
| 39 | +## Configure your CI/CD workflow |
| 40 | + |
| 41 | +### GitHub Actions |
| 42 | + |
| 43 | +Private Packagist provides a GitHub Action [packagist/artifact-publish-github-action](https://github.com/packagist/artifact-publish-github-action), |
| 44 | +that takes care of publishing the artifact for you. Just build the artifact and hand its path over to the action. The action |
| 45 | +requires the `id-token: write` permission to generate OIDC tokens, more info about this in [GitHub's OIDC documentation](https://docs.github.com/en/actions/concepts/security/openid-connect). |
| 46 | + |
| 47 | +```yaml |
| 48 | +name: Private Packagist Publish Artifact |
| 49 | + |
| 50 | +on: # Define when to run this workflow, e.g. when a new tag is pushed |
| 51 | + |
| 52 | +permissions: |
| 53 | + id-token: write # Required for OIDC |
| 54 | + contents: read # Required to checkout the repository |
| 55 | + |
| 56 | +jobs: |
| 57 | + publish_artifact: |
| 58 | + runs-on: "ubuntu-latest" |
| 59 | + |
| 60 | + steps: |
| 61 | + - uses: actions/checkout@v5 |
| 62 | + |
| 63 | + # Create your artifact file here |
| 64 | + |
| 65 | + - name: "Publish artifact" |
| 66 | + uses: packagist/artifact-publish-github-action@v1 |
| 67 | + with: |
| 68 | + package_name: 'acme/package' |
| 69 | + organization_url_name: 'acme-org' |
| 70 | + artifact: '/full/path/to/artifact.zip' |
| 71 | +``` |
| 72 | +
|
0 commit comments