Switch everything touching PyPi to OpenID connect

[IAlibay]

The recommend workflow for uploading things to PyPi is now through OpenID connect.

I've yet to get to grips with the full pipeline for this, so I'll slowly start doing migrations.

There's a bunch of things I don't have keys for, so I'll be pinging folks for access or to update things themselves as things progress.

[IAlibay]

MDA direct repos to update:

• Core library - PR Update deploy things for py312 + OpenID Connect publishing #4325
  • MDAnalysis testpypi trusted publisher
  • MDAnalysis pypi trusted publisher
  • MDAnalysisTests testpypi trusted publisher
  • MDAnalysisTests pypi trusted publisher
• PyTNG - PR Add a deployment pipeline pytng#107
  • testpypi trusted publisher - @orbeckst or @hmacdope for access
  • pypi trusted publisher - @orbeckst or @hmacdope for access
• panedr / pyedr Update deploy action for OIDC panedr#72
  • testpypi trusted publisher: pyedr - we don't own this
  • testpypi trusted publisher: panedr - we don't own this
  • pypi trusted publisher: pyedr
  • pypi trusted publisher: panedr
• mda-xdrlib Update deployment for OIDC mda-xdrlib#9
  • testpypi trusted publisher
  • pypi trusted publisher
• griddataformats Update deploy for OIDC credentials GridDataFormats#136
  • testpypi trusted publisher
  • pypi trusted publisher
• mdanalysis-sphinx-theme Update deploy.yaml for OIDC mdanalysis-sphinx-theme#72
  • testpypi trusted publisher @lilyminium @orbeckst @IAlibay for access
  • pypi trusted publisher @lilyminium @orbeckst @IAlibay for access

MDAKits under the org:

• mdaencore - @IAlibay @orbeckst or @ianmkenney for access
• PathSimAnalysis (needs update to pypi-deployment) - @orbeckst or @ianmkenney @IAlibay for access Update deploy.yaml for OIDC credentials PathSimAnalysis#7
• waterdynamics (needs update to pypi-deployment) - @orbeckst or @ianmkenney @IAlibay for access Update deploy.yaml for OIDC waterdynamics#17

MDAKits under the org that don't have deployment workflows but we should still know who has access:

• membrane-curvature - @ojeda-e for access
• transport-anslysis - @hmacdope or @orionarcher for access
• solvation-anlysis - @orionarcher for access

[orbeckst]

Thanks for collecting the list and getting the process started. Let me know if you need anything. I don't know what one has to do in order to enable OpenID on PyPi.

[IAlibay]

Thanks for collecting the list and getting the process started. Let me know if you need anything. I don't know what one has to do in order to enable OpenID on PyPi.

I've not tried a deployment yet, but it's not that much work, you just need to know the right yaml file & environment - https://docs.pypi.org/trusted-publishers/adding-a-publisher/

[IAlibay]

@jbarnoud I don't have management access to panedr on pypi - could you add the trusted publisher or add me as a manager?

[jbarnoud]

I just made you owner on pypi.

…

On 27 October 2023 19:06:13 CEST, Irfan Alibay ***@***.***> wrote: @jbarnoud I don't have management access to `panedr` on pypi - could you add the trusted publisher or add me as a manager? -- Reply to this email directly or view it on GitHub: #4326 (comment) You are receiving this because you were mentioned. Message ID: ***@***.***>

[IAlibay]

I just made you owner on pypi.
…
On 27 October 2023 19:06:13 CEST, Irfan Alibay @.> wrote: @jbarnoud I don't have management access to panedr on pypi - could you add the trusted publisher or add me as a manager? -- Reply to this email directly or view it on GitHub: #4326 (comment) You are receiving this because you were mentioned. Message ID: @.>

Thanks!

[IAlibay]

Putting on my coredev hat for a second - there are at least a couple of sole ownership projects across the org, that's rather dangerous.

Could I ask that anything which we end up having maintenance of have at least two coredevs in charge?

Pinging @lilyminium for the sphinx theme and @orbeckst for pathsimanalysis and waterdynamics.

Not sure what the deal is with maintenance of membrane-curvature and solvation-analysis, pinging @ojeda-e and @orionarcher for discussion.

[orbeckst]

@IAlibay (as IAlibay) was invited for pathsimanalysis but the invite expired. I re-invited you for pathsimanalysis and also for waterdynamics.

[orbeckst]

Added more invites for IAlibay:

• pypi: pytng
• testpypi: waterdynamics, pathsimanalysis, mdaencore

There's no testpypi pytng. — do you want to create it @IAlibay ?

[IAlibay]

There's no testpypi pytng. — do you want to create it @IAlibay ?

Yes, it's a good opportunity to test out the next "anticipated publishing" portion of PyPi!

[IAlibay]

Ok I'm stopping at the core library upstream dependencies for now - we haven't tried an actual deployment beyond the pypi-deployment tests, so it's possible that all the PRs I've opened aren't 100% correct.

I propose we merge the PyTNG one and then do a release and see how that goes?

[orbeckst]

sounds good, 🤞

[IAlibay]

pytng went up fine - everything else should work (assuming no typos).

[lilyminium]

I added GH as a trusted publisher and also @IAlibay and @orbeckst as owners to mda-sphinx-theme on pypi and testpypi.

[orbeckst]

thanks!