Remove pgp signing for pypi artifacts

[gaiksaya]

Is your feature request related to a problem? Please describe

PyPi recently announced that they will be Removing PGP from PyPI. See https://blog.pypi.org/posts/2023-05-23-removing-pgp/

Even though the upload is allowed it will be silently ignored.

Describe the solution you'd like

Remove https://github.com/opensearch-project/opensearch-build-libraries/blob/main/vars/publishToPyPi.groovy#L19-L23

Describe alternatives you've considered

Continue publishing but it will throw an error then the support is completely removed.

Additional context

No response

[prudhvigodithi]

[Untriage]
Yes we can remove the .asc signing after confirming that if the uploaded tar package with twine does have some signing handled by PyPi.

[gaiksaya]

Maybe remove PyPi library completely https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/

[rblcoder]

@gaiksaya Future implementation will be
https://docs.pypi.org/trusted-publishers/adding-a-publisher/
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi
as you have mentioned in opensearch-project/opensearch-build#3822

[zelinh]

Since Pypi no longer requires PGP signing, we plan to move the Pypi publishing from Jenkins to GHA.
According to my research, here are some steps:

• Added existing projects in our account to trusted publisher. https://docs.pypi.org/trusted-publishers/adding-a-publisher/
• Drafted GHA workflow yml with the same name we added in the step above.
• Use pypa/pypi-publish from https://github.com/marketplace/actions/pypi-publish to configure publishing.

[bbarani]

@zelinh can you please check all the repos publishing the signatures and create a campaign to on-board to new workflow?

[zelinh]

This task is completed. We have added onboarding doc here.

[gaiksaya]

We need to create a campaign for all existing pypi artifacts. Please keep this issue open until we have that.

We might also need to deprecate the library from the vars folder for upcoming versions.
Thanks!

[zelinh]

We need to create a campaign for all existing pypi artifacts. Please keep this issue open until we have that.

We might also need to deprecate the library from the vars folder for upcoming versions. Thanks!

I have created issue here in benchmark repo. opensearch-project/opensearch-benchmark#451

I think that's the only active pypi artifact we released using our jenkins library.

[gaiksaya]

I see few more: https://github.com/search?q=org%3Aopensearch-project+publishToPyPi&type=code
Maybe list down in this issue what are migrated to new process and remaining ones to be migrated.

[zelinh]

I see few more: https://github.com/search?q=org%3Aopensearch-project+publishToPyPi&type=code Maybe list down in this issue what are migrated to new process and remaining ones to be migrated.

We have addressed for migration on all repos from the link you shared. Not sure which else you talk about.

[gaiksaya]

If we have already migrated then we need to off-board all the repos. Remove webhooks to jenkins and related jenkins file from the repos.

[zelinh]

If we have already migrated then we need to off-board all the repos. Remove webhooks to jenkins and related jenkins file from the repos.

I think we should leave it to the repo owner. Neither of the team has released yet with the new onboarding GHA. We have done steps to help them onboard and they could remove it in the future since they won't be using it anymore.

[gaiksaya]

We will open new issue to track the lib removal and off-boarding existing components.