Hardening publishing pipeline #16

Merged: josejimenezluna merged 4 commits into main from ms/hard-pipeline on Jun 12, 2026

josejimenezluna (Contributor) commented Jun 12, 2026

Rotate CONDA_TOKEN secret, add environment guard to conda.yml workflow, restrict who can trigger the release workflow.

temporaer (Collaborator) left a comment

Maybe better:

```yaml
name: conda

on:
  release:
    types:
      - published

permissions:
  contents: read

jobs:
  build-linux:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash -l {0}
    steps:
      - uses: actions/checkout@v4

      - uses: conda-incubator/setup-miniconda@v3
        with:
          activate-environment: molskill
          environment-file: environment.yml
          condarc-file: conda-recipe/.condarc
          python-version: 3.9
          auto-activate-base: false

      - name: Build conda package
        run: |
          conda info
          conda install conda-build anaconda-client boa --yes
          boa build conda-recipe/

      - name: Collect packages
        run: |
          mkdir -p dist-conda
          find "$CONDA_PREFIX/../conda-bld" \
            \( -name '*.conda' -o -name '*.tar.bz2' \) \
            -type f \
            -print \
            -exec cp {} dist-conda/ \;

      - uses: actions/upload-artifact@v4
        with:
          name: conda-packages-linux
          path: dist-conda/*

  publish:
    needs: build-linux
    environment: conda-release
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: conda-packages-linux
          path: dist-conda

      - uses: conda-incubator/setup-miniconda@v3
        with:
          auto-activate-base: true

      - name: Install uploader
        run: conda install anaconda-client --yes

      - name: Publish to Anaconda
        env:
          ANACONDA_API_TOKEN: ${{ secrets.ANACONDA_API_TOKEN }}
        run: |
          shopt -s nullglob
          for pkg in dist-conda/*.conda dist-conda/*.tar.bz2; do
            anaconda -t "${ANACONDA_API_TOKEN}" upload -u msr-ai4science "${pkg}"
          done
```

This way, if malicious code in the build step infects your runtime environment, it won't be able to leak the token later.
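
An added example, not part of the original comment or the project's code: a small Python check for the two properties discussed in this PR, that any job referencing `secrets.*` sits behind an `environment:` guard and does not also run the build. The function `audit_jobs`, the `RULES` table, the `BUILD_MARKERS` heuristic and both workflow skeletons are constructed for illustration.

```python
import re

BUILD_MARKERS = ("boa build", "conda build")  # heuristic for build steps (assumption)
RULES = (("env", False, "secret without environment guard"),
         ("builds", True, "secret in the job that runs the build"))

def audit_jobs(text):
    """Indentation scan of a 2-space workflow (not a full YAML parser): job id -> findings."""
    jobs, cur, in_jobs = {}, None, False
    for line in text.splitlines():
        body, indent = line.strip(), len(line) - len(line.lstrip())
        if not body or body.startswith("#"):
            continue
        if indent == 0:
            in_jobs, cur = body == "jobs:", None
        elif in_jobs and indent == 2 and body.endswith(":"):
            cur = body[:-1]  # new job id
            jobs[cur] = {"secrets": False, "env": False, "builds": False}
        elif cur:
            job = jobs[cur]
            job["env"] |= indent == 4 and body.startswith("environment:")
            job["secrets"] |= bool(re.search(r"\$\{\{\s*secrets\.", body))
            job["builds"] |= any(marker in body for marker in BUILD_MARKERS)
    return {name: found for name, job in jobs.items() if job["secrets"]
            and (found := [msg for key, bad, msg in RULES if job[key] == bad])}
# Constructed skeletons: WEAK builds and uploads in one job; SPLIT follows the review comment.
WEAK = """\
jobs:
  build-and-publish:
    steps:
      - run: boa build conda-recipe/
      - env:
          ANACONDA_API_TOKEN: ${{ secrets.ANACONDA_API_TOKEN }}
        run: anaconda -t "${ANACONDA_API_TOKEN}" upload dist-conda/*
"""
SPLIT = """\
jobs:
  build-linux:
    steps:
      - run: boa build conda-recipe/
  publish:
    environment: conda-release
    steps:
      - env:
          ANACONDA_API_TOKEN: ${{ secrets.ANACONDA_API_TOKEN }}
        run: anaconda -t "${ANACONDA_API_TOKEN}" upload dist-conda/*
"""
if __name__ == "__main__":
    print(audit_jobs(WEAK), audit_jobs(SPLIT))
```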

josejimenezluna merged commit 7a1bb67 into main on Jun 12, 2026
4 of 6 checks passed