How many of you are publishing python packages to registries other than PyPI? I'm curious as I've only ever published to PyPI.
Toxygene 42 minutes ago [-]
At my job, we use AWS CodeArtifact to host a couple dozen internal libraries we use for Python and TypeScript projects. I suspect that this is a common use case for these kinds of artifact repositories.
neves 10 minutes ago [-]
what's your experience with AWS CodeArtifact? We are migrating to AWS and we are in doubt about using it or our internal Nexus server.
sergiolema 2 days ago [-]
Recently, I've been building a project in Python that doesn't have a Docker image as output. Instead, I need a runnable file. Why? Because I need to talk to the machine directly and not to Docker. Because I need to talk to the GPU drivers directly and not to another abstraction layer.
So, I needed to create a runnable file in Python. I needed to create a wheel file. All this with Poetry and integrate it into my CI/CD pipeline.
robertlagrant 2 hours ago [-]
Poetry has a command[0] to set a version in a pyproject.toml file. Why did you choose sed over that?
Someone needs to make a site like You Might Not Need jQuery but You Might Not Need Docker. It's unfortunate to me these days that putting everything into containers seems to be the default.
This is just a private PEP503 repository, your own private PyPI.
mountainriver 1 hours ago [-]
These aren’t normal containers, they are “artifacts” which are just the manifest and a single layer and a mime type.
OCI artifacts are one of the most under hyped technologies. Almost everyone already has an image registry, now that registry supports basically any kind of package and with nice versioning semantics.
Why wouldn’t you use it? I don’t want to auth again into something else and deal with different registries for every language I have.
jkingsman 21 minutes ago [-]
Definitely. OCI artifact repos are much closer to the Artifactories of yore (and today) than they are to "it's all docker".
Most major tech companies I've worked with have an internal OCI repo of some kind maintained; internal packages are available and external packages are cached (or blocklisted, in certain situations, which is its own flavor of helpful for security risks) and everything from Docker to Maven to Pip/Poetry/etc. Just Works.
Cedricgc 19 minutes ago [-]
The CUE configuration language uses OCI artifacts as the storage/distribution mechanism of its package manager
westurner 2 hours ago [-]
GCP Artifact Registry is an OCI Container Image Registry.
FWIW, though it may not be necessary for a plain Python package, "pypa/cibuildwheel" is the easy way to build a Python package for various platforms in CI.
SLSA.dev, Sigstore;
GitHub supports artifact attestations and storing attestations in an OCI Image store FWIU. Does GCP Artifact Registry support attestations?
So, I needed to create a runnable file in Python. I needed to create a wheel file. All this with Poetry and integrate it into my CI/CD pipeline.
[0] https://python-poetry.org/docs/cli/#version
https://cloud.google.com/artifact-registry/docs/python
This is just a private PEP503 repository, your own private PyPI.
OCI artifacts are one of the most under hyped technologies. Almost everyone already has an image registry, now that registry supports basically any kind of package and with nice versioning semantics.
Why wouldn’t you use it? I don’t want to auth again into something else and deal with different registries for every language I have.
Most major tech companies I've worked with have an internal OCI repo of some kind maintained; internal packages are available and external packages are cached (or blocklisted, in certain situations, which is its own flavor of helpful for security risks) and everything from Docker to Maven to Pip/Poetry/etc. Just Works.
It looks like there there are a few GitHub Actions for pushing container image artifacts to GCP Artifact Registry: https://github.com/marketplace?query=artifact+registry&type=...
FWIW, though it may not be necessary for a plain Python package, "pypa/cibuildwheel" is the easy way to build a Python package for various platforms in CI.
SLSA.dev, Sigstore;
GitHub supports artifact attestations and storing attestations in an OCI Image store FWIU. Does GCP Artifact Registry support attestations?
"Using artifact attestations to establish provenance for builds" https://docs.github.com/en/actions/security-for-github-actio...
That is one of the supported formats (and maybe most common), but not the only one.
https://cloud.google.com/artifact-registry/docs/supported-fo...
The Python one behaves just like PyPI, you just need to specify the URL provide credentials.