19 |
20 | ---
21 |
22 | ## Features
23 |
24 | * **:octocat: Github-hosted**
25 | * **🚀 Template ready to deploy**
26 | * **🔆 Easy to use** through Github Actions
27 | * **🚨 Secure** : Warns you if your package is vulnerable to supply chain attacks
28 |
29 | ## Description
30 |
31 | This repository is a Github page used as a PyPi index, conform to [PEP503](https://www.python.org/dev/peps/pep-0503/).
32 |
33 | You can use it to group all your packages in one place, and access it easily through `pip`, almost like any other package publicly available !
34 |
35 | ---
36 |
37 | _While the PyPi index is public, private packages indexed here are kept private : you will need Github authentication to be able to retrieve it._
38 |
39 | ## Try it !
40 |
41 | Visit [astariul.github.io/github-hosted-pypi/](http://astariul.github.io/github-hosted-pypi/) and try to install packages indexed there !
42 |
43 | ---
44 |
45 | Try to install the package `public-hello` :
46 | ```console
47 | pip install public-hello --extra-index-url https://astariul.github.io/github-hosted-pypi/
48 | ```
49 |
50 | It will also install the package `mydependency`, automatically !
51 |
52 | Try it with :
53 |
54 | ```python
55 | from public_hello import hi
56 | print(hi())
57 | ```
58 |
59 | You can also install a specific version :
60 |
61 | ```console
62 | pip install public-hello==0.1 --extra-index-url https://astariul.github.io/github-hosted-pypi/
63 | ```
64 |
65 | ---
66 |
67 | Now try to install the package `private-hello` :
68 | ```console
69 | pip install private-hello --extra-index-url https://astariul.github.io/github-hosted-pypi/
70 | ```
71 |
72 | _It will not work, because it's private and only me can access it !_
73 |
74 | ## Get started
75 |
76 | * Use this template and create your own repository :
77 |
78 |
79 |
80 |
81 |
82 | * Go to `Settings` of your repository, and enable Github Page
83 | * Customize `index.html` and `pkg_template.html` to your liking
84 | * You're ready to go ! Visit `.github.io/` to see your PyPi index
85 |
86 | ## Modify indexed packages
87 |
88 | Now that your PyPi index is setup, you can register / update / delete packages indexed.
89 | _Github actions are setup to do it automatically for you._
90 |
91 | You just have to :
92 | * Go to the `Actions` tab of your repository
93 | * Click the right workflow (`register` / `update` / `delete`) and trigger it manually
94 | * Fill the form and start the workflow
95 | * Wait a bit
96 | * Check the new PR opened (ensure the code added correspond to what you want)
97 | * Merge the PR
98 |
99 | ## FAQ
100 |
101 | #### Q. Is it secure ?
102 |
103 | As you may know, `pip` can install Github-hosted package if given in the form `pip install git+`. This PyPi index is just an index of links to other Github repository.
104 |
105 | Github pages are public, so this PyPi index is public. But it just contain links to other Github repositories, no code is hosted on this PyPi index !
106 |
107 | If the repository hosting code is private, you will need to authenticate with Github to be able to clone it, effectively making it private.
108 |
109 | ---
110 |
111 | If you wonder more specifically about supply chain attacks, check [the section about it](#a-word-about-supply-chain-attacks) !
112 |
113 | #### Q. What happen behind the scenes ?
114 |
115 | When running `pip install --extra-index-url https://astariul.github.io/github-hosted-pypi/`, the following happen :
116 |
117 | 1. `pip` will look at `https://pypi.org/`, the default, public index, trying to find a package with the specified name.
118 | 2. If it can't find, it will look at `https://astariul.github.io/github-hosted-pypi/`.
119 | 3. If the package is found there, the link of the package is returned to `pip` (`git+@`).
120 | 4. From this link, `pip` understand it's a Github repository and will clone the repository (at the specific tag) locally.
121 | 5. From the cloned repository, `pip` install the package.
122 | 6. `pip` install any missing dependency with the same steps.
123 |
124 | _Authentication happen at step 4, when cloning the repository._
125 |
126 | #### Q. What are the best practices for using this PyPi index ?
127 |
128 | The single best practice is using Github releases. This allow your package to have a version referred by a specific tag.
129 | To do this :
130 |
131 | * Push your code in a repository.
132 | * Create a new Github release. Ensure you follow [semantic versioning](https://semver.org/). It will create a tag.
133 | * Ensure you can install the package with `pip install git+@`
134 | * When putting the package on this index, put the full link (`git+@`).
135 |
136 | #### Q. What if the name of my package is already taken by a package in the public index ?
137 |
138 | You can just specify a different name for your indexed package. Just give it a different name in the form when registering it.
139 |
140 | For example if you have a private package named `tensorflow`, when you register it in this index, you can name it `my_cool_tensorflow`, so there is no name-collision with the public package `tensorflow`.
141 | Then you can install it with `pip install my_cool_tensorflow --extra-index-url https://astariul.github.io/github-hosted-pypi/`.
142 |
143 | Then from `python`, you can just do :
144 | ```python
145 | import tensorflow
146 | ```
147 |
148 | ---
149 |
150 | **But be careful about this !** While it's possible to handle it like this, it's always better to have a unique name for your package, to avoid confusion but also for [security](#a-word-about-supply-chain-attacks) !
151 |
152 | #### Q. How to download private package from Docker ?
153 |
154 | Building a Docker image is not interactive, so there is no prompt to type username and password.
155 | Instead, you should put your Github credentials in a `.netrc` file, so `pip` can authenticate when cloning from Github.
156 | To do this securely on Docker, you should use Docker secrets. Here is a quick tutorial on how to do :
157 |
158 | **Step 1** : Save your credentials in a secret file. Follow this example :
159 |
160 | ```
161 | machine github.com
162 | login
163 | password
164 | ```
165 |
166 | ⚠️ _Syntax is important : ensure you're using **tabulation**, and the line endings are **`\n`**.
167 | So careful if you're using a IDE that replace tabs by spaces or if you're on Windows (where line endings are `\r\n`) !_
168 |
169 | Let's name this file `gh_auth.txt`.
170 |
171 | **Step 2** : Create your Docker file. In the docker file you should mount the secret file in `.netrc`, and run the command where you need authentication. For example :
172 |
173 | ```dockerfile
174 | # syntax=docker/dockerfile:experimental
175 | FROM python:3
176 |
177 | RUN --mount=type=secret,id=gh_auth,dst=/root/.netrc pip install --extra-index-url https://astariul.github.io/github-hosted-pypi/
178 | ```
179 |
180 | **Step 3** : Build your Docker image, specifying the location of the secret created in step 1 :
181 |
182 | `sudo DOCKER_BUILDKIT=1 docker build --secret id=gh_auth,src=./gh_auth.txt .`
183 |
184 | ---
185 |
186 | **_If you have any questions or ideas to improve this FAQ, please open a PR / blank issue !_**
187 |
188 | ## A word about supply chain attacks
189 |
190 | As you saw earlier, this github-hosted PyPi index rely on the `pip` feature `--extra-index-url`. Because of how this feature works, it is vulnerable to supply chain attacks.
191 |
192 | For example, let's say you have a package named `fbi_package` version `2.8.3` hosted on your private PyPi index.
193 |
194 | An attacker could create a malicious package with the same name and a higher version (for example `99.0.0`).
195 | When you run `pip install fbi_package --extra-index-url my_pypi_index.com`, under the hood `pip` will download the latest version of the package, which is the malicious package !
196 |
197 | ---
198 |
199 | While this repository makes it very convenient to have your own PyPi index, be aware that the page is public, therefore anyone can see which package name you're using and create a malicious package with this same name...
200 |
201 | That's why we included automated checks into this private PyPi index. Whenever you access the page of your package, PyPi API is called, and if a package with the same name and a higher version is found, the install command is replaced with a warning.
202 |
203 | You can see a demo of such warning at [https://astariul.github.io/github-hosted-pypi/transformers/](https://astariul.github.io/github-hosted-pypi/transformers/).
204 |
205 | If you see this warning, don't install the package ! Instead, change the name of your package or upgrade the version above its public counterpart.
206 |
207 | Be careful out there !
208 |
209 | ## Contribute
210 |
211 | Issues and PR are welcome !
212 |
213 | If you come across anything weird / that can be improved, please get in touch !
214 |
215 | ## References
216 |
217 | **This is greatly inspired from [this repository](https://github.com/ceddlyburge/python-package-server).**
218 | It's just a glorified version, with cleaner pages and github actions for easily adding, updating and removing packages from your index.
219 |
220 | Also check the [blogpost](https://www.freecodecamp.org/news/how-to-use-github-as-a-pypi-server-1c3b0d07db2/) of the original author !
221 |
222 | ---
223 |
224 | _Icon used in the page was made by [Freepik](https://www.flaticon.com/authors/freepik) from [Flaticon](https://www.flaticon.com/)_
225 |
--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
18 |
19 |
21 |
22 | Pypi - YourCompany
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 | YourCompany own PyPi
33 |
34 |
35 |
36 |
37 | Welcome to the private Python package index of YourCompany !
38 |
39 | You can install packages with :
40 |
80 | 
29 |