One example: for my personal Python projects, I use two GitHub Actions named `pypa/gh-action-pypi-publish` [0] and `sigstore/gh-action-sigstore-python` [1] to sign my wheels, publish my wheels to PyPI, and have PyPI attest (and publicly display via check mark [2]) that the uploaded package is tied to my GitHub identity.
How would I even begin migrating this to another forge?
And that’s just a small part of the pipeline.
This is only a small part, but FWIW: you don’t need gh-action-sigstore-python to do the signing; gh-action-pypi-publish will do it automatically for you now.
(Source: I maintain the former and contributed the attestations change to the latter.)
sigstore is not a GitHub Actions-specific tool; you can use the Python client with any CI/CD runner. You can attest with pypi-attestations and publish with twine.
When migrating, the steps don't have to use the same syntax and tools, but for each step you can identify the desired outcome and create it on a different CI/CD without actions from the GitHub Marketplace.
More importantly, you consciously decided to make your pipeline not portable by using GitHub Actions from the Marketplace. This is neither a requirement nor inevitable.
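The portable version of that pipeline, as an added example (not the commenter's code, and not any project's real config): a GitLab CI job that does what gh-action-pypi-publish does on GitHub in four explicit steps: build, sign with pypi-attestations (which drives sigstore-python using the runner's ambient OIDC identity), exchange the runner's OIDC token for a short-lived PyPI API token via Trusted Publishing, and upload with twine. The job name, image, tag rule, and the `id_tokens` variable names are assumptions, as is the version requirement (twine 5.1 or later for `--attestations`); it also assumes the PyPI project is already registered with this GitLab project as a Trusted Publisher.

```yaml
# .gitlab-ci.yml (added example; assumes the PyPI project is configured
# as a Trusted Publisher for this GitLab project and pipeline file)
publish:
  stage: deploy
  image: python:3.12
  rules:
    - if: $CI_COMMIT_TAG            # assumption: publish only from tags
  id_tokens:
    # GitLab mints OIDC tokens and exposes each as an env var with this name.
    # sigstore-python / pypi-attestations pick up SIGSTORE_ID_TOKEN
    # (audience "sigstore"); the `id` package reads PYPI_ID_TOKEN for
    # audience "pypi", which is what PyPI's token exchange expects.
    SIGSTORE_ID_TOKEN:
      aud: sigstore
    PYPI_ID_TOKEN:
      aud: pypi
  script:
    - python -m pip install --upgrade build twine pypi-attestations id
    # 1. Build sdist and wheel into dist/.
    - python -m build
    # 2. Sign each distribution with the runner's OIDC identity. This writes
    #    dist/<file>.publish.attestation next to each distribution; the
    #    signing certificate names the GitLab project and ref, which is the
    #    identity PyPI will later display.
    - pypi-attestations sign dist/*.whl dist/*.tar.gz
    # 3. Trusted Publishing: trade the GitLab OIDC token for a short-lived
    #    PyPI API token. PyPI only accepts attestations on uploads made with
    #    a token obtained this way, not with a long-lived manual API token.
    - oidc_token=$(python -m id pypi)
    - resp=$(curl --fail --silent -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\":\"${oidc_token}\"}")
    - api_token=$(echo "$resp" | python -c 'import json, sys; print(json.load(sys.stdin)["token"])')
    # 4. Upload the distributions; --attestations makes twine send the
    #    sibling .publish.attestation files along with each one.
    - twine upload --attestations -u __token__ -p "${api_token}" dist/*.whl dist/*.tar.gz
```

The two things that actually tie you to a forge here are the OIDC issuer (the identity embedded in the attestation and the publisher registered on PyPI) and the mechanism for exposing the token to the job; everything else is plain Python tooling and moves unchanged to any runner that can mint an OIDC token.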
[0]: https://github.com/marketplace/actions/pypi-publish
[1]: https://github.com/marketplace/actions/gh-action-sigstore-py...
[2]: https://pypi.org/project/itchcraft/