"Trusted publishers" on the Python Package Index
Instead, PyPI maintainers can configure PyPI to trust an identity provided by a given OpenID Connect Identity Provider (IdP). This allows PyPI to verify and delegate trust to that identity, which is then authorized to request short-lived, tightly-scoped API tokens from PyPI. These API tokens never need to be stored or shared, rotate automatically by expiring quickly, and provide a verifiable link between a published package and its source.
Posted Apr 22, 2023 20:40 UTC (Sat)
by stefanha (subscriber, #55072)
[Link] (3 responses)
I guess it prevents an exposed token from being used outside of the CI system?
Posted Apr 23, 2023 12:21 UTC (Sun)
by jtaylor (subscriber, #91739)
[Link] (2 responses)
As there are no shared secrets you also don't need to change any stored tokens when for example a project member leaves.
Posted Apr 28, 2023 6:13 UTC (Fri)
by LtWorf (subscriber, #124958)
[Link] (1 responses)
Posted Apr 28, 2023 15:51 UTC (Fri)
by jtaylor (subscriber, #91739)
[Link]
github itself will create the token and provide it to your action/job when it is run. The action then passes it on to PyPI which will verify that the token has been signed by a trusted source (with the public keys most likely from https://token.actions.githubusercontent.com/.well-known/o...) and that the signed token metadata matches what you configured in your PyPI project (github project, release environment etc.)
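A simplified model of the check described in the comment above, added here as an example that is not PyPI's or the pypi-publish action's own code. Real tokens are RS256 JWTs verified with keys fetched from the issuer's JWKS endpoint; to run offline without dependencies this example signs a constructed token with HMAC-SHA256 instead and replaces the key fetch with a dict keyed by `kid`, so the part actually demonstrated is matching the signed claims against the project's trusted-publisher configuration. The owner, repository, workflow and environment values are constructed.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://token.actions.githubusercontent.com"
AUDIENCE = "pypi"
# Constructed stand-in: the real verification keys come from the issuer's JWKS (RS256).
KEYS = {"kid-1": b"constructed-demo-key"}
# Constructed example of what a maintainer configures on the PyPI project.
PUBLISHER = {"owner": "example-org", "repository": "demo-pkg",
             "workflow": "release.yml", "environment": "pypi"}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, kid: str = "kid-1") -> str:
    """Stand-in for the token GitHub mints for the job (HS256 here, RS256 in reality)."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_token(token: str, publisher: dict = PUBLISHER, now=None) -> dict:
    """Check signature, issuer, audience and expiry, then the trusted-publisher match."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        raise ValueError("unknown signing key or algorithm")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        raise ValueError("wrong issuer/audience or expired")
    # The metadata GitHub signed into the token must match this project's configuration,
    # not merely prove that "some GitHub job" asked for a token.
    repo = f"{publisher['owner']}/{publisher['repository']}"
    if claims.get("repository") != repo:
        raise ValueError("token belongs to a different repository")
    # job_workflow_ref looks like owner/repo/.github/workflows/release.yml@refs/tags/v1.0
    if not claims.get("job_workflow_ref", "").startswith(f"{repo}/.github/workflows/{publisher['workflow']}@"):
        raise ValueError("token was minted by a different workflow file")
    if publisher.get("environment") and claims.get("environment") != publisher["environment"]:
        raise ValueError("token is not from the configured release environment")
    return claims
```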
Are you referring to https://github.com/marketplace/actions/pypi-publish#advan...
That section is indeed confusing but I assume it just states the action also supports password authentication if you can't use id tokens for your test pypi setup.