
"Trusted publishers" on the Python Package Index

Posted Apr 22, 2023 20:40 UTC (Sat) by stefanha (subscriber, #55072)
Parent article: "Trusted publishers" on the Python Package Index

Can someone explain the practical advantages compared to storing a token in GitHub secrets?

I guess it prevents an exposed token from being used outside of the CI system?


to post comments

"Trusted publishers" on the Python Package Index

Posted Apr 23, 2023 12:21 UTC (Sun) by jtaylor (subscriber, #91739) [Link] (2 responses)

Generally you could still use these tokens outside of the CI system, but compared to long-lived stored API tokens, the OpenID Connect token is very short-lived. So if you accidentally leak it, for example in a job log, it's not as big a problem, as it usually will be expired by the time anyone would see it.

As there are no shared secrets, you also don't need to change any stored tokens when, for example, a project member leaves.

"Trusted publishers" on the Python Package Index

Posted Apr 28, 2023 6:13 UTC (Fri) by LtWorf (subscriber, #124958) [Link] (1 responses)

But per their example you still need to use GitHub secrets to store the credentials to log in and obtain a short-lived token…

"Trusted publishers" on the Python Package Index

Posted Apr 28, 2023 15:51 UTC (Fri) by jtaylor (subscriber, #91739) [Link]

I don't see that in the example?
Are you referring to https://github.com/marketplace/actions/pypi-publish#advan...
That section is indeed confusing, but I assume it just states that the action also supports password authentication if you can't use ID tokens for your Test PyPI setup.

GitHub itself will create the token and provide it to your action/job when it is run. The action then passes it on to PyPI, which will verify that the token has been signed by a trusted source (with the public keys most likely from https://token.actions.githubusercontent.com/.well-known/o...) and that the signed token metadata matches what you configured in your PyPI project (GitHub project, release environment, etc.).
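The claim matching described in the comment above, as an added example that is not code from this thread, from PyPI or from the pypi-publish action: it decodes a constructed, unsigned token and checks issuer, audience, expiry and the repository/workflow/environment claims against an assumed trusted-publisher configuration. The claim names follow GitHub's OIDC tokens; the project values are constructed, and the signature check against the issuer's published keys is deliberately left out.

```python
"""Claim checks a PyPI-style trusted publisher performs on a GitHub OIDC token."""
import base64
import json
import time

# Assumed trusted-publisher configuration (constructed for this example).
TRUSTED_PUBLISHER = {
    "repository": "example-org/example-pkg",
    "workflow_ref_prefix": "example-org/example-pkg/.github/workflows/release.yml@",
    "environment": "pypi",
}
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "pypi"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the JWT payload as a dict. This does NOT verify the signature;
    a real verifier must first check it against the issuer's JWKS."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_claims(claims, now=None):
    """Return the reasons a token must be rejected (an empty list means accept)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        problems.append("token not minted for this audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired")
    if claims.get("repository") != TRUSTED_PUBLISHER["repository"]:
        problems.append("repository mismatch")
    ref = str(claims.get("job_workflow_ref", ""))
    if not ref.startswith(TRUSTED_PUBLISHER["workflow_ref_prefix"]):
        problems.append("workflow mismatch")
    if claims.get("environment") != TRUSTED_PUBLISHER["environment"]:
        problems.append("environment mismatch")
    return problems


def make_unsigned_token(claims):
    """Build a constructed JWT with a placeholder signature, for the example only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```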


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds