Automatic trusted publishing with PyPI

Cite

Related Material

EuroPython

Tuesca, Facundo

Formal Metadata

Title

Automatic trusted publishing with PyPI

Title of Series

EuroPython 2024

Number of Parts

131

Author

Tuesca, Facundo

Contributors

N. N. (Moderation)

License

CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this

Identifiers

10.5446/69406 (DOI)

Publisher

EuroPython

Release Date

2024

Language

English

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

PyPI added support for “Trusted Publishing” last year, allowing package maintainers to create releases directly from their GitHub Actions pipelines without having to worry about token management. Trusted Publishing removes long-lived API tokens from the equation, removing a threat vector for supply chain attacks. In this talk, we’ll go through the details of how this works, how maintainers can easily take advantage of it with minimal changes to their existing setup, and the ongoing effort in the last 12 months to add support for publishers other than GitHub, such as GitLab, Google, and ActiveState.