validate-pyproject icon indicating copy to clipboard operation
validate-pyproject copied to clipboard
verified publisher icon abravalheri

TODO: Consider Trusted Publishing

Open abravalheri opened this issue 1 year ago • 0 comments

The benefits of PEP 740 are you get SigStore attestations for the artifacts on PyPI & there's no password or long-lived token to leak. You just set it up on PyPI and then use the action.

  • https://docs.pypi.org/trusted-publishers/
  • https://learn.scientific-python.org/development/guides/gha-pure/ (near bottom of page)
  • https://sethmlarson.dev/python-and-sigstore

Originally posted by @henryiii in https://github.com/abravalheri/validate-pyproject/pull/237#discussion_r1994044340

abravalheri avatar Mar 13 '25 18:03 abravalheri