
Applying Trusted Publisher

Open darjeeling opened this issue 7 months ago • 0 comments

Applying Trusted Publisher to your PyPI projects is strongly recommended for the following reasons:

  • Improved usability: Eliminates the manual creation and management of long-lived API tokens by leveraging OpenID Connect (OIDC) in your CI workflows, streamlining release automation and reducing human error in token handling.
  • Enhanced security: Short-lived tokens (valid for a maximum of 15 minutes) drastically limit the attack window for credential theft, mitigating the risk of token leakage or unauthorized reuse.
  • Elimination of secret storage: You no longer need to store sensitive API tokens in environment variables or secret managers; OIDC tokens are issued on-demand and never persist beyond the publish operation.
  • Fine-grained trust controls: Configure which CI workflows or environments are allowed to publish, enabling least-privilege release setups and reducing the blast radius of any compromised workflow.
  • Automatic token revocation: Since tokens expire automatically, there is no need for manual revocation, ensuring that stale credentials cannot be exploited long after they were issued.

https://docs.pypi.org/trusted-publishers/

darjeeling, May 28 '25 09:05