A recent supply chain attack highlighted the inherent risks of using long-lived tokens to publish packages to PyPI, which was the only option for automated deployment until Trusted Publishing was introduced in 2023. OpenAstronomy's publishing workflows were initially designed around the token-based strategy, and recently added support for using trusted publishing instead.
This repo uses https://github.com/tschm/token-mint-action + poetry for publishing, but the action is archived, with a recommendation to switch to trusted publishing.
I'm reporting to all projects I find still relying on a token-based strategy, and strongly recommend this project switches to trusted publishing. I'm happy to answer any questions maintainers may have about the process, and I note that most of the work requires administration rights both to the repository and the PyPI project.