
Expanding Trusted Publisher Support

submitted by
Style Pass
2024-04-17 16:30:08

These providers join existing support for publishing from GitHub Actions without long-lived passwords or API tokens, which we announced last year, and bring support for Trusted Publishing to even more hosted providers.

Trusted Publishing is our term for using the OpenID Connect (OIDC) standard to exchange short-lived identity tokens between a trusted third-party service and PyPI. This method can be used in automated environments and eliminates the need to use username/password combinations or long-lived, manually generated API tokens to authenticate with PyPI when publishing.

Instead, maintainers can configure PyPI to trust an identity provided by a given OpenID Connect Identity Provider (IdP). This allows PyPI to verify and delegate trust to that identity, which is then authorized to request short-lived, tightly-scoped API tokens from PyPI. These API tokens never need to be stored or shared, rotate automatically by expiring quickly, and provide a verifiable link between a published package and its source.
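To make the delegation step concrete, here is an added example (not PyPI's own code) of the claim-matching check a Trusted Publishing verifier performs after the IdP's signature on the OIDC token has already been validated: the audience and expiry are checked first, then the identity claims are compared against what the maintainer registered. The issuer URLs, claim names and the `pypi` audience are assumptions modelled on the providers' public documentation, and the registered publishers are constructed sample data.

```python
import time
from typing import Optional

PYPI_AUDIENCE = "pypi"  # assumption: the audience PyPI expects in OIDC tokens

# Constructed: trusted publishers a maintainer registered for one project.
# "exact" claims must equal the stored value; "prefix" claims must start with it
# (a workflow ref carries the git ref after '@', which differs for every release,
# so only the repository/workflow part is pinned).
TRUSTED_PUBLISHERS = [
    {"iss": "https://token.actions.githubusercontent.com",
     "exact": {"repository": "example-org/pkg"},
     "prefix": {"job_workflow_ref": "example-org/pkg/.github/workflows/release.yml@"}},
    {"iss": "https://gitlab.com",
     "exact": {"project_path": "example-org/pkg"},
     "prefix": {"ci_config_ref_uri": "gitlab.com/example-org/pkg//.gitlab-ci.yml@"}},
]


def claims_match(claims: dict, publisher: dict) -> bool:
    """True if a signature-verified claim set matches one registered publisher."""
    if claims.get("iss") != publisher["iss"]:
        return False
    for name, value in publisher["exact"].items():
        if claims.get(name) != value:
            return False
    for name, value in publisher["prefix"].items():
        if not str(claims.get(name, "")).startswith(value):
            return False
    return True


def authorize_publish(claims: dict, publishers=TRUSTED_PUBLISHERS,
                      now: Optional[float] = None) -> Optional[str]:
    """Return the matching publisher's issuer if this token may mint a short-lived
    PyPI token, else None. Audience and expiry are rejected before any identity
    matching, so a token minted for another service, or replayed after it expired,
    never reaches the publisher comparison."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if aud != PYPI_AUDIENCE and aud != [PYPI_AUDIENCE]:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    for publisher in publishers:
        if claims_match(claims, publisher):
            return publisher["iss"]
    return None
```

A token from a fork of the repository, from a different workflow file, or with the wrong audience falls through to `None` even though its signature is perfectly valid, which is the point: the IdP vouches for identity, PyPI decides which identities are trusted.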

Funding for work implementing Google Cloud and GitLab support was provided by the Google Open Source Security Team, and much of the development work was performed by Trail of Bits, with special thanks to contributors William Woodruff and Facundo Tuesca.
