Applying Trusted Publisher to your PyPI projects is strongly recommended for the following reasons:
- Improved usability: Eliminates the manual creation and management of long-lived API tokens by leveraging OpenID Connect (OIDC) in your CI workflows, streamlining release automation and reducing human error in token handling.
- Enhanced security: Short-lived tokens (valid for a maximum of 15 minutes) drastically limit the attack window for credential theft, mitigating the risk of token leakage or unauthorized reuse.
- Elimination of secret storage: You no longer need to store sensitive API tokens in environment variables or secret managers; OIDC tokens are issued on demand and never persist beyond the publish operation.
- Fine-grained trust controls: Configure which CI workflows or environments are allowed to publish, enabling least-privilege release setups and reducing the blast radius of any compromised workflow.
- Automatic token revocation: Since tokens expire automatically, there is no need for manual revocation, ensuring that stale credentials cannot be exploited long after they were issued.