Consider switching to TrustedPublishing for PyPI uploads #927

Open
grst opened this issue Dec 10, 2024 · 0 comments

Comments

@grst (Contributor)

grst commented Dec 10, 2024

Squidpy still uses PyPI tokens for uploading releases:

```yaml
- name: Publish on PyPI
  uses: pypa/gh-action-pypi-publish@release/v1
  with:
    user: __token__
    password: ${{ secrets.PYPI_TOKEN }}
    skip_existing: true
    verbose: true
```

Consider switching to trusted publishing, which is nowadays the recommended way to connect to PyPI.

This confers significant usability and security advantages when compared to PyPI's traditional authentication methods:

- Usability: with trusted publishing, users no longer need to manually create API tokens on PyPI and copy-paste them into their CI provider. The only manual step is configuring the publisher on PyPI.
- Security: PyPI's normal API tokens are long-lived, meaning that an attacker who compromises a package's release token can use it until its legitimate user notices and manually revokes it. Trusted publishing avoids this problem because the tokens minted expire automatically.

For an example, see our cookiecutter.
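For reference, here is what the hardened workflow looks like. This is an added example, not code from this issue or from the squidpy repository; it assumes the workflow file is named `release.yml` and the GitHub environment is named `pypi`, and those two names (plus the repository owner and name) are what get registered as the publisher on PyPI.

```yaml
# Added example (not from the squidpy repository): a release job that uses
# PyPI trusted publishing (OIDC) instead of a long-lived PYPI_TOKEN secret.
# Assumed names: workflow file release.yml, GitHub environment "pypi"; both
# must match the publisher configured in the PyPI project settings.
name: Release

on:
  release:
    types: [published]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install build && python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # The environment name is part of the publisher identity PyPI checks; it
    # also lets you require reviewers before this job may run.
    environment: pypi
    permissions:
      # Let this job request a short-lived OIDC token from GitHub. PyPI
      # exchanges it for a publish token that expires on its own, so there is
      # no long-lived secret to steal or rotate.
      id-token: write
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # No user/password inputs: with no credentials supplied, the action
      # performs the OIDC exchange with PyPI itself.
      - name: Publish on PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          skip-existing: true
          verbose: true
```

The `secrets.PYPI_TOKEN` entry can be deleted from the repository once this job publishes successfully, which is the easiest way to confirm the token is no longer in use.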
