
The Secure Publish

Don't trust anyone, trust the code

As a PyPI package maintainer, you must navigate the complex world of cybersecurity to ensure your package is published securely. Configure PyPI to trust a given OpenID Connect (OIDC) Identity Provider (IdP), such as GitHub Actions, so that PyPI verifies the identity token the IdP issues and delegates upload rights to that identity rather than to a stored credential. This eliminates the need for long-lived passwords or API tokens in your repository secrets: the release workflow presents its OIDC token and receives a short-lived, tightly-scoped API token from PyPI, valid only for that project and only for minutes. To mint that identity token, grant the workflow job the `id-token: write` permission, and further increase the security of your release workflow by configuring the trusted publisher to only accept releases from a specific GitHub Actions environment, where you can require reviewers and restrict which branches or tags may deploy.