As a PyPI package maintainer, you are tasked with using the new, secure publishing method that leverages OpenID Connect. But when a shady third-party identity provider approaches you with an offer to exchange your identity token for a larger, more powerful token, you must decide whether to trust them in order to gain greater control over your packages. Will you take the risk and become a master token manipulator, or stick to the security of the trusted publisher?