Trail of Tokens

PyPI security just got a whole lot stronger.

As a PyPI package maintainer, you need to publish new releases without keeping long-lived passwords or API tokens in CI secrets. Trusted publishing uses the OpenID Connect (OIDC) standard: a trusted identity provider such as GitHub Actions issues a short-lived identity token that asserts which repository and workflow is running, and PyPI exchanges it for a short-lived upload token. Configure PyPI to trust a specific GitHub repository and workflow file, and the API tokens it mints never need to be stored or shared. Restrict publishing to a dedicated GitHub Actions environment (which can carry its own protection rules, such as required reviewers) so that only releases from that environment are accepted.
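The following workflow is an added example, not code from the original page or from PyPI or PyPA. It assumes a package named `example-package`, a workflow file named `release.yml`, and a GitHub environment named `pypi`; on the PyPI side the trusted publisher must be registered with the same repository owner, repository name, workflow filename and environment name, otherwise PyPI rejects the token exchange. Building and publishing are split into two jobs so that arbitrary build code never runs with `id-token: write`.

```yaml
# .github/workflows/release.yml
# The filename must match the "Workflow name" registered in the PyPI
# trusted publisher configuration (assumed here: release.yml).
name: Publish to PyPI

on:
  release:
    types: [published]

# Start from no permissions; grant the minimum per job.
permissions: {}

jobs:
  build:
    name: Build sdist and wheel
    runs-on: ubuntu-latest
    permissions:
      contents: read          # only needs to read the source tree
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build distributions
        run: |
          python -m pip install --upgrade build
          python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    name: Publish to PyPI
    needs: build
    runs-on: ubuntu-latest
    # Environment name must match the one registered on PyPI (assumed: pypi).
    # Protection rules on this environment (required reviewers, allowed
    # branches/tags) gate every release.
    environment:
      name: pypi
      url: https://pypi.org/p/example-package   # assumed package name
    permissions:
      id-token: write         # lets the job request an OIDC token from GitHub
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # The action requests the OIDC identity token, exchanges it with PyPI
      # for a short-lived API token, and uploads dist/. No password or
      # stored API token is referenced anywhere in this workflow.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Because only the `publish` job has `id-token: write`, a compromised build dependency or build script cannot obtain an OIDC token and publish on its own; it can only produce artifacts, which are then uploaded by a job whose steps are limited to downloading them and running the publish action.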