Trusted Publisher

I'm not a hacker; I'm a trusted publisher.

Trusted Publisher is a cybersecurity game based on PyPI's trusted publishing method, in which players take on the role of a PyPI package maintainer tasked with keeping the open-source community secure by verifying and delegating trust to a given OpenID Connect (OIDC) Identity Provider (IdP). The game's objective is to configure PyPI to trust only identity tokens exchanged with the trusted third-party service, eliminating the need to use long-lived passwords or API tokens when publishing; such credentials can leave open-source projects vulnerable to attack. Further security measures include configuring trusted publishers to release only from a specific GitHub Actions environment and applying additional restrictions to the trusted GitHub Actions workflow, such as requiring approval of each run by a trusted subset of repository maintainers.
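The policy the game asks the player to build (accept only tokens from the configured IdP, and only for one repository, one workflow file and optionally one GitHub Actions environment) can be modelled as a claim-matching check. The code below is an added example written for this page, not PyPI's own implementation or the game's code: the claim names (`iss`, `aud`, `repository`, `job_workflow_ref`, `environment`) follow GitHub's OIDC token format, the issuer URL and the `pypi` audience string are stated as assumptions, and the sample claims and the `example-org/example-package` project are constructed. Signature and expiry validation of the token is assumed to have happened before these checks run.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence

# Assumed values (not from the page): GitHub Actions' OIDC issuer URL and the
# audience PyPI expects in tokens minted for it.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
PYPI_AUDIENCE = "pypi"


@dataclass(frozen=True)
class TrustedPublisher:
    """One trusted-publisher entry as a maintainer would register it on PyPI."""
    owner: str                          # GitHub organisation or user
    repository: str                     # repository name
    workflow_filename: str              # file under .github/workflows/
    environment: Optional[str] = None   # None: no environment restriction

    @property
    def repo_slug(self) -> str:
        return f"{self.owner}/{self.repository}"

    def matches(self, claims: Mapping[str, str]) -> bool:
        """True only if every configured restriction is met by the token's claims.
        Cryptographic verification (signature against the IdP's published keys,
        expiry) is assumed to have been done already."""
        # 1. Only the configured IdP, and only tokens minted for PyPI.
        if claims.get("iss") != GITHUB_ISSUER or claims.get("aud") != PYPI_AUDIENCE:
            return False
        # 2. Only the registered repository; a fork carries a different slug.
        if claims.get("repository") != self.repo_slug:
            return False
        # 3. Only the registered workflow file. job_workflow_ref has the form
        #    "owner/repo/.github/workflows/<file>@<git ref>".
        expected_prefix = f"{self.repo_slug}/.github/workflows/{self.workflow_filename}@"
        if not claims.get("job_workflow_ref", "").startswith(expected_prefix):
            return False
        # 4. Optionally, only the registered GitHub Actions environment, so
        #    environment protection rules (e.g. required reviewers) apply.
        if self.environment is not None and claims.get("environment") != self.environment:
            return False
        return True


def find_trusted_publisher(
    claims: Mapping[str, str], publishers: Sequence[TrustedPublisher]
) -> Optional[TrustedPublisher]:
    """Return the first registered publisher the token satisfies, else None."""
    for publisher in publishers:
        if publisher.matches(claims):
            return publisher
    return None


# Constructed sample: claims a token from a tagged release run might carry.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": PYPI_AUDIENCE,
    "repository": "example-org/example-package",
    "repository_owner": "example-org",
    "job_workflow_ref": "example-org/example-package/.github/workflows/release.yml@refs/tags/v1.2.0",
    "environment": "pypi",
}

# The single publisher entry a maintainer would register for that project.
PUBLISHERS = [
    TrustedPublisher("example-org", "example-package", "release.yml", environment="pypi"),
]


if __name__ == "__main__":
    # A matching token is accepted; the same token without the environment
    # claim (a run outside the protected environment) is rejected.
    print("release run:", find_trusted_publisher(SAMPLE_CLAIMS, PUBLISHERS))
    unprotected = {k: v for k, v in SAMPLE_CLAIMS.items() if k != "environment"}
    print("run outside environment:", find_trusted_publisher(unprotected, PUBLISHERS))
```

On the workflow side this corresponds to a job that declares `permissions: id-token: write` and an `environment:` whose name equals the registered one; the environment's own protection rules (such as required reviewers) are where the per-run approval the game mentions is enforced, and the `environment` claim is how the registry learns that the run went through them.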