Trusted Publishers: The Game

As a PyPI package maintainer, navigate the world of trusted publishing and protect your packages from malicious actors while avoiding common security pitfalls. Use your knowledge of OpenID Connect to exchange short-lived identity tokens and delegate trust to your chosen identity provider. Configure trusted publishers to only release from a specific GitHub Actions environment to further increase the security of your release workflows. Correlate more information about where a given file was published from and verify related metadata like the URL of a source repository for a project.