Trusted Publishing: The Game

Who needs passwords when you have trust?

You play as a PyPI package maintainer who must navigate the complexities of trusted publishing using OIDC. Manage your time, resources, and relationships with external systems to ensure the security and success of your package releases. Will you choose the PyPA's GitHub Action or manually exchange tokens? Will you trust a third-party IdP or set up a specific GitHub Actions environment? Make strategic decisions and earn the trust of the PyPI community.