Trustworthy Publishing

You play as a hacker who has stumbled upon a vulnerability in PyPI's trusted publishing system. With the ability to generate identity tokens and API tokens, you must decide whether to use your newfound power for good or evil. Will you expose the flaw to PyPI or use it to your advantage?