yunks128
commented
1 month ago @ingyhere This is great! Thanks for your contribution. slim-cli (https://pypi.org/project/slim-cli/) would benefit directly from TP. I'd be happy to be a tester for your documentation.
A few questions:
- Have you considered integrating TP into your CI/CD pipelines for automated and secure package publishing? That would be great!
- How do you plan to structure the updated documentation? Will you provide a specific section that explains the changes related to Trusted Publishing, key management, and workflow automation?
jpl-jengelke
ingyhere
Checked for duplicates
Yes - I've already checked
Best Practice Guide Category
Software Lifecycle
Best practice guide URL
Python Starter Kit
Describe the improvement
Python Package Index (PyPi) publishing has transitioned to Trusted Publishing in an implementation step en route to PEP 740 adoption. This ticket is to implement Trusted Publishing (TP).
What does TP provide? It guarantees the provenance of software published from your organization. When that provenance is validated, the details and package origins of your published software is "verified" rather than reported as "unverified" in the package index.
Moreover, the publishing process has changes to isolate the actual delivery to package indices with the option for different signature validation and publishing keys, depending on the target index.