Closed: blink1073 closed this issue 3 months ago
FYI I opened a PR on jupyter_releaser to support this as well as NPM provenance: https://github.com/jupyter-server/jupyter_releaser/pull/511
I'm starting to roll that out to the major JupyterLab packages for the next release.
All of the repositories that use Jupyter Releaser now use PyPI trusted publishing.
As mentioned in the meeting yesterday, we should consider using PyPI Trusted Publishers for Jupyter Projects.
I ran an experiment using my test-python-project repository. I made a release to the Test PyPI instance using my main account, and then one using a backup account that does not have a login to Test PyPI.
Here is what the PyPI security log looks like:
Here is the deployment log from the repo:
The publish permissions would move from PyPI to the Environment Permissions on the repository: