Open consideRatio opened 1 year ago
Sounds good to me. It's using OIDC, which is the same process that GitHub workflows use to authenticate with public cloud providers with a temporary token instead of using fixed secret credentials. When we're migrating existing workflows we should also delete the original tokens from PyPI.
In this PyPI blog post we learn about a new feature that makes us no longer need to set up PyPI projects with maintainer rights to the `jupyterhub-bot` account and then generate a scoped deployment token. Instead, we can just declare a GitHub project's workflow to be trusted, add `permissions.id-token: write`, and finally use the `pypa/gh-action-pypi-publish` action.

To me, this sounds great! I intend to pilot use of this in jupyterhub/tmpauthenticator.