matthew-brett / delocate

Find and copy needed dynamic libraries into python wheels
BSD 2-Clause "Simplified" License

[maintenance hint] Use `pypi-publish` action with secretless publishing from GHA #196

Open webknjaz opened 7 months ago

webknjaz commented 7 months ago

I was skimming through the recent changes as I was trying to figure out a new regression and noticed something that should probably be fixed — the GHA workflow calls Twine directly and uses a long-living API token or even a user-wide password (which is worse, security-wise).

There's a more secure and easier way of doing this now which my action (yes, it's a shameless plug!) has supported since the early spring, way before it's gone GA: https://github.com/marketplace/actions/pypi-publish#trusted-publishing.

My PyPUG guide is also updated with a full usage example of secretless publishing: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/.

I suggest you upgrade the automation to be more in line with the modern practices :)

HexDecimal commented 7 months ago

It's a long-lived API token created by me. I set that up before PyPI had trusted publishing. I use trusted publishing for all my other Python projects and I've considered setting it up here but doing so requires full access to this repo which I don't have since it's a personal repo.

@matthew-brett must set up a pypi GitHub Environment for me from the Settings -> Environments menu on the repo. The environment doesn't need any specific rules, it just has to exist. Once the environment is created I can handle the rest since I have enough access on PyPI.

As alarming as the current setup looks it isn't especially insecure. It's about as secure as an environment with no additional security options enabled would be. I've been paranoid enough to keep an eye on this project's releases just in case, but I've been the only one publishing releases ever since.