Open rsokl opened 1 year ago
I think that something similar was proposed by GitHub during the private beta. I think it was mostly concerning the PyPI side badges, not the embedded ones.
Would be nice to have something akin to Mastodon's "verified" checkmarks near the repo link. That way I can tell at a glance "this is really the project published from that repo".
I guess flagging all other projects linking the same repo would also be nice...
Triaging: this will happen with the completion of #15871 -- when a Trusted Publisher uploads an attestation alongside the normal package upload, we'll mark the project on PyPI's side with a little UI boondoggle.
(I'm not 100% sure how markdown badges are generated, though, or if PyPI even has any control over those...)
We will likely not inject additional badges into a project description, since this is all user-supplied and we have no precedent for modifying it besides rendering it.
I think now that we have a "verified metadata" section, we can elevate the link to the source repository for projects that use trusted publishing for a release instead.
@woodruffw I don't think we need to wait for #15871 to do that though? We can verify the publisher was used without the attestation being present, and I wouldn't want to limit this only to projects that use trusted publishing AND publish attestations.
Yep -- this was based on an earlier misunderstanding of mine 🙂.
For others' visibility, the current WIP for this does not require #15781: https://github.com/pypi/warehouse/pull/16205
Context: the new trusted publishers method rocks, you all rock, and I want as many prominent pypi projects to adopt this as possible.
What's the problem this feature will solve?
Describe the solution you'd like
Now that hydra-zen is using trusted publishers, I want my little pypi badge to display some kind of shield, letting my users know about the enhanced security / advertising to other projects that this is a thing
(gimme a shield with, like, some fierce looking snake on it!)
It would also be nice if hydra-zen's pypi page featured some Trusted Publishers checkmark. Namely, when I am doing a supply chain review, it would be great to see if a project is utilizing this at a glance.
Additional context
Love this new capability! Awesome work!