pypi / warehouse

The Python Package Index
https://pypi.org
Apache License 2.0

Generate token for new, not-yet-uploaded package? #16057

Open Carreau opened 4 months ago

Carreau commented 4 months ago

What's the problem this feature will solve?

I want to create a token to upload a package that does not exist yet. I can only use a general token for the first upload and then need to change the token, which is annoying (as far as I can tell).

Describe the solution you'd like

Ability to create a "lazy" token that, once used to upload a given package, can only be used for this package going forward.

Additional context

I was helping someone upload their first package, and it was not super frictionless.

di commented 4 months ago

Our recommendation is to use Trusted Publishing to create the project instead -- see https://github.com/pypi/warehouse/issues/6378.

woodruffw commented 4 months ago

To add to what @di said: Trusted Publishing has a concept of "pending publishers" for this exact scenario: you can register a "pending publisher" for a project that doesn't exist yet, and it'll be turned into a full Trusted Publisher once you use it.

(You can also technically do this by manually attenuating a user-scoped API token locally, since it's a Macaroon under the hood. But I suspect that'll be much less beginner-friendly than Trusted Publishing 🙂)
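The "attenuate it locally" remark above is the part most readers will not have seen worked through, so here is an added example (mine, not warehouse's code and not the thread's). It reimplements the macaroon construction with the standard library only, so it runs offline: a server mints a user-scoped macaroon from a secret root key, the client appends a project-name caveat without talking to the server, and the server later verifies both the HMAC chain and the caveat. PyPI's real tokens carry the `pypi-` prefix but use pymacaroons' v2 serialization, which this payload encoding does not reproduce; the `[1, [<normalized names>]]` caveat shape is modelled on warehouse's project-name caveat as I understand it, and the key, identifier and project names are constructed values.

```python
"""Macaroon mint / attenuate / verify with only the standard library.

Added illustration, not warehouse's code. PyPI serializes tokens with
pymacaroons (v2 format behind the "pypi-" prefix) and has its own caveat
classes; the HMAC chaining below is the property that makes offline
attenuation safe: a holder can narrow a token but never widen it.
"""
import base64
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field

TOKEN_PREFIX = "pypi-"  # PyPI's real prefix; the payload encoding below is ours


def _chain(prev: bytes, data: bytes) -> bytes:
    return hmac.new(prev, data, hashlib.sha256).digest()


def normalize(name: str) -> str:
    """PEP 503 normalisation, so 'Sample_Project' and 'sample-project' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def project_caveat(*names: str) -> str:
    # Assumed encoding, modelled on warehouse's project-name caveat
    # (tag 1 + list of normalized names); confirm against warehouse/macaroons.
    return json.dumps([1, [normalize(n) for n in names]])


@dataclass
class Macaroon:
    location: str
    identifier: str
    caveats: list[str] = field(default_factory=list)
    signature: bytes = b""

    @classmethod
    def mint(cls, key: bytes, location: str, identifier: str) -> "Macaroon":
        # Root signature = HMAC(root_key, identifier); only the server has key.
        return cls(location, identifier, [], _chain(key, identifier.encode()))

    def attenuated(self, caveat: str) -> "Macaroon":
        # Any holder can append a caveat: new sig = HMAC(old_sig, caveat).
        # The old signature is not kept, so the restriction cannot be removed
        # again without the root key.
        return Macaroon(self.location, self.identifier,
                        [*self.caveats, caveat],
                        _chain(self.signature, caveat.encode()))

    def to_token(self) -> str:
        body = json.dumps({"l": self.location, "i": self.identifier,
                           "c": self.caveats, "s": self.signature.hex()})
        b64 = base64.urlsafe_b64encode(body.encode()).decode().rstrip("=")
        return TOKEN_PREFIX + b64

    @classmethod
    def from_token(cls, token: str) -> "Macaroon":
        if not token.startswith(TOKEN_PREFIX):
            raise ValueError("not a token in this example's format")
        raw = token[len(TOKEN_PREFIX):]
        raw += "=" * (-len(raw) % 4)
        d = json.loads(base64.urlsafe_b64decode(raw))
        return cls(d["l"], d["i"], list(d["c"]), bytes.fromhex(d["s"]))


def _caveat_allows(caveat: str, project: str) -> bool:
    try:
        tag, payload = json.loads(caveat)
    except (ValueError, TypeError):
        return False
    if tag == 1 and isinstance(payload, list):
        return normalize(project) in payload  # every caveat must admit the upload
    return False  # unknown caveat: fail closed


def verify(key: bytes, m: Macaroon, project: str) -> bool:
    """Server side: recompute the chain from the root key, then check caveats."""
    sig = _chain(key, m.identifier.encode())
    for c in m.caveats:
        sig = _chain(sig, c.encode())
    if not hmac.compare_digest(sig, m.signature):
        return False  # caveat stripped, reordered, or forged
    return all(_caveat_allows(c, project) for c in m.caveats)


def demo() -> dict[str, bool]:
    root_key = b"server-secret-never-leaves-the-index"           # constructed
    user_token = Macaroon.mint(root_key, "pypi.org", "user-token-42")  # user-scoped
    scoped = user_token.attenuated(project_caveat("Sample_Project"))   # client-side
    on_wire = Macaroon.from_token(scoped.to_token())
    stripped = Macaroon(on_wire.location, on_wire.identifier, [], on_wire.signature)
    widened = on_wire.attenuated(project_caveat("other"))  # intersection, not union
    return {
        "unscoped_any_project": verify(root_key, user_token, "anything"),
        "scoped_right_project": verify(root_key, on_wire, "sample-project"),
        "scoped_other_project": verify(root_key, on_wire, "other"),
        "caveat_stripped": verify(root_key, stripped, "sample-project"),
        "cannot_widen": verify(root_key, widened, "other"),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real token the same steps would be done with pymacaroons (strip the `pypi-` prefix, `Macaroon.deserialize`, `add_first_party_caveat` with warehouse's caveat encoding, re-serialize and re-prefix); that is my reading of how the tokens are built, not something this thread confirms, so check it against the warehouse source before relying on it. The point the example makes is the one woodruffw raises: the attenuated token is strictly less powerful than the user-scoped one, so it can be handed to a CI job for the first upload and kept scoped afterwards, but the procedure is well beyond what a first-time uploader should be asked to do.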