It's a bit weird that #GitHub spearheaded #OIDC-based authentication to retrieve short-lived tokens for cloud platforms, and then #PyPI, #RubyGems and even #Dart went and used that to enable short-lived tokens for publishing packages – but GitHub themselves haven't yet launched it for #npm

@openssf has even launched a #TrustedPublishers guideline: https://repos.openssf.org/trusted-publishers-for-all-package-repositories

https://blog.rubygems.org/2023/12/14/trusted-publishing.html

Trusted Publishers for All Package Repositories

OpenSSF Working Group on Securing Software Repositories


Just released: #cherry_picker 2.3.0 🚀

This tool creates backports for CPython when the Miss Islington bot can't, usually due to a merge conflict.

🍒 Add support for #Python 3.13, drop EOL 3.8
🍒 Resolve usernames when remote ends with a trailing slash
🍒 Optimize validate_sha() with --max-count=1
🍒 Remove multiple commit prefixes
🍒 Handle whitespace when calculating usernames
🍒 Publish to PyPI using #TrustedPublishers
🍒 Generate #PEP740 attestations
🍒 And more!

https://pypi.org/project/cherry-picker/2.3.0/

#release

cherry-picker

Backport CPython changes from main to maintenance branches


🥚🐰🛞🐍 Exciting!

I'm doing the first @pillow release using cibuildwheel + PyPI publish GitHub Action + Trusted Publishers!

It'll take just under three hours to build 68 wheels and an sdist, and then upload them automatically to @pypi 🤞

The matrix covers CPython 3.8-3.12, PyPy 3.9-3.10, manylinux, musllinux, macOS Intel + Apple Silicon, Windows 32-bit + 64-bit + ARM...

Follow along the Easter fun at https://github.com/python-pillow/Pillow/actions/runs/8506382482 !

#Python #Pillow #PythonPillow #PyPI #TrustedPublishers #cibuildwheel

Wheels · python-pillow/Pillow@204aae6



I learned about two new things at #PyConUS2023: PyPI Organizations and #TrustedPublishers, but I got the feeling the needs have not been identified properly

1. Orgs - single organization might be the popular case, but the interface feels like that is the only case for now
2. Trusted Publishers - writing "like GitHub" while having only GitHub as an option is ridiculous. What about GitLab, Codeberg, sr.ht or self-hosted instances of any of them? What about dedicated CI services?

#PyConUS @ThePSF

Exciting news from #PyPI, just in time for @PyConUS:

"Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems."

I've been part of the private beta and it works really well!

https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/

#Python #PyConUS #TrustedPublishers

Introducing 'Trusted Publishers' - The Python Package Index Blog

Announcing a new, more secure way to publish to PyPI
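The Pillow release post above (cibuildwheel + the PyPI publish GitHub Action + Trusted Publishers) and the PyPI announcement ("does not require long-lived passwords or API tokens to be shared with external systems") describe the same setup, so one added example serves both. The workflow below is written for this page and is not Pillow's, cherry-picker's, or PyPI's own code. It assumes a Trusted Publisher has already been registered on PyPI for this repository with the workflow file name `release.yml` and the GitHub environment name `pypi`; the tag pattern, job names and artifact names are illustrative choices. The security-relevant parts are `permissions: id-token: write`, granted only to the publish job, and the absence of any `password:` input: the action exchanges the short-lived GitHub OIDC token for a PyPI upload token at publish time, so there is no API token stored as a repository secret to leak or rotate.

```yaml
# Added example workflow (not from the original page or any of the projects it mentions).
# Assumes a PyPI Trusted Publisher registered for: this repo, workflow "release.yml",
# environment "pypi". Registration must match the file name and environment exactly.
name: release

on:
  push:
    tags: ["v*"]          # illustrative trigger; adjust to the project's release flow

jobs:
  wheels:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: pypa/cibuildwheel@v2.19   # builds wheels into ./wheelhouse by default
      - uses: actions/upload-artifact@v4
        with:
          name: wheels-${{ matrix.os }} # v4 requires unique artifact names per job
          path: ./wheelhouse/*.whl

  sdist:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pipx run build --sdist     # writes dist/*.tar.gz
      - uses: actions/upload-artifact@v4
        with:
          name: sdist
          path: dist/*.tar.gz

  publish:
    needs: [wheels, sdist]
    runs-on: ubuntu-latest
    environment: pypi                   # lets GitHub gate the job (required reviewers, branch/tag rules)
    permissions:
      id-token: write                   # required to mint the OIDC token for PyPI
      contents: read                    # nothing else; build jobs keep the default token
    steps:
      - uses: actions/download-artifact@v4
        with:
          pattern: "*"
          path: dist
          merge-multiple: true          # flatten wheels-* and sdist into dist/
      # No `password:` input: the action trades the job's OIDC token for a
      # short-lived PyPI token scoped to the registered project.
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          attestations: true            # emit PEP 740 attestations alongside the uploads
```

Two things a practitioner should check before trusting this: the build jobs must not have `id-token: write`, otherwise any step that runs third-party code during the build (cibuildwheel hooks, test suites) could request an OIDC token and publish; and the environment name and workflow file name in the PyPI registration must match exactly, since PyPI verifies the token's claims (repository, workflow path, environment) rather than any secret.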