Mike Fiedler, Code GardenerOct 14

Does your org run a self-managed version of GitLab and publish your own #Python packages to @pypi ?

If you want to try out an alpha of Trusted Publishing for GitLab Self-Managed instances, let me know via DM - I'm collecting interest now, and should have something to show soon.

Show threadMatthias Mair

@miketheman @pypi Not a Gitlab user, just running a small gitea instance.

Is there an issue, blog or PR I could follow to read more about your approach once it is published?

Oct 14 at 7:30pmMastodon for iOS
Show threadMike Fiedler, Code GardenerOct 14

@matmair Sure! You could start with the intro to Trusted Publishers from back in 2023: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
And more:
https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/
https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/

For this specific work, I'm working on a lot in this issue: https://github.com/pypi/warehouse/issues/15838

Introducing 'Trusted Publishers' - The Python Package Index Blog

Announcing a new, more secure way to publish to PyPI

Show threadMatthias MairOct 14

@miketheman thank you for the link; I have been looking into adding “trusted publishing” as defined by the WG to a primarily self hosted platform and this will the final puzzle piece to make that reasonable for the deployment scenario.

Thank you for your effort and good luck for the work ahead!