PyPI Trusted Publishing
PyPI Trusted Publishing
PPTP is an auth method that allows CI/CD platforms to publish software packages directly to the Python Package Index (PyPI) without using long-lived passwords or API tokens. Instead of storing sensitive credentials in your code repo, this feature leverages the OpenID Connect (OIDC) standard to establish direct machine-to-machine trust between PyPI and your build environment.
How It Works
The tool replaces manual secret management with an automated cryptographic exchange:
1) Pre-configuration: You link your specific code repository and workflow to your project settings on PyPI.
2) Identity Verification: When a deployment triggers, your CI/CD platform sends a short-lived OIDC identity token to PyPI.
3) Token Issuance: PyPI verifies that this token matches your pre-configured trust policy.
4) Scoped Upload: PyPI gives the CI/CD pipeline a temporary, single-use API token that expires quickly to complete the upload.
Key Benefits
1) No Long-Lived Secrets: Eliminates static API tokens that never expire, reducing the risk of credential leaks.
2) Automatic Rotation: Generates short-lived credentials dynamically for every single build run.
3) Tighter Scoping: Authenticates the specific CI workflow file and repository environment, restricting broad unauthorized usage.
4) Supply Chain Security: Reduces risk of malicious package takeovers via leaked tokens
Comments
Post a Comment