A recent supply chain attack highlighted the inherent risks of using long-lived tokens to publish packages to PyPI, which was the only option for automated deployment until Trusted Publishing was introduced in 2023. OpenAstronomy's publishing workflows were initially designed around the token-based strategy, and recently added support for using trusted publishing instead.
I'm reporting to all projects I find still relying on the token-based strategy, and strongly recommend this project switch to trusted publishing. I'm happy to answer any questions maintainers may have about the process, and I note that most of the work requires administration rights both to the repository and the PyPI project.
The PyPI token stored as a secret associated with this repo should be revoked (i.e., removed) in order to minimize the risk of it being stolen. I advise taking this action immediately (this takes only a minute) even if maintainers don't have time to set up trusted publishing just yet.
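Added example (not from the original issue, and not OpenAstronomy's own reusable workflow): a GitHub Actions file that places the token-based publish step the issue asks maintainers to retire next to the trusted-publishing form using `pypa/gh-action-pypi-publish`. The job names, the `pypi` environment name and the secret name `PYPI_API_TOKEN` are assumptions; a real project keeps only one of the two jobs.

```yaml
name: publish
on:
  release:
    types: [published]

jobs:
  # Before: a long-lived PyPI API token stored as a repository secret.
  # Anyone who obtains the secret can publish releases until the token
  # is revoked on PyPI, which is why the issue asks for immediate revocation.
  publish-with-token:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}   # assumed secret name

  # After: trusted publishing. No stored secret. The job asks GitHub for a
  # short-lived OIDC token, and PyPI exchanges it for a publishing credential
  # bound to this repository, workflow file and environment, as registered
  # under "Publishing" in the PyPI project's settings.
  publish-trusted:
    runs-on: ubuntu-latest
    environment: pypi            # assumed name; must match the Trusted Publisher registration if one is set
    permissions:
      id-token: write            # lets the job mint the OIDC token
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1   # no password input: OIDC is used
```

Once the trusted job has published successfully, delete the `PYPI_API_TOKEN` secret from the repository and revoke the token on PyPI so no long-lived credential remains.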