Problem Statement
As a JupyterHub admin, I want to trust that JupyterHub packages available on PyPI and NPM are securely published and not unnecessarily vulnerable to malicious uploads and credential stealing.
Proposed Solution
Our packages should be published to PyPI and NPM using Trusted Publishing, removing all use of long-lived tokens.
Proposed Implementation
Add a Trusted Publishing workflow to every Python package uploading to PyPI and Node.JS package uploading to NPM. Audit repo secrets for PyPI and NPM tokens and remove them. We should enable zizmor linting on at least the trusted publishing workflow, if not all workflows.
How will this fit in the ecosystem?
Trusted Publishing is already the existing best practice for publishing packages, and we use it in several of our repos. This is about committing to following this practice project-wide.
Endorsements
Problem Statement
As a JupyterHub admin, I want to trust that JupyterHub packages available on PyPI and NPM are securely published and not unnecessarily vulnerable to malicious uploads and credential stealing.
Proposed Solution
Our packages should be published to PyPI and NPM using Trusted Publishing, removing all use of long-lived tokens.
Proposed Implementation
Add a Trusted Publishing workflow to every Python package uploading to PyPI and Node.JS package uploading to NPM. Audit repo secrets for PyPI and NPM tokens and remove them. We should enable zizmor linting on at least the trusted publishing workflow, if not all workflows.
How will this fit in the ecosystem?
Trusted Publishing is already the existing best practice for publishing packages, and we use it in several of our repos. This is about committing to following this practice project-wide.
Endorsements