Automatic trusted publishing with PyPI — Facundo Tuesca
[EuroPython 2024, South Hall 2B, 2024-07-12]
Automatic trusted publishing with PyPI by Facundo Tuesca
https://ep2024.europython.eu/session/automatic-trusted-publishing-with-pypi

PyPI added support for "Trusted Publishing" last year, allowing package maintainers to create releases directly from their GitHub Actions pipelines without having to worry about token management. Trusted Publishing removes long-lived API tokens from the equation, eliminating one threat vector for supply chain attacks. In this talk, we'll go through the details of how this works, how maintainers can easily take advantage of it with minimal changes to their existing setup, and the ongoing effort in the last 12 months to add support for publishers other than GitHub, such as GitLab, Google, and ActiveState.

---

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License: https://creativecommons.org/licenses/by-nc-sa/4.0/