Put together a big upgrade to my python-lib cookiecutter template today: it now uses pyproject.toml rather than setup.py, and it configures a publish.yml workflow that publishes packages to PyPI without needing a password or authentication token using PyPI Trusted Publishers
@simon The Trusted Publishing part is very neat, thank you for sharing! 🙌
I wonder how this PyPI "pending publisher" feature works if you a) rename your github account or repo b) delete your github account and then someone else creates a new one with the same name.
Does GitHub notify PyPI about these changes? Because neither the GitHub repo name nor the account (or organization) name is guaranteed to be stable 🤔
@djh that's a great question! My hunch is that the OIDC stuff under the hood has been designed with that in mind, but I've not dug into the details.
@sethmlarson may know the answer!
@simon @djh Thanks for the tag Simon, indeed when a publisher is specifically in the "pending" state I believe there isn't any pinning to a specific "ID" until after first "use".
I wonder if it could be improved a bit by doing an initial request to GitHub's API and bind to the ID early? Might be worth opening an issue :)
@sethmlarson @djh that sounds good enough to me - I expect most pending publishers only exist for a short period of time, and their creators should stay very aware of renames to their own GitHub accounts.
@simon @sethmlarson Gotcha thanks for the details! Sounds good, I was just wondering how these simple systems on their own interact in complex ways when plugged into each other.
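The "bind to the ID early" idea discussed in the thread, as an added example that is not part of the original posts and not PyPI's actual implementation: a pending publisher is matched by owner/repo/workflow name, and on the first successful use the stable numeric `repository_owner_id` and `repository_id` claims from the GitHub Actions OIDC token are recorded, so a later token that carries the same names but different IDs (a renamed or re-created account or repo) is rejected. The claim names are the ones GitHub puts in its OIDC tokens; the ID values and the `PendingPublisher` class are constructed for the example, and the token's signature is assumed to have already been verified against GitHub's JWKS before these claims are trusted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PendingPublisher:
    """A pending trusted publisher, registered by name only (hypothetical model)."""
    owner: str
    repo: str
    workflow: str
    # Stable GitHub IDs, unknown until the first accepted publish.
    owner_id: Optional[str] = None
    repo_id: Optional[str] = None


def verify_and_bind(pub: PendingPublisher, claims: Dict[str, str]) -> Tuple[bool, str]:
    """Check an already signature-verified OIDC claim set against the publisher.

    On first use the stable IDs are pinned; afterwards a name match with a
    different ID pair is refused. Returns (accepted, reason).
    """
    full_name = f"{pub.owner}/{pub.repo}"
    if claims.get("repository_owner") != pub.owner or claims.get("repository") != full_name:
        return False, "owner/repo name does not match the registered publisher"

    # job_workflow_ref looks like owner/repo/.github/workflows/publish.yml@refs/heads/main
    expected_prefix = f"{full_name}/.github/workflows/{pub.workflow}@"
    if not claims.get("job_workflow_ref", "").startswith(expected_prefix):
        return False, "workflow file does not match the registered publisher"

    owner_id = claims.get("repository_owner_id")
    repo_id = claims.get("repository_id")
    if not owner_id or not repo_id:
        return False, "token carries no stable IDs; refusing to bind on names alone"

    if pub.owner_id is None:
        # First use: pin the numeric IDs so renames/re-creations are detectable.
        pub.owner_id, pub.repo_id = owner_id, repo_id
        return True, "first use: bound to stable IDs"

    if (pub.owner_id, pub.repo_id) != (owner_id, repo_id):
        return False, "same names but different GitHub IDs; possible account/repo reuse"
    return True, "IDs match pinned publisher"


def run_scenario() -> List[Tuple[bool, str]]:
    """Replay the case raised in the thread with constructed sample tokens."""
    pub = PendingPublisher(owner="alice", repo="python-lib", workflow="publish.yml")

    def token(owner_id: str, repo_id: str) -> Dict[str, str]:
        # Constructed claim values; the claim names are GitHub's.
        return {
            "repository_owner": "alice",
            "repository": "alice/python-lib",
            "repository_owner_id": owner_id,
            "repository_id": repo_id,
            "job_workflow_ref": "alice/python-lib/.github/workflows/publish.yml@refs/heads/main",
        }

    results = []
    results.append(verify_and_bind(pub, token("1001", "5001")))  # first publish: binds
    results.append(verify_and_bind(pub, token("1001", "5001")))  # same account/repo: ok
    # Account deleted and re-created under the same name: new numeric IDs.
    results.append(verify_and_bind(pub, token("1002", "5002")))  # rejected
    # Token from a renamed repo no longer matches the registered name at all.
    renamed = token("1001", "5001")
    renamed["repository"] = "alice/other-lib"
    results.append(verify_and_bind(pub, renamed))                # rejected
    return results


if __name__ == "__main__":
    for ok, why in run_scenario():
        print("ACCEPT" if ok else "REJECT", "-", why)
```

The design point is that names are only used to find the pending entry; what gets pinned is the numeric ID pair, which GitHub does not reuse when an account or repository is deleted and re-created. Until first use there is still a window where only names are known, which is the gap the thread is discussing.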