@djh that's a great question! My hunch is that the OIDC stuff under the hood has been designed with that in mind, but I've not dug into the details.

@sethmlarson may know the answer!

@simon @djh Thanks for the tag Simon, indeed when a publisher is specifically in the "pending" state I believe there isn't any pinning to a specific "ID" until after first "use".

I wonder if it could be improved a bit by doing an initial request to GitHub's API and bind to the ID early? Might be worth opening an issue :)

@sethmlarson @djh that sounds good enough to me - I expect most pending publishers only exist for a short period of time, and their creators should stay very aware of renames to their own GitHub accounts

@simon @sethmlarson Gotcha thanks for the details! Sounds good, I was just wondering how these simple systems on their own interact in complex ways when plugged into each other.