Put together a big upgrade to my python-lib cookiecutter template today: it now uses pyproject.toml rather than setup.py, and it configures a publish.yml workflow that publishes packages to PyPI without needing a password or authentication token using PyPI Trusted Publishers
The more experience I get with the new PyPI "trusted publishers" mechanism the more I love it - it's SUCH a low friction way to publish a package from GitHub to PyPI, and configuring it for a new project really is just a case of filling in a few form fields and dropping in a couple of lines of YAML https://til.simonwillison.net/pypi/pypi-releases-from-github
@simon that's as much low friction as being invisible gatekeeping (want to easily publish to pypi? use github); especially now with github buying into the ai hype with its full microsoft chest.
@simon @glyph Quick suggestion: instead of "pip install", "python -Im pip install" and "python -Im build" (etc.).
The "-I" (that's LATIN CAPITAL LETTER I, as in "Isolated", which is the mode it turns on) flag helps mitigate quite a few malicious things people might try in pull requests, and so is something I always recommend for anything that'll run in CI.
@mawhrin interestingly development of the feature was funded by Google
It's built on top of OIDC, presumably to help facilitate adding other platforms in the future - but it would take coordinated work from those platforms https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/