by mhils 1155 days ago
Fantastic work, kudos! OIDC auth is so much nicer compared to any ad-hoc secrets management. Thank you for dealing with JWT for us. :)

As a small suggestion, it may make sense to move the "Create a token for ..." button to the new publishing page on PyPI? This way both options would be next to each other. I went straight to the settings page after reading your blog post, and was initially confused to only find the old token option there. Having both at the same place would maybe be more straightforward.

Thank you for the kind words, and thanks for pointing this out -- I agree that we should improve the buttons and forms here!

There's a little bit of complexity around the underlying data model (since publishers correspond to projects, while even project-scoped tokens are fundamentally bound to users), but at minimum we could certainly add some language or a link nudging users towards "trusted publishers" next to the current token creation button. I'll file an issue for that tonight.

I'm relatively uneducated here, but doesn't OIDC still require some kind of secret to be possessed? What's the upside you're excited about?
Yeah, but the secret in question is possessed by GitHub, not you or your source.

PyPI will be able to verify that the id-token was signed with the GitHub secret, and therefore trust that the person described in the token is who they say they are.