by ollien 1155 days ago
I'm relatively uneducated here, but doesn't OIDC still require some kind of secret to be possessed? What's the upside you're excited about?
1 comments

Yeah, but the secret in question is possessed by GitHub, not you or your source.

PyPI will be able to verify that the id-token was signed with the GitHub secret, and therefore trust that the person described in the token is who they say they are.
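The check the reply describes, as an added example that is not code from this thread, from PyPI or from GitHub: the package index verifies the token's RS256 signature under the issuer's public key (which a real index fetches from the issuer's JWKS endpoint; here a throwaway key pair generated in the example stands in for GitHub's signing key), then binds the claims to a stored trusted-publisher policy. The issuer URL is GitHub's real OIDC issuer; the audience value "pypi", the repository and workflow names, and the policy struct are assumptions made for the example. Note that the token itself never lets the verifier pick the algorithm, and claims are only read after the signature passes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// GitHubIssuer is the real issuer URL of GitHub Actions OIDC tokens.
const GitHubIssuer = "https://token.actions.githubusercontent.com"

// Claims is the subset of the GitHub Actions token a publisher inspects.
// Field names follow the real token; the values used below are constructed.
type Claims struct {
	Iss            string `json:"iss"`
	Aud            string `json:"aud"`
	Sub            string `json:"sub"`
	Repository     string `json:"repository"`
	JobWorkflowRef string `json:"job_workflow_ref"`
	Exp            int64  `json:"exp"`
}

// TrustedPublisher is an assumed shape for the policy an index stores per project.
type TrustedPublisher struct {
	Repository     string
	JobWorkflowRef string
}

var b64 = base64.RawURLEncoding

// SignRS256 mints a JWT; it stands in for GitHub's token service in this example.
func SignRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the index-side check: signature under the issuer's key first,
// then issuer, audience, expiry and the trusted-publisher policy.
func VerifyToken(token string, issuerKey *rsa.PublicKey, issuer, audience string,
	policy TrustedPublisher, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // the verifier, not the token, fixes the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(issuerKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify under issuer key")
	}
	bodyJSON, err := b64.DecodeString(parts[1]) // claims are only trusted after this point
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("token not intended for this index (aud %q)", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Repository != policy.Repository || c.JobWorkflowRef != policy.JobWorkflowRef:
		return nil, fmt.Errorf("no trusted publisher for %s / %s", c.Repository, c.JobWorkflowRef)
	}
	return &c, nil
}

func main() {
	ghKey, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway stand-in for GitHub's key
	policy := TrustedPublisher{"example/pkg", "example/pkg/.github/workflows/release.yml@refs/heads/main"}
	now := time.Now()
	tok, _ := SignRS256(ghKey, Claims{GitHubIssuer, "pypi", "repo:example/pkg:ref:refs/heads/main",
		policy.Repository, policy.JobWorkflowRef, now.Unix() + 300})
	_, err := VerifyToken(tok, &ghKey.PublicKey, GitHubIssuer, "pypi", policy, now)
	fmt.Println("genuine token accepted:", err == nil)
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := SignRS256(attacker, Claims{GitHubIssuer, "pypi", "", policy.Repository, policy.JobWorkflowRef, now.Unix() + 300})
	_, err = VerifyToken(forged, &ghKey.PublicKey, GitHubIssuer, "pypi", policy, now)
	fmt.Println("token signed with another key rejected:", err != nil)
}
```

The point of the exchange in the thread shows up in the last two lines of `main`: a token carrying the right claims but signed with any key other than the issuer's is rejected, so nothing the publishing workflow holds can forge one.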