by woodruffw
1121 days ago
> Recently I've seen someone on Reddit trying to automate the creation of PyPI projects through GitHub Actions. The person was complaining that the first deployment couldn't use an API key for that project since it didn't exist. So I'm not surprised some people are trying to do the same for malicious purposes.

Sorry for the tangent, but: you can do this now! If you use trusted publishing, you can register a "pending publisher" for a project that doesn't exist yet. When the trusted publisher (like GitHub Actions) is used, it'll create the project[1].

All of this is supported transparently by the official publishing action for GitHub Actions[2].

[1]: https://docs.pypi.org/trusted-publishers/creating-a-project-...

[2]: https://github.com/pypa/gh-action-pypi-publish