Y
Hacker News
new
|
ask
|
show
|
jobs
by
tedivm
90 days ago
This problem is solved by not having a token. Github and PyPI both support OIDC based workflows. Grant only the publish job access to OIDC endpoint, then the Trivy job has nothing it can steal.