security: adopt Trusted Publishing to PyPi #182

@trumant

Is your feature request related to a problem? Please describe.

The problem is that https://pypi.org/project/langfair/ shows that multiple aspects of the project's metadata are currently unverified. https://docs.pypi.org/project_metadata/#via-trusted-publishing suggests that if the project adopts Trusted Publishing that we can increase PyPI and end-user confidence that the artifacts we are providing are legitimately coming from the LangFair project contributors/community.

There are additional problems in the form of security risks associated with long-lived API tokens granting access to the project's PyPI presence/account.

From https://docs.pypi.org/trusted-publishers/

  • Usability: with Trusted Publishing, users no longer need to manually create API tokens on PyPI and copy-paste them into their CI provider. The only manual step is configuring the publisher on PyPI.
  • Security: PyPI's normal API tokens are long-lived, meaning that an attacker who compromises a package's release token can use it until its legitimate user notices and manually revokes it. Trusted Publishing avoids this problem because the tokens minted expire automatically.

Describe the solution you'd like

Adopt PyPI Trusted Publishing using GitHub Actions workflows

Describe alternatives you've considered

None - the security and end user trust benefits seem pretty incontrovertible

Also with the introduction of offerings like https://astral.sh/pyx it becomes increasingly important to modernize the package metadata and publishing processes to ensure the project fully communicates its security and compliance posture and value to end users.

Additional context

See
