Python Starter Kit: Trusted publishing

[ingyhere]

Checked for duplicates

Yes - I've already checked

Best Practice Guide Category

Software Lifecycle

Best practice guide URL

Python Starter Kit

Describe the improvement

Python Package Index (PyPi) publishing has transitioned to Trusted Publishing in an implementation step en route to PEP 740 adoption. This ticket is to implement Trusted Publishing (TP).

What does TP provide? It guarantees the provenance of software published from your organization. When that provenance is validated, the details and package origins of your published software is "verified" rather than reported as "unverified" in the package index.

Moreover, the publishing process has changes to isolate the actual delivery to package indices with the option for different signature validation and publishing keys, depending on the target index.

[yunks128]

@ingyhere This is great! Thanks for your contribution. slim-cli (https://pypi.org/project/slim-cli/) would benefit directly from TP. I'd be happy to be a tester for your documentation.

A few questions:

• Have you considered integrating TP into your CI/CD pipelines for automated and secure package publishing? That would be great!
• How do you plan to structure the updated documentation? Will you provide a specific section that explains the changes related to Trusted Publishing, key management, and workflow automation?

[jpl-jengelke]

Excellent. I'm still testing, waiting for a break in my project when we have resources available to troubleshoot if there are any issues. We should have it wrapped up within two weeks.

• Have you considered integrating TP into your CI/CD pipelines for automated and secure package publishing? That would be great!

Yes, that's the plan. It will be integrated with the Python Starter Kit as soon as it's tested.

• How do you plan to structure the updated documentation? Will you provide a specific section that explains the changes related to Trusted Publishing, key management, and workflow automation?

I haven't thought much yet about it. I suspect it could be a separate guide. But I plan to modify the Python Starter Kit docs to integrate it.

[ingyhere]

Testing complete. I have created a PR in the slim-starterkit-python project. Please feel free to review.

[ingyhere]

A PR in SLIM (here) will also be created shortly to add this to the documentation stack.