vBrownBag
vBrownBag
vBrownBag
Trusted Publishing
59 minutes Posted Jun 9, 2026 at 12:40 am.
Welcome & Introduction
Mike's PyCon US World Tour Recap
The Scale of PyPI: 13B Requests/Day & 36% Adoption
Why Long-Lived Tokens Fail: Four Attack Models
Case Study: The 2024 Ultralytics Compromise
What is Trusted Publishing? OIDC Explained
How the GitHub Actions Flow Actually Works
Other Registries: npm, RubyGems, crates.io, NuGet
Common Pitfalls & Debugging Tips
Provenance & Sigstore Attestations
The Step Everyone Forgets: Delete Your Old Token
Migration Guide & Getting Started This Week
0:00
59:11
Download MP3
Show notes
Join us as Mike Fiedler (AWS Hero, PyPI Safety & Security Engineer, Python Software Foundation) makes the case for eliminating long-lived credentials from your release workflow - before an attacker does it for you.
Mike walks through the real-world incidents that motivated Trusted Publishing, how OIDC-based short-lived tokens work under the hood, and the step-by-step process for setting it up in GitHub Actions. You'll learn how the 2024 Ultralytics compromise was forensically investigated thanks to Sigstore attestations, why that API token in your repo is just a password with a fancy hat, common pitfalls that will have you debugging for four hours, and why deleting your old token after setup is the step everyone forgets. PyPI went from 10% Trusted Publishing adoption in February 2024 to 36% today - this episode is how you become part of that number.
Timestamps
How to find Mike:
https://www.linkedin.com/in/miketheman/
https://www.python.org/psf-landing/
Links from the show: