aio-libs/frozenlist

Audit the PyPI API token in the CI/CD

webknjaz opened this issue · 4 comments

@asvetlov I noticed that this project is not managed by the bot account in the CI like others. Normally, I'd create a project-scoped token under https://pypi.org/user/aio-libs-bot/ for use in CI.

Could you confirm that:

  • the token used is scoped to just one project on PyPI (frozenlist)
  • the token belongs to a user without "Owner" privileges
  • you don't want to switch it over to be aligned with the rest of packages

What's wrong if I use a project-scoped token generated from my personal account?
Permissions are restricted to upload only anyway, aren't they?
From my understanding, the aio-libs-bot user is not required anymore after switching to token-based upload and getting rid of user/password logins.

@webknjaz don't get me wrong please.
If you want to set up a https://pypi.org/user/aio-libs-bot/ generated token -- please do.
I just don't want to spend my personal time on it and I think that the current token provides the same security level.

I was thinking along the lines of having all the tokens in one place/account so it wouldn't be necessary to guess whose token is in use and which accesses to revoke or where to regenerate it if necessary.

The bot no longer has access to this project. There's no long-living API token in the repo secrets.
The project was migrated to use secretless publishing 5 months ago via #498.
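As an added example that is not part of this issue thread or of the frozenlist repository, the following is an outline of what a secretless ("trusted publishing") GitHub Actions job looks like, so that the difference from the long-lived-token approach debated above is concrete. The workflow name, the release trigger, the environment name `pypi` and the Python version are assumptions; the project's actual workflow is not shown on this page. The PyPI side must have a matching trusted-publisher entry (repository, workflow file name and environment) registered for the project before this can run.

```yaml
name: Publish to PyPI

on:
  release:
    types: [published]

jobs:
  pypi-publish:
    runs-on: ubuntu-latest
    # Assumed environment name. PyPI's trusted-publisher entry for the
    # project has to list this repository, this workflow file and this
    # environment, otherwise the token exchange is refused.
    environment: pypi
    permissions:
      # Required: lets the job request a short-lived OIDC token from GitHub.
      id-token: write
      # Nothing else is needed for publishing; keep the rest read-only.
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build
      - name: Publish
        # No `password:` input and no TWINE_PASSWORD secret: the action
        # exchanges the job's GitHub OIDC token for a short-lived,
        # project-scoped PyPI token and discards it when the step ends.
        uses: pypa/gh-action-pypi-publish@release/v1
```

Two checks follow from this setup. First, the audit question in the opening comment becomes "is there still a `PYPI_API_TOKEN`-style secret in the repository or organization secrets?", and the answer should be no, since a leftover long-lived token is a second, unmonitored publishing path. Second, because anyone who can alter the workflow file or run it against the `pypi` environment can publish, the environment itself should carry protection rules (required reviewers, restriction to release tags or the default branch), and the publishing action is best pinned to a full commit SHA rather than a moving tag.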