Audit the PyPI API token in the CI/CD
webknjaz opened this issue · 4 comments
@asvetlov I noticed that this project is not managed by the bot account in the CI like others. Normally, I'd create a project-scoped token under https://pypi.org/user/aio-libs-bot/ for use in CI.
Could you confirm that:
- the token used is scoped to just one project on PyPI (frozenlist)
- the token belongs to a user without "Owner" privileges
- you don't want to switch it over to be aligned with the rest of packages
What's wrong if I use a project-scoped token generated from my personal account?
Permissions are restricted to upload only anyway, aren't they?
From my understanding, the aio-libs-bot user is not required anymore after switching to token-based upload and getting rid of user/password logins.
@webknjaz don't get me wrong please.
If you want to set up a token generated from https://pypi.org/user/aio-libs-bot/ -- please do.
I just don't want to spend my personal time on it and I think that the current token provides the same security level.
I was thinking along the lines of having all the tokens in one place/account so it wouldn't be necessary to guess whose token is in use and which accesses to revoke or where to regenerate it if necessary.