Skip to content

Mitigate the PyPI API token #7731

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
maresb opened this issue Mar 20, 2025 · 9 comments
Closed

Mitigate the PyPI API token #7731

maresb opened this issue Mar 20, 2025 · 9 comments

Comments

@maresb
Copy link
Contributor

maresb commented Mar 20, 2025
edited
Loading

Description

(See also pymc-devs/pytensor#1306)

Description

There's currently an API token for PyPI in the secrets that we're no longer using since we migrated to trusted publishing in #7622. (Project admins can see the token here, but I don't have access.)

While we could and should delete this token from this repo's secrets, it would be much better if we could deactivate the token first. (Otherwise there's a perpetual risk that the token unexpectedly exists somewhere and could still be compromised.)

As far as I can tell, the only way to figure out the provenance of a PyPI token is for an admin to examine the project's Security history page and look at the logs from before we enabled trusted publishing to see whose account controls the token. (I don't have access.)

CC @twiecki, @fonnesbeck, @michaelosthege
@michaelosthege
Copy link
Member

  • I created the token.
  • Last used 2024-12-05.
  • Removed the token in PyPI

In GitHub we have multiple candidates for deletion...

Image

@maresb
Copy link
Contributor Author

maresb commented Mar 20, 2025

I guess we should check the security history of all the following PyPI repositories:

https://pypi.org/project/pymc-nightly/
https://pypi.org/project/pymc3/
https://pypi.org/project/pymc/

Not sure what's up with the 4th one. 🤦‍♂

@maresb
Copy link
Contributor Author

maresb commented Mar 20, 2025
edited
Loading

PYPI_TOKEN: #3954 (@michaelosthege added PYPI_TOKEN)

@maresb
Copy link
Contributor Author

maresb commented Mar 20, 2025
edited
Loading

PYPI_TOKEN_PYMC: #5265 (PYPI_TOKEN was updated by @fonnesbeck to PYPI_TOKEN_PYMC after migrating from the pymc3 PyPI package to pymc)

@maresb
Copy link
Contributor Author

maresb commented Mar 22, 2025

PYPI_TOKEN_PYMC3: I don't see any search results for this one.

PYPI_TOKEN_PYMC_NIGHTLY: #5548 A deleted user created this one. @theorashid, do you know who this might be?

@theorashid
Copy link
Contributor

I checked my email for the PYPI_TOKEN_PYMC_NIGHTLY. It was @fonnesbeck. I don't know why it's coming up as deleted user ghost on the issue

@maresb
Copy link
Contributor Author

maresb commented May 19, 2025

@fonnesbeck, could you please log in to PyPI and revoke any tokens associated with your account? Everything should now be using trusted publishing, so any tokens you might still have are a security liability.

@fonnesbeck
Copy link
Member

All tokens removed.

@maresb
Copy link
Contributor Author

maresb commented May 19, 2025

Thanks @fonnesbeck!

@maresb maresb closed this as completed May 19, 2025
@maresb maresb mentioned this issue May 19, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@fonnesbeck @michaelosthege @maresb @theorashid