Mitigate the PyPI API token #1306
Comments
This was referenced Mar 20, 2025
This should conclude the issue. Let me know if there's anything else I should do :) |
|
Perfect, thanks so much @michaelosthege for the rapid and unambiguous response! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
There's currently an API token for PyPI in the secrets that we're no longer using since we migrated to trusted publishing in #1135. (Project admins can see the token here.)
While we could and should delete this token from this repo's secrets, it would be much better if we could deactivate the token first. (Otherwise there's a perpetual risk that the token unexpectedly exists somewhere and could still be compromised.)
As far as I can tell, the only way to figure out the provenance of a PyPI token is for an admin to examine the project's Security history page and look at the logs from before we enabled trusted publishing to see whose account controls the token. (I don't have access.)
CC @twiecki, @fonnesbeck, @michaelosthege
The text was updated successfully, but these errors were encountered: