Apply suggestions from code review

woodruffw · webknjaz · web-flow · commit 3f814840911d · 2023-03-15T16:48:19.000-04:00
Co-authored-by: Sviatoslav Sydorenko &lt;wk.cvs.github@sydorenko.org.ua&gt;
diff --git a/README.md b/README.md
@@ -61,11 +61,12 @@ PyPI, which is recommended to restrict the access the action has.
 The secret used in `${{ secrets.PYPI_API_TOKEN }}` needs to be created on the
 settings page of your project on GitHub. See [Creating & using secrets].
 
+
 ### Publishing with OpenID Connect
 
-**IMPORTANT**: This functionality is in beta, and will not work for you
-unless you're a member of the PyPI OIDC beta testers' group. For more
-information, see [warehouse#12965].
+> **IMPORTANT**: This functionality is in beta, and will not work for you
+> unless you're a member of the PyPI OIDC beta testers' group. For more
+> information, see [warehouse#12965].
 
 This action supports PyPI's [OpenID Connect publishing]
 implementation, which allows authentication to PyPI without a manually
@@ -99,6 +100,13 @@ Other indices that support OIDC publishing can also be used, like TestPyPI:
     repository-url: https://test.pypi.org/legacy/
 ```
 
+> **Pro tip**: only set the `id-token: write` permission in the job that does
+> publishing, not globally. Also, try to separate building from publishing
+> — this makes sure that any scripts maliciously injected into the build
+> or test environment won't be able to elevate privileges while flying under
+> the radar.
+
+
 ## Non-goals
 
 This GitHub Action [has nothing to do with _building package
diff --git a/oidc-exchange.py b/oidc-exchange.py
@@ -16,12 +16,14 @@
 
 This generally indicates a workflow configuration error, such as insufficient
 permissions. Make sure that your workflow has `id-token: write` configured
-at either the workflow or job level, e.g.:
+at the job level, e.g.:
 
 ```yaml
 permissions:
   id-token: write
 ```
+
+Learn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.
 """
 
 # Rendered if the package index refuses the given OIDC token.
@@ -97,7 +99,7 @@ def assert_successful_audience_call(resp: requests.Response, domain: str):
             )
 
 
-repository_url = get_normalized_input("repository-url") or "https://pypi.org/legacy/"
+repository_url = get_normalized_input("repository-url")
 repository_domain = urlparse(repository_url).netloc
 token_exchange_url = f"https://{repository_domain}/_/oidc/github/mint-token"
 
