EPISODE · Jun 9, 2026 · 59 MIN
Trusted Publishing
from vBrownBag · host vBrownBag
Join us as Mike Fiedler (AWS Hero, PyPI Safety & Security Engineer, Python Software Foundation) makes the case for eliminating long-lived credentials from your release workflow - before an attacker does it for you. Mike walks through the real-world incidents that motivated Trusted Publishing, how OIDC-based short-lived tokens work under the hood, and the step-by-step process for setting it up in GitHub Actions. You'll learn how the 2024 Ultralytics compromise was forensically investigated thanks to Sigstore attestations, why that API token in your repo is just a password with a fancy hat, common pitfalls that will have you debugging for four hours, and why deleting your old token after setup is the step everyone forgets. PyPI went from 10% Trusted Publishing adoption in February 2024 to 36% today - this episode is how you become part of that number. Timestamps 0:00 Welcome & Introduction 4:00 Mike's PyCon US World Tour Recap 8:00 The Scale of PyPI: 13B Requests/Day & 36% Adoption 12:09 Why Long-Lived Tokens Fail: Four Attack Models 16:47 Case Study: The 2024 Ultralytics Compromise 21:44 What is Trusted Publishing? OIDC Explained 27:04 How the GitHub Actions Flow Actually Works 34:12 Other Registries: npm, RubyGems, crates.io, NuGet 36:34 Common Pitfalls & Debugging Tips 42:29 Provenance & Sigstore Attestations 44:22 The Step Everyone Forgets: Delete Your Old Token 47:06 Migration Guide & Getting Started This Week How to find Mike: https://www.linkedin.com/in/miketheman/ https://www.python.org/psf-landing/ Links from the show:
What this episode covers
Join us as Mike Fiedler (AWS Hero, PyPI Safety & Security Engineer, Python Software Foundation) makes the case for eliminating long-lived credentials from your release workflow - before an attacker does it for you. Mike walks through the real-world incidents that motivated Trusted Publishing, how OIDC-based short-lived tokens work under the hood, and the step-by-step process for setting it up in GitHub Actions. You'll learn how the 2024 Ultralytics compromise was forensically investigated thanks to Sigstore attestations, why that API token in your repo is just a password with a fancy hat, common pitfalls that will have you debugging for four hours, and why deleting your old token after setup is the step everyone forgets. PyPI went from 10% Trusted Publishing adoption in February 2024 to 36% today - this episode is how you become part of that number. Timestamps 0:00 Welcome & Introduction 4:00 Mike's PyCon US World Tour Recap 8:00 The Scale of PyPI: 13B Requests/Day & 36% Adoption 12:09 Why Long-Lived Tokens Fail: Four Attack Models 16:47 Case Study: The 2024 Ultralytics Compromise 21:44 What is Trusted Publishing? OIDC Explained 27:04 How the GitHub Actions Flow Actually Works 34:12 Other Registries: npm, RubyGems, crates.io, NuGet 36:34 Common Pitfalls & Debugging Tips 42:29 Provenance & Sigstore Attestations 44:22 The Step Everyone Forgets: Delete Your Old Token 47:06 Migration Guide & Getting Started This Week How to find Mike: https://www.linkedin.com/in/miketheman/ https://www.python.org/psf-landing/ Links from the show:
NOW PLAYING
Trusted Publishing
No transcript for this episode yet
Similar Episodes
Mar 27, 2017