Trusted Publishing episode artwork

EPISODE · Jun 9, 2026 · 59 MIN

Trusted Publishing

from vBrownBag · host vBrownBag

Join us as Mike Fiedler (AWS Hero, PyPI Safety & Security Engineer, Python Software Foundation) makes the case for eliminating long-lived credentials from your release workflow - before an attacker does it for you. Mike walks through the real-world incidents that motivated Trusted Publishing, how OIDC-based short-lived tokens work under the hood, and the step-by-step process for setting it up in GitHub Actions. You'll learn how the 2024 Ultralytics compromise was forensically investigated thanks to Sigstore attestations, why that API token in your repo is just a password with a fancy hat, common pitfalls that will have you debugging for four hours, and why deleting your old token after setup is the step everyone forgets. PyPI went from 10% Trusted Publishing adoption in February 2024 to 36% today - this episode is how you become part of that number. Timestamps 0:00 Welcome & Introduction 4:00 Mike's PyCon US World Tour Recap 8:00 The Scale of PyPI: 13B Requests/Day & 36% Adoption 12:09 Why Long-Lived Tokens Fail: Four Attack Models 16:47 Case Study: The 2024 Ultralytics Compromise 21:44 What is Trusted Publishing? OIDC Explained 27:04 How the GitHub Actions Flow Actually Works 34:12 Other Registries: npm, RubyGems, crates.io, NuGet 36:34 Common Pitfalls & Debugging Tips 42:29 Provenance & Sigstore Attestations 44:22 The Step Everyone Forgets: Delete Your Old Token 47:06 Migration Guide & Getting Started This Week How to find Mike: https://www.linkedin.com/in/miketheman/ https://www.python.org/psf-landing/ Links from the show:

Episode metadata supplied by the publisher feed · Published Jun 9, 2026

Join us as Mike Fiedler (AWS Hero, PyPI Safety & Security Engineer, Python Software Foundation) makes the case for eliminating long-lived credentials from your release workflow - before an attacker does it for you. Mike walks through the real-world incidents that motivated Trusted Publishing, how OIDC-based short-lived tokens work under the hood, and the step-by-step process for setting it up in GitHub Actions. You'll learn how the 2024 Ultralytics compromise was forensically investigated thanks to Sigstore attestations, why that API token in your repo is just a password with a fancy hat, common pitfalls that will have you debugging for four hours, and why deleting your old token after setup is the step everyone forgets. PyPI went from 10% Trusted Publishing adoption in February 2024 to 36% today - this episode is how you become part of that number. Timestamps 0:00 Welcome & Introduction 4:00 Mike's PyCon US World Tour Recap 8:00 The Scale of PyPI: 13B Requests/Day & 36% Adoption 12:09 Why Long-Lived Tokens Fail: Four Attack Models 16:47 Case Study: The 2024 Ultralytics Compromise 21:44 What is Trusted Publishing? OIDC Explained 27:04 How the GitHub Actions Flow Actually Works 34:12 Other Registries: npm, RubyGems, crates.io, NuGet 36:34 Common Pitfalls & Debugging Tips 42:29 Provenance & Sigstore Attestations 44:22 The Step Everyone Forgets: Delete Your Old Token 47:06 Migration Guide & Getting Started This Week How to find Mike: https://www.linkedin.com/in/miketheman/ https://www.python.org/psf-landing/ Links from the show:

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Trusted Publishing

0:00 59:11

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Frequently Asked Questions

How long is this episode of vBrownBag?

This episode is 59 minutes long.

When was this vBrownBag episode published?

This episode was published on June 9, 2026.

What is this episode about?

Join us as Mike Fiedler (AWS Hero, PyPI Safety & Security Engineer, Python Software Foundation) makes the case for eliminating long-lived credentials from your release workflow - before an attacker does it for you. Mike walks through the real-world...

Can I download this vBrownBag episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!