PyPI Expands Trusted Publishing to GitLab Self-Managed as Adoption Passes 25 Percent
Blog post from Socket
PyPI's Trusted Publishing feature has been extended to GitLab Self-Managed instances. Trusted Publishing lets a CI job publish packages without a long-lived API token stored as a CI secret: the CI platform issues a short-lived OpenID Connect token for the job, and PyPI exchanges it for a short-lived upload token on the strength of a trust relationship configured on the project. The GitLab Self-Managed support is in beta and follows earlier support for GitHub Actions and GitLab.com; more than 45,000 projects have enabled Trusted Publishing since it launched in 2023. The update also adds organization-level ownership controls, meant to prevent ownership drift on projects with many maintainers.

Separately, the Python Software Foundation (PSF) recently declined a $1.5M U.S. National Science Foundation grant because its conditions conflicted with the PSF's DEI mission; the resulting show of community support raised over $160,000 in donations. The PSF describes itself as at a "critical inflection point" on PyPI's sustainability, with the index serving 2-3 billion requests a day, and is seeking multi-year infrastructure partnerships and optional paid features to fund continued work on software supply chain security.
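To make the token flow concrete, here is a `.gitlab-ci.yml` publish job for a self-managed GitLab instance that uses Trusted Publishing instead of a stored PyPI API token. This is an added example, not code from the Socket post or from PyPI; the stage and job names, the instance URL `https://gitlab.example.com`, the environment name `pypi`, and the assumption that a trusted publisher has already been registered on the PyPI project for that instance, namespace/project and CI file path are all assumptions. The `id_tokens` keyword, the `id` helper package (`python -m id PYPI`) and the `https://pypi.org/_/oidc/mint-token` exchange endpoint are real.

```yaml
# Added example (not from the post or from PyPI): publishing to PyPI from a
# self-managed GitLab instance with Trusted Publishing. Assumed: the trusted
# publisher on pypi.org is registered for https://gitlab.example.com,
# namespace/project "acme/widget", CI file path ".gitlab-ci.yml" and the
# optional environment "pypi".
stages:
  - build
  - release

build-job:
  stage: build
  image: python:3-bookworm
  script:
    - python -m pip install --upgrade build
    - python -m build          # writes sdist and wheel into dist/
  artifacts:
    paths:
      - dist/

publish-job:
  stage: release
  image: python:3-bookworm
  dependencies:
    - build-job
  rules:
    # Publish only from tags. The trust relationship binds the CI file path
    # and (if configured) the environment, so restrict this job to protected
    # refs rather than letting any branch pipeline mint an upload token.
    - if: $CI_COMMIT_TAG
  environment:
    name: pypi              # assumption: must match the trusted publisher if one is set there
  id_tokens:
    # GitLab mints a short-lived OIDC JWT with aud=pypi for this job and
    # exposes it as $PYPI_ID_TOKEN. No PyPI token lives in CI/CD variables.
    PYPI_ID_TOKEN:
      aud: pypi
  script:
    - python -m pip install --upgrade twine id
    # "id" finds the ambient OIDC credential (PYPI_ID_TOKEN) and prints the JWT
    - oidc_token=$(python -m id PYPI)
    # Exchange the OIDC token for a short-lived, project-scoped PyPI API token
    - resp=$(curl --fail --silent --show-error -X POST https://pypi.org/_/oidc/mint-token -d "{\"token\":\"${oidc_token}\"}")
    - api_token=$(printf '%s' "${resp}" | python -c 'import json,sys; print(json.load(sys.stdin)["token"])')
    # The minted token is used once, for this upload, and then expires
    - twine upload --non-interactive -u __token__ -p "${api_token}" dist/*
```

Two practical checks before relying on this: PyPI verifies the job's JWT against the issuing instance's OIDC signing keys, so a self-managed instance only works if its OIDC discovery and key endpoints are reachable from the public internet; and the claims in the token (namespace/project, CI file path, environment) must match the trusted publisher exactly, so a renamed project or a pipeline defined in a different file will be refused at the mint-token step rather than at upload.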