Secure your Python SDK publishing with PyPI trusted publishing
Blog post from Speakeasy
Publishing Python SDKs to PyPI has become more secure and less tedious with trusted publishing, which uses OpenID Connect (OIDC) to establish a trust relationship between PyPI and a GitHub Actions workflow. Instead of storing a long-lived PyPI API token as a repository secret, where it can leak through logs, forks or a compromised dependency and must be rotated by hand, the workflow requests a short-lived OIDC token from GitHub at publish time. PyPI verifies the token's claims (repository owner, repository name, workflow file and, optionally, the GitHub environment) against the publisher registered for the project and mints a short-lived upload token in exchange. Nothing reusable is stored, so there is nothing to rotate.

Speakeasy supports PyPI trusted publishing in two ways: an automatic setup driven by the Speakeasy CLI, which generates the required workflow changes for you, and a manual configuration for teams that want to control the workflow themselves. Either way, each publish is bound to a specific commit, workflow run and repository, which makes releases auditable from the PyPI side and removes stored credentials from the threat model.

Setting it up has two halves. On the GitHub side, the publishing job needs the `id-token: write` permission so it can request an OIDC token, and a dedicated `publish-pypi` job is added to the SDK's release workflow. On the PyPI side, the project's publishing settings must designate GitHub Actions as a trusted publisher by naming the repository owner, repository, workflow filename and (recommended) environment. Two practical caveats: PyPI matches the workflow filename exactly, so renaming the workflow file breaks publishing until the publisher entry is updated; and registering a GitHub environment on PyPI, with protection rules on that environment, is what prevents an arbitrary workflow in the same repository from publishing.

The move to trusted publishing simplifies the release workflow and aligns with the broader Python packaging ecosystem's shift away from long-lived credentials toward short-lived, identity-bound ones.