Description
We can use a GitHub Action workflow command to send warnings to users in their workflows to nudge users towards enabling Trusted Publishers instead of username/password and API tokens.
- We would show the warning only when users are using a username+password or API token instead of a trusted publisher.
- Since this GHA can be used to publish to any index, we should limit this warning message to appearing only for indices that we know support Trusted Publishers (i.e. PyPI and TestPyPI) and it should not show when using an unknown index.
How warnings appear in GitHub Actions
This warning message appears in the workflow execution and in the summary screen and can point users at the exact workflow file they need to modify in addition to linking out to documentation on how to use Trusted Publishers.
A hypothetical warning message:
Upgrade to Trusted Publishers
Trusted Publishers allows publishing packages to PyPI from GitHub Actions securely without managing credentials like passwords and API keys. Read more: https://docs.pypi.org/trusted-publishers
The warning shows up on the summary page for the GitHub Action execution:
The warning shows up inline in the logs as well:
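Added example for this issue, not code from gh-action-pypi-publish: a small Python module that implements the decision described above and builds the `::warning` workflow command. It emits the nudge only when a password/API token input is present (the assumption here being that an empty password input means Trusted Publishers is in use) and only for indices whose upload hostnames are known to support Trusted Publishers; the hostnames, the `INPUT_*` environment variable names and the helper names are this example's assumptions. The `file=` property is derived from `GITHUB_WORKFLOW_REF` so the annotation points at the workflow file the user needs to modify, and the message is escaped the way workflow commands require (`%`, newlines, and in properties `:` and `,`).

```python
"""Added example for this issue (not code from gh-action-pypi-publish):
build the ``::warning`` workflow command that nudges a workflow toward
Trusted Publishers, only when credentials are used against an index
known to support it.
"""
import os
from typing import List, Optional
from urllib.parse import urlsplit

# Upload hosts known to support Trusted Publishers (PyPI and TestPyPI).
# Which hostnames to match is this example's assumption.
TRUSTED_PUBLISHER_HOSTS = {"upload.pypi.org", "test.pypi.org"}
DOCS_URL = "https://docs.pypi.org/trusted-publishers"
WARNING_TITLE = "Upgrade to Trusted Publishers"
WARNING_BODY = (
    "Trusted Publishers allows publishing packages to PyPI from GitHub "
    "Actions securely without managing credentials like passwords and "
    "API keys.\nRead more: " + DOCS_URL
)


def _escape_data(text: str) -> str:
    """Workflow-command escaping for the message part of ::warning."""
    return text.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def _escape_property(text: str) -> str:
    """Property values (file=, title=) must additionally not contain ':' or ','."""
    return _escape_data(text).replace(":", "%3A").replace(",", "%2C")


def workflow_file_from_ref(workflow_ref: Optional[str]) -> Optional[str]:
    """Derive the in-repo workflow path from GITHUB_WORKFLOW_REF, which has
    the form owner/repo/.github/workflows/name.yml@refs/heads/branch."""
    if not workflow_ref:
        return None
    path = workflow_ref.split("@", 1)[0]
    parts = path.split("/", 2)  # owner, repo, path-within-repo
    if len(parts) < 3 or not parts[2].startswith(".github/workflows/"):
        return None
    return parts[2]


def index_supports_trusted_publishers(repository_url: str) -> bool:
    """True only for indices we know support Trusted Publishers."""
    host = (urlsplit(repository_url).hostname or "").lower()
    return host in TRUSTED_PUBLISHER_HOSTS


def trusted_publisher_nudge(repository_url: str, password: str,
                            workflow_file: Optional[str] = None) -> Optional[str]:
    """Return the ::warning command to print, or None when no nudge applies.

    Assumption: a non-empty password input means a username/password pair or
    an API token was supplied, i.e. Trusted Publishers is not in use.
    """
    if not password:
        return None  # nothing to nudge about
    if not index_supports_trusted_publishers(repository_url):
        return None  # unknown index: stay silent
    props: List[str] = []
    if workflow_file:
        props.append("file=" + _escape_property(workflow_file))
    props.append("title=" + _escape_property(WARNING_TITLE))
    return f"::warning {','.join(props)}::{_escape_data(WARNING_BODY)}"


if __name__ == "__main__":
    # The INPUT_* variable names are an assumption for this example; the
    # action would read its own inputs here. GITHUB_WORKFLOW_REF is set by
    # the runner.
    cmd = trusted_publisher_nudge(
        os.environ.get("INPUT_REPOSITORY_URL", "https://upload.pypi.org/legacy/"),
        os.environ.get("INPUT_PASSWORD", ""),
        workflow_file_from_ref(os.environ.get("GITHUB_WORKFLOW_REF")),
    )
    if cmd:
        print(cmd)  # printing the command line is what raises the annotation
```

Printing the returned line to stdout inside a job step is what makes the runner render it in the log and on the summary page; when `file=` is present the annotation is attached to that workflow file. Keeping the newline in the body encoded as `%0A` matters, since an unescaped newline would end the command early and the second line would appear as ordinary log output.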