Adopt PEP 740 digital attestations for Django releases

It seems a bit previous to open a ticket. That will only be closed pending a discussion here.

Q: is there a list of PyPI Trusted Publishers available anywhere? As far as I can see, is it only GitHub? It’s not clear to me that it’s actually possible to become a Trusted Publisher unless you’re a public CI host of some renown. It looks like these PyPI advances are tied to GitHub, which is a shame if so.

I would be sceptical about moving the release process to GitHub Actions. I understand the convenience if you’re using actions already, but it strikes me as less secure. (A breach via GitHub seems significantly more likely than capture of one of the small number of tokens on releaser machines, notwithstanding that the actual token used by the GHA to make the release is short lived.)

At the least we’d need an audit of permissions around the django/django repo. We have a very small number of known project managers on PyPI whereas the Django GitHub org has any number of members and teams, with not the cleanest permissions breakdown.

GH have also recently stopped taking contributions to their Actions components, citing a pending AI rewrite. We should see how it rolls out before tying ourselves to that particular mast. “AI” and “secure” not being often seen together currently.

As an aside, I think we should seriously be considering moving off of GitHub, not committing ourselves more. The hosting is fine. The free CI is fine. Everything else is increasingly problematic.

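For reference, the shape of the workflow being discussed, as an added example and not code from the post above or from the Django project: a GitHub Actions release job that publishes through a PyPI Trusted Publisher (OIDC, no long-lived PyPI token) and asks `pypa/gh-action-pypi-publish` to generate PEP 740 attestations. The workflow name, the `pypi` environment name, the artifact name and the `release` trigger are assumptions; the only real identifiers are the actions themselves and the `id-token: write` permission that OIDC requires. The permissions concern raised above is addressed here only as far as a workflow file can address it: the default token is stripped of all permissions, only the publish job gets `id-token: write`, and publishing is gated behind a GitHub environment so that who may approve a release is controlled on the environment, not by repo-wide write access.

```yaml
# Added example (hypothetical workflow, not Django's). Release via PyPI Trusted
# Publishing with PEP 740 attestations. Assumes a Trusted Publisher is
# registered on PyPI for this repo/workflow/environment triple.
name: release

on:
  release:
    types: [published]   # assumption: releases are cut from GitHub Releases

# Strip every permission from the default GITHUB_TOKEN; jobs opt back in.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read     # only what checkout needs
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave a token in .git/config
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install --upgrade build
      - run: python -m build          # produces dist/*.whl and dist/*.tar.gz
      - uses: actions/upload-artifact@v4
        with:
          name: dist                   # assumed artifact name
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Assumed environment name. Protect it in repo settings with required
    # reviewers so a small, named group approves each publish, independent of
    # how many people can push to the repo.
    environment: pypi
    permissions:
      id-token: write    # required to mint the short-lived OIDC token for PyPI
      # no contents: write, no packages: write; nothing else is needed here
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # Note for a real deployment: pin the action to a full commit SHA rather
      # than a moving tag, since this step is the one that holds the OIDC token.
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          attestations: true           # publish PEP 740 attestations with the files
```

Two points worth checking when reviewing a file like this: no other job in the repository should carry `id-token: write` unless it also needs to authenticate to an external service, and the `pull_request` or `workflow_dispatch` triggers should not be able to reach the `publish` job, since the Trusted Publisher on the PyPI side is bound to the workflow file name and environment, not to the event that started it.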