trusted-publishing
Safeguard articles tagged "trusted-publishing" — guides, analysis, and best practices for software supply chain and application security.
8 articles
How to publish a secure Python package: signing, SBOMs, and trusted publishing
PyPI enforced two-factor authentication for all users on January 1, 2024 — but 2FA alone doesn't stop a stolen API token. Here's the full secure-publishing stack.
npm Trusted Publishing walkthrough: retiring long-lived publish tokens
npm Trusted Publishing replaces long-lived publish tokens with short-lived OIDC-issued credentials tied to a specific CI workflow. Here is the 2026 rollout state, what the migration actually looks like, and where the rough edges still are.
NuGet's September 2025 Trusted Publishing Launch and the 2026 Signing Roadmap
NuGet became the fifth major registry to ship Trusted Publishing in September 2025, with .NET package signing and ID prefix reservation forming a complete trust-signal stack for the ecosystem.
Ruby Gems Security: Signing, Yanking and Trusted Publishing
Gem signing never took off, yanking is weaker than people assume, and trusted publishing finally fixes the credential problem. What to actually rely on in a Ruby pipeline.
PyPI Trusted Publishing Token Leaks in 2025
Trusted Publishing made PyPI safer, but leaked short-lived OIDC tokens in CI logs kicked off a credential-replay campaign that PyPI, GitHub, and Sonatype all tracked in 2025.
Trusted Publishing Across Every Major Registry: The 2026 State of OIDC-Backed Publishing
By end of 2025, Trusted Publishing landed on PyPI, RubyGems, npm, crates.io, and NuGet. PyPI alone crossed one million Trusted-Publisher uploads. Here is the defender view of the cross-ecosystem rollout.
PyPI Trusted Publishing Common Pitfalls
PyPI trusted publishing removed a whole class of token leaks, but teams keep tripping over the same half-dozen configuration mistakes. Here is what to watch for.
PyPI Trusted Publishing: An Adoption Guide
Trusted Publishing replaces long-lived PyPI tokens with OIDC-issued short-lived credentials. A practical guide to adoption, pitfalls, and what it changes for your threat model.