Additional authentication factor when packages are uploaded via GH Actions

[rht]

What's the problem this feature will solve?
Some projects automate the release to PyPI by GitHub Actions, e.g.

• using poetry publish: Poetry itself and projects that use this similar workflow.
• using twine upload: Black, etc
• using https://github.com/marketplace/actions/pypi-publish

But this means that these uploads bypass the 2FA requirement.

Describe the solution you'd like

Is it possible for PyPI to detect that the twine upload comes from a GitHub Actions process that is associated from the official GitHub repository of the project, and count this info as an extra authentication factor? I know not all projects host their code on GitHub, and even fewer of them publish from a GitHub Actions workflow, but this does cover a lot of the use cases.

[miketheman]

This is an ongoing project to add this kind of functionality using OpenID Connect (OIDC) with GitHub.
See https://github.com/pypi/warehouse/projects/4 for more.

cc @woodruffw for visibility

[rht]

I see, thank you! Is there a single meta issue that I can subscribe to, so that I can get notified once the project is completed?

[woodruffw]

Thanks for the ping @miketheman!

@rht: we don't have a meta-issue, but #10970 is the main feature issue for the work. Following that should give you most of the updates.