Problem is that you might want to have the tests run before even looking at it. I think the mistak...

LtWorf • yesterday at 10:16 PM • 1 reply • view on HN

Problem is that you might want to have the tests run before even looking at it.

I think the mistake was to put secrets in there and allow publishing directly from github's CI.

Hilariously the people at pypi advise to use trusted publishers (publishing on pypi from github rather than local upload) as a way to avoid this issue.

https://blog.pypi.org/posts/2025-11-26-pypi-and-shai-hulud/

Replies

mulmboy • today at 12:57 AM

It does largely avoid the issue if you configure to allow only specific environments AND you require reviews before pushing/merging to branches in that environment.

https://docs.pypi.org/trusted-publishers/adding-a-publisher/

For a malicious version to be published would then require full merge which is a fairly high bar.

AWS allows similar

➕ show 1 reply

alt Hacker News

Replies