Hacker News

woodruffw, yesterday at 8:34 PM

Which account is publishing the package, in a CI/CD context? It's not clear that any particular account is, since the set of people who can trigger a workflow in CI/CD aren't necessarily (and in fact aren't often) the same set of people who can create an API token on PyPI.


Replies

charcircuit, yesterday at 11:24 PM

The user that owns the API key or whoever it already associates what account is doing the publishing. It isn't a new problem.