
Adding badges / indicators for Trusted Publishers #13479

Open
rsokl opened this issue Apr 23, 2023 · 5 comments

Comments


rsokl commented Apr 23, 2023

Context: the new trusted publishers method rocks, you all rock, and I want as many prominent pypi projects to adopt this as possible.

What's the problem this feature will solve?

  • Improve discoverability of the Trusted Publishers method
  • Incentivize projects to migrate to Trusted Publishers
  • Make it easier for people doing OSS supply chain assessments to see, at a glance, that a project is using Trusted Publishers

Describe the solution you'd like
Now that hydra-zen is using trusted publishers, I want my little pypi badge to display some kind of shield, letting my users know about the enhanced security / advertising to other projects that this is a thing

(gimme a shield with, like, some fierce looking snake on it!)

It would also be nice if hydra-zen's pypi page featured some Trusted Publishers checkmark. Namely, when I am doing a supply chain review, it would be great to see if a project is utilizing this at a glance.

Additional context
Love this new capability! Awesome work!

rsokl added the labels "feature request" and "requires triaging" (maintainers need to do initial inspection of issue) on Apr 23, 2023

@webknjaz (Member)

I think that something similar was proposed by GitHub during the private beta. I think it was mostly concerning the PyPI side badges, not the embedded ones.

woodruffw added the label "trusted-publishing" and removed "requires triaging" (maintainers need to do initial inspection of issue) on Jun 3, 2023

tmr232 commented Aug 7, 2023

Would be nice to have something akin to Mastodon's "verified" checkmarks near the repo link.
That way I can tell at a glance "this is really the project published from that repo".

I guess flagging all other projects linking the same repo would also be nice...

@woodruffw (Member)

Triaging: this will happen with the completion of #15871 -- when a Trusted Publisher uploads an attestation alongside the normal package upload, we'll mark the project on PyPI's side with a little UI boondoggle.

(I'm not 100% how markdown badges are generated, though, or if PyPI even has any control over those...)

di (Member) commented Jul 3, 2024

> (I'm not 100% how markdown badges are generated, though, or if PyPI even has any control over those...)

We will likely not inject additional badges into a project description, since this is all user-supplied and we have no precedent for modifying it besides rendering it.

I think now that we have a "verified metadata" section, we can elevate the link to the source repository for projects that use trusted publishing for a release instead.

@woodruffw I don't think we need to wait for #15871 to do that though? We can verify the publisher was used without the attestation being present, and I wouldn't want to limit this only to projects that use trusted publishing AND publish attestations.

@woodruffw (Member)

> @woodruffw I don't think we need to wait for #15871 to do that though? We can verify the publisher was used without the attestation being present, and I wouldn't want to limit this only to projects that use trusted publishing AND publish attestations.

Yep -- this was based on an earlier misunderstanding of mine 🙂.

For others' visibility, the current WIP for this does not require #15781: #16205
