Comment by larusso

4 days ago

Trusted publishing is rather new, right? Awesome to see that they implemented it. Just saying that Maven Central required it already years ago.

Maven Central does not currently support OIDC-based authentication (commonly called "Trusted Publishing").

  • Didn’t know this term. After reading, I wonder why short-lived tokens get this moniker. But yeah, I prefer OIDC over token-based access as well. The only small downside I see is the setup needed for a custom OIDC provider. I don’t know the right terms off the top of my head, but we had quite the fun registering our internal Jenkins to create valid OIDC tokens for AWS. GitHub and GitHub Actions come with batteries included. I mean the downside that a huge vendor can easily provide this and a custom-rolled CI needs extra steps / infrastructure.