From 0811f991bd3b72bc79a131736a1966d9df922f60 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 24 Apr 2023 09:28:57 -0600 Subject: [PATCH] README: small doc tweaks Signed-off-by: William Woodruff --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 4876c94..302717e 100644 --- a/README.md +++ b/README.md @@ -31,8 +31,8 @@ tag, or a full Git commit SHA. > this is what they're referring to. This example jumps right into the current best practice. If you want to -go for less secure scoped PyPI API tokens, check out [how to specify -username and password]. +use API tokens directly or a less secure username and password, check out +[how to specify username and password]. This action supports PyPI's [trusted publishing] implementation, which allows authentication to PyPI without a manually @@ -230,9 +230,9 @@ In the past, when publishing to PyPI, the most secure way of the access scoping for automatic publishing was to use the [API tokens][PyPI API token] feature of PyPI. One would make it project-scoped and save as an environment-bound secret in their GitHub repository settings, naming it `${{ secrets.PYPI_API_TOKEN }}`, -for example. See [Creating & using secrets]. This is no longer encouraged when -publishing to PyPI or TestPyPI, in favor of [trusted publishing]. - +for example. See [Creating & using secrets]. While still secure, +[trusted publishing] is now encouraged over API tokens as a best practice +on supported platforms (like GitHub). ## License