Document additional Trusted Publishers (#15192)

* docs/user: empty sections for more publishers

Signed-off-by: William Woodruff <william@trailofbits.com>

* Fix headings

* Add provider TODOs to using-a-publisher.md

* Move images into provider-specific directories

* Update GitHub screenshots

* Fix asset links

* Update admonition to match

* Remove unnecessary quoting

* Google Trusted Publishing docs (#15195)

* Google Trusted Publishing docs

* Update docs/user/trusted-publishers/security-model.md

Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>

* Update docs/user/trusted-publishers/security-model.md

Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>

* Apply suggestions from code review

Co-authored-by: William Woodruff <william@yossarian.net>

* Apply suggestions from code review

---------

Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Co-authored-by: William Woodruff <william@yossarian.net>

* Add Google screenshots

* Fix provider-specific screenshots

* Add GitLab Trusted Publishing docs (#15283)

* Add GitLab Trusted Publishing docs

* Add screenshots to GitLab Trusted Publishing docs

* Fix instructions for GitLab CI with Trusted Publishing

* Add activestate OIDC docs (#15548)

* First draft of ActiveState Trusted Publishing docs

* Add ActiveState Security Model and Considerations

* Adding examples

* Add link to ActiveState hosted OIDC docs

* Add updated docs from Andrew

* MD tweaks and some images

* Add remaining screenshots and embbed them in MD

* Tweaking instructions for publishing

* Update warehouse/templates/manage/account/publishing.html

Co-authored-by: William Woodruff <william@yossarian.net>

* Review edit

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Review edits

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Review edits

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Review edits

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Review edits

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Translations

* Fix build script tokens, link to supported platforms

* Revise and reformat ActiveState using instructions

---------

Co-authored-by: Pete Garcin <peteg@activestate.com>
Co-authored-by: William Woodruff <william@yossarian.net>
Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Slugify tab anchors

* Add blogpost announcing more trusted publishers (#15656)

* Fix old byline

* Add blogpost announcing more trusted publishers

* Update docs/blog/posts/2024-04-20-expanding-trusted-publisher-support.md

Co-authored-by: Mike Fiedler <miketheman@gmail.com>

* Apply suggestions from code review

---------

Co-authored-by: Mike Fiedler <miketheman@gmail.com>

* Updating ActiveState publishing docs (#15739)

* Updating ActiveState publishing docs

* Update docs/user/trusted-publishers/using-a-publisher.md

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

---------

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update publish date

* Update line for consistency

* Update tabbed headings to not appear in ToC

* Wrap long lines

* Consistency fix

* Line break

* Strip out leading $

* Make note conform

* Translations

* Add border to images

* Update screenshot

* Dark mode CSS doesn't work as expected

* Add alt text

* Update publication date

* Fix ActiveState getting started Trusted Publisher links (#15801)

* Fix ActiveState getting started Trusted Publisher links

* REALLY fix ActiveState getting started Trusted Publisher links

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Co-authored-by: William Woodruff <william@yossarian.net>
Co-authored-by: Carey Hoffman <careyh@activestate.com>
Co-authored-by: Pete Garcin <peteg@activestate.com>
Co-authored-by: Mike Fiedler <miketheman@gmail.com>
Co-authored-by: Pete Garcin <14925581+rawktron@users.noreply.github.com>

docs/blog/posts/2023-04-20-introducing-trusted-publishers.md

@@ -112,8 +112,7 @@ providing valuable feedback to improve this feature along the way.
 
 ---
 
-_Dustin Ingram is a maintainer of the Python Package Index and a director of
-the Python Software Foundation._
+_Dustin Ingram is a maintainer of the Python Package Index._
 
 [^1]: Currently, information such as this are provided by the uploader and are not verified as accurate by PyPI.
 [OpenID Connect (OIDC)]: https://openid.net/connect/

docs/blog/posts/2024-04-17-expanding-trusted-publisher-support.md

@@ -0,0 +1,66 @@
+---
+title: Expanding Trusted Publisher Support
+description: Announcing additional Trusted Publishing providers
+authors:
+  - di
+date: 2024-04-17
+tags:
+  - publishing
+  - security
+  - oidc
+---
+
+Starting today, PyPI package maintainers can publish via Trusted Publishing
+from three additional providers:
+
+ * GitLab CI/CD
+ * Google Cloud
+ * ActiveState
+
+These providers join existing support for publishing from GitHub Actions without
+long-lived passwords or API tokens, which [we announced last year], and bring
+support for Trusted Publishing to even more hosted providers.
+
+<!-- more -->
+
+### About Trusted Publishing
+
+Trusted Publishing is our term for using the [OpenID Connect (OIDC)] standard
+to exchange short-lived identity tokens between a trusted third-party service
+and PyPI. This method can be used in automated environments and eliminates the
+need to use username/password combinations or long-lived, manually generated
+API tokens to authenticate with PyPI when publishing.
+
+Instead, maintainers can configure PyPI to trust an identity provided by a
+given OpenID Connect Identity Provider (IdP). This allows allows PyPI to verify
+and delegate trust to that identity, which is then authorized to request
+short-lived, tightly-scoped API tokens from PyPI. These API tokens never need
+to be stored or shared, rotate automatically by expiring quickly, and provide a
+verifiable link between a published package and its source.
+
+### Get started today
+
+To get started with using trusted publishers on PyPI, see our documentation
+here: <https://docs.pypi.org/trusted-publishers/>.
+
+### Acknowledgements
+
+Funding for work implementing Google Cloud and GitLab support was provided by
+the Google Open Source Security Team, and much of the development work was
+performed by [Trail of Bits], with special thanks to contributors [William
+Woodruff] and [Facundo Tuesca].
+
+ActiveState support was provided by ActiveState, with special thanks to
+contributors [Carey Hoffman] and [Pete Garcin].
+
+---
+
+_Dustin Ingram is a maintainer of the Python Package Index._
+
+[we announced last year]: 2023-04-20-introducing-trusted-publishers.md
+[William Woodruff]: https://github.com/woodruffw
+[Facundo Tuesca]: https://github.com/facutuesca
+[Carey Hoffman]: https://github.com/th3coop
+[Pete Garcin]: https://github.com/rawktron
+[OpenID Connect (OIDC)]: https://openid.net/connect/
+[Trail of Bits]: https://www.trailofbits.com/

docs/mkdocs-user-docs.yml

@@ -14,6 +14,7 @@ markdown_extensions:
   - pymdownx.superfences
   - pymdownx.tabbed:
       alternate_style: true
+      slugify: !!python/object/apply:pymdownx.slugs.slugify {kwds: {case: lower}}
   - tables
 theme:
   name: material

docs/user/stylesheets/extra.css

@@ -2,4 +2,12 @@
   --md-primary-fg-color: #0073b7;
 }
 
+.md-content img {
+  padding: 10px;
+  border-width: 1px;
+  border-style: solid;
+  border-color: black;
+  background: white;
+}
+
 readthedocs-flyout { display: none; }

docs/user/trusted-publishers/adding-a-publisher.md

@@ -9,11 +9,11 @@ Adding a trusted publisher to a PyPI project only requires a single setup step.
 On the ["Your projects" page](https://pypi.org/manage/projects/), click "Manage" on any project you'd like to
 configure:
 
-![](/assets/manage-link.png)
+![Image showing the 'Your Projects' page](/assets/trusted-publishing/manage-link.png)
 
 Then, click on "Publishing" in the project's sidebar:
 
-![](/assets/project-publishing-link.png)
+![Image showing the 'Publishing' link in the project sidebar](/assets/trusted-publishing/project-publishing-link.png)
 
 That link will take you to the publisher configuration page for the project,
 which will allow you to configure trusted publishers for the different
@@ -34,7 +34,7 @@ each.
     that uses a publishing workflow defined in `.github/workflows/release.yml`
     and a custom environment named `release`, then you'd do the following:
 
-    ![](/assets/project-publishing-form.png)
+    ![Image showing adding a new GitHub publisher](/assets/trusted-publishing/github/project-publishing-form.png)
 
     !!! note
 
@@ -43,15 +43,96 @@ each.
         your trusted workflow, such as requiring manual approval on each run
         by a trusted subset of repository maintainers.
 
+    Once you click "Add", your publisher will be registered and will appear
+    at the top of the page:
 
-Once you click "Add", your publisher will be registered and will appear
-at the top of the page:
+    ![Image showing a newly added GitHub publisher](/assets/trusted-publishing/github/project-publisher-registered.png)
 
-![](/assets/project-publisher-registered.png)
+    From this point onwards, the `release.yml` workflow on `octo-org/sampleproject` will
+    be able to generate short-lived API tokens from PyPI for the project you've registered
+    it against.
 
-From this point onwards, the `release.yml` workflow on `octo-org/sampleproject` will
-be able to generate short-lived API tokens from PyPI for the project you've registered
-it against.
+=== "Google Cloud"
+
+    For Google Cloud, you **must** provide the email address of the account or
+    service account used to publish. [You can learn more about Google Cloud
+    service accounts
+    here](https://cloud.google.com/iam/docs/service-account-overview).
+
+    For example, if you have created a service account named
+    "SERVICE_ACCOUNT_NAME" in the project "PROJECT_NAME" which is in use by
+    the environment where you would like to publish to PyPI from, your service
+    account email would take the form
+    `SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com`, and you would do
+    the following:
+
+    ![Image showing adding a new Google Cloud publisher](/assets/trusted-publishing/google/project-publishing-form.png)
+
+    !!! warning
+
+        Google Cloud also provides [default service
+        accounts](https://cloud.google.com/iam/docs/service-account-types#default)
+        for various products:
+
+          *  Compute Engine: `PROJECT_ID-compute@developer.gserviceaccount.com`
+          *  App Engine: `PROJECT_NAME@appspot.gserviceaccount.com`
+
+        However it is **not** recommended that these be used for publishing, as
+        they are provided by default to every service when they are created.
+
+    !!! note
+
+        Configuring the subject is optional. The subject is the numeric ID that
+        represents the principal making the request. While not required, providing the
+        subject further restricts the identity which is used for publishing, ensuring
+        that only a specific instance of a service account can publish, not any service
+        account with the configured email. See
+        <https://cloud.google.com/docs/authentication/token-types#id-contents>
+        for more details
+
+    Once you click "Add", your publisher will be registered and will appear
+    at the top of the page:
+
+    ![Image showing a newly added Google Cloud publisher](/assets/trusted-publishing/google/project-publisher-registered.png)
+
+=== "ActiveState"
+
+    For ActiveState, you must provide the name of the ActiveState project,
+    the ActiveState organization that project belongs to, and the ActiveState user performing
+    the publish action. Learn more about getting set up on the ActiveState Platform [here](https://docs.activestate.com/platform/start/pypi/).
+    ![Image showing adding a new ActiveState publisher](/assets/trusted-publishing/activestate/project-publishing-form.png)
+    Once you click "Add", your publisher will be registered and will appear at the top of the page:
+    ![Image showing a newly added ActiveState publisher](/assets/trusted-publishing/activestate/project-publisher-registered.png)
+
+=== "GitLab CI/CD"
+
+    For GitLab CI/CD, you **must** provide the repository's namespace, the
+    repository's name, and the filepath of the GitLab CI/CD workflow that's
+    authorized to upload to PyPI. In addition, you may **optionally**
+    provide the name of a
+    [GitLab CI/CD environment](https://docs.gitlab.com/ee/ci/environments/).
+
+    For example, if you have a project at `https://gitlab.com/namespace/sampleproject`
+    that uses a publishing workflow defined in `release.yml` and a custom
+    environment named `release`, then you'd do the following:
+
+    ![Image showing adding a new GitLab publisher](/assets/trusted-publishing/gitlab/project-publishing-form.png)
+
+    !!! note
+
+        Configuring an environment is optional, but **strongly** recommended:
+        with a GitLab environment, you can apply additional restrictions to
+        your trusted workflow, such as requiring manual approval on each run
+        by a trusted subset of repository maintainers.
+
+    Once you click "Add", your publisher will be registered and will appear
+    at the top of the page:
+
+    ![Image showing a newly added GitLab publisher](/assets/trusted-publishing/gitlab/project-publisher-registered.png)
+
+    From this point onwards, the `release.yml` workflow on `namespace/sampleproject`
+    will be able to generate short-lived API tokens from PyPI for the project you've
+    registered it against.
 
 A publisher can be registered against multiple PyPI projects (e.g. for a
 multi-project repository), and a single PyPI project can have multiple

docs/user/trusted-publishers/creating-a-project-through-oidc.md

@@ -18,7 +18,7 @@ The steps for configuring a "pending" publisher are similar to those for
 a normal publisher, except that the page is under your account sidebar
 instead of any project's sidebar (since the project doesn't exist yet):
 
-![](/assets/publishing-link.png)
+![Image showing the 'Publishing' link in the account sidebar](/assets/trusted-publishing/publishing-link.png)
 
 Clicking on "publishing" will bring you to a page with different potential
 trusted publishers. The forms on this page behave
@@ -32,17 +32,66 @@ provide the name of the PyPI project that will be created.
     `release.yml` and an environment named `release` that you would like to publish
     to PyPI as `sampleproject`, then you would do the following:
 
-    ![](/assets/pending-publisher-form-filled.png)
+    ![Image showing adding a new GitHub publisher](/assets/trusted-publishing/github/pending-publisher-form-filled.png)
 
     !!! note
 
         Like with "normal" trusted publishers, configuring a GitHub Actions
         environment is **optional but strongly recommended**.
 
+    Clicking "Add" will register the "pending" publisher, and show it to you:
+
+    ![Image showing a newly added GitHub publisher](/assets/trusted-publishing/github/pending-publisher-registered.png)
+
+=== "Google Cloud"
+
+    If you have a service account named
+    `SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com`, which is in use by
+    the environment where you would like to publish to PyPI from, then you would do
+    the following:
+
+    ![Image showing adding a new Google Cloud publisher](/assets/trusted-publishing/google/pending-publisher-form-filled.png)
+
+    !!! note
+
+        Like with "normal" trusted publishers, configuring the subject is optional.
+
+    Clicking "Add" will register the "pending" publisher, and show it to you:
+
+    ![Image showing a newly added Google Cloud publisher](/assets/trusted-publishing/google/pending-publisher-registered.png)
+
+=== "ActiveState"
+
+    Setting up ActiveState to create a PyPI project is the same as
+    updating a project. You need to provide the name of the ActiveState project,
+    the ActiveState organization that project belongs to, and the ActiveState user who will be performing
+    the publish action. Learn more about getting set up on the ActiveState Platform [here](https://docs.activestate.com/platform/start/pypi/).
+
+    ![Image showing adding a new ActiveState publisher](/assets/trusted-publishing/activestate/pending-publisher-form-filled.png)
+
+    Clicking "Add" will register the "pending" publisher, and show it to you:
+
+    ![Image showing a newly added ActiveState publisher](/assets/trusted-publishing/activestate/pending-publisher-registered.png)
+
+=== "GitLab CI/CD"
+
+     If you have a repository at
+    `https://gitlab.com/namespace/sampleproject` with a release workflow at
+    `release.yml` and an environment named `release` that you would like to publish
+    to PyPI as `sampleproject`, then you would do the following:
+
+    ![Image showing adding a new GitLab publisher](/assets/trusted-publishing/gitlab/pending-publisher-form-filled.png)
+
+    !!! note
+
+        Like with "normal" trusted publishers, configuring a GitLab CI/CD
+        environment is **optional but strongly recommended**.
+
+    Clicking "Add" will register the "pending" publisher, and show it to you:
+
+    ![Image showing a newly added GitLab publisher](/assets/trusted-publishing/gitlab/pending-publisher-registered.png)
 
-Clicking "Add" will register the "pending" publisher, and show it to you:
 
-![](/assets/pending-publisher-registered.png)
 
 From this point on, the "pending" publisher can be used exactly like a
 "normal" publisher, and after first use it will convert it into a "normal"