You shouldn't trust Trusted Publishing
Summary
Trusted Publishing is a machine-to-machine authentication mechanism used by PyPI and other package indices. It is not a signal of package safety or quality, and the article discusses its limitations and risks, particularly for CI/CD workflows and Open Source ecosystems.