Merge pull request ossf#44 from sethmlarson/trusted-publisher-nits

di · web-flow · commit 8ccb8a6973be · 2024-07-11T13:46:42.000-04:00
Add byline, link in README, fix ordering
diff --git a/README.md b/README.md
@@ -29,6 +29,8 @@ The working group may create:
 
 See also https://repos.openssf.org/
 
+* **[Trusted Publishers for All Package Repositories](https://repos.openssf.org/trusted-publishers-for-all-package-repositories)** - July 2024
+  > Guidance for package repositories in adopting Trusted Publishers to authenticate publishing from hosted build environments without using long-lived credentials.
 * **[Principles for Package Repository Security](https://repos.openssf.org/principles-for-package-repository-security)** - February 2024
   > A security maturity model for package repositories, for assessing current capabilities and roadmapping future improvements.
 * **[Build Provenance and Code-signing for Homebrew](https://repos.openssf.org/proposals/build-provenance-and-code-signing-for-homebrew)** - July 2023
diff --git a/docs/index.md b/docs/index.md
@@ -9,16 +9,15 @@ This is a list of materials (surveys, documents, proposals, and so on) released
 
 ## Documents
 
+* [Trusted Publishers for All Package Repositories](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) - July 2024
+  > Guidance for package repositories in adopting Trusted Publishers to authenticate publishing from hosted build environments without using long-lived credentials.
+
 * [Principles for Package Repository Security](https://repos.openssf.org/principles-for-package-repository-security) - February 2024
   > A security maturity model for package repositories, for assessing current capabilities and roadmapping future improvements.
 
 * [Build Provenance for All Package Registries](https://repos.openssf.org/build-provenance-for-all-package-registries) - July 2023
   > Guidance for package registries in adopting build provenance to verifiably link a package back to its source code and build instructions.
 
-* [Trusted Publishers for All Package Repositories](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) - July 2024
-  > Guidance for package repositories in adopting Trusted Publishers to authenticate publishing from hosted build environments without using long-lived credentials.
-
-
 ## Proposals
 
 * [Build Provenance and Code-signing for Homebrew](https://repos.openssf.org/proposals/build-provenance-and-code-signing-for-homebrew) - July 2023
diff --git a/docs/trusted-publishers-for-all-package-repositories.md b/docs/trusted-publishers-for-all-package-repositories.md
@@ -1,5 +1,9 @@
 # Trusted Publishers for All Package Repositories
 
+Authors: [Seth Michael Larson (Python Software Foundation)](https://github.com/sethmlarson)
+
+Last updated: July 2024
+
 Trusted Publishers is a new authentication method that builds on the existing OpenID Connect standard (OIDC) for user infrastructure publishing to public package repositories (e.g. CI publishing to PyPI, as opposed to maintainers publishing from their system or Homebrew's centralized builds). Authentication is performed by exchanging OIDC identity tokens for short-lived and tightly scoped API tokens for authenticating with package repository publishing APIs. Using short-lived API tokens removes the need to share long-lived and potentially highly privileged API tokens with external systems when publishing software.
 
 ## Why Trusted Publishers?
