Just so I am aware of all the options, is there any way to publish package source code to PyPI without twine? Something like python setup.py bdist and then uploading that distribution manually or via CI?
Twine maintainer here, chiming in to say that while it does essentially wrap a POST request, Twine also reads the package metadata from the distribution, and formats it correctly for the POST. It also supports signing the uploaded files with GPG.
If you want to reliably prevent all PyPI uploads from individual or all machines on your network, regardless of mechanism, couldn’t you just block all requests to upload.pypi.org in your corporate firewall (or HOSTS file, etc)?
IMO, a network-level block is the right solution in your case, along with the use of whatever relevant corporate policy mechanisms you want to employ to incentivise not publishing your private code publicly. What you can do is make it difficult to do the wrong thing with a network-level block and the other mechanisms described in that thread, and use the other social/organisational tools to disincentivise behaviours you don’t want.
At the end of the day, you can set up a basic roadblock that avoids doing the wrong thing by mistake, but you can’t really do much to prevent a malicious actor/motivated-to-solve-their-specific-problem-with-workarounds employee who has access to your source code from doing whatever they want with it.
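As an added example (not code from twine or from any poster in this thread): the maintainer's reply notes that twine reads the distribution's metadata before it builds the POST, and later replies describe a roadblock that stops the wrong package going out by mistake. The script below reads a wheel's `*.dist-info/METADATA` the same way and refuses to proceed when the name carries an internal prefix (`INTERNAL_PREFIXES` is an assumed, site-specific list) or when the metadata contains a `Private ::` classifier, which PyPI itself rejects server-side. The wheel is constructed in memory so the example runs offline.

```python
# Added example: inspect a built wheel's core metadata before upload, the way an
# upload tool does, and act as a local roadblock against publishing private code
# by mistake. Not twine's code; the wheel below is constructed inline.
import io
import zipfile
from email.parser import HeaderParser

# Internal name prefixes that must never reach the public index.
# Assumption for this example; a real deployment would keep this in config.
INTERNAL_PREFIXES = ("acme-internal-", "acme_internal_")

# PyPI refuses distributions carrying a classifier that starts with "Private ::",
# so declaring one in the package metadata is a second, server-side safety net.
PRIVATE_CLASSIFIER_PREFIX = "Private ::"


def build_sample_wheel(name, version, classifiers):
    """Construct a minimal wheel in memory (constructed sample, not a real build)."""
    buf = io.BytesIO()
    dist_info = f"{name.replace('-', '_')}-{version}.dist-info"
    lines = [
        "Metadata-Version: 2.1",
        f"Name: {name}",
        f"Version: {version}",
    ] + [f"Classifier: {c}" for c in classifiers]
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{dist_info}/METADATA", "\n".join(lines) + "\n")
        zf.writestr(f"{dist_info}/WHEEL", "Wheel-Version: 1.0\n")
    return buf.getvalue()


def read_wheel_metadata(wheel_bytes):
    """Return the core metadata headers from the wheel's *.dist-info/METADATA."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        meta_names = [n for n in zf.namelist() if n.endswith(".dist-info/METADATA")]
        if len(meta_names) != 1:
            raise ValueError("wheel must contain exactly one METADATA file")
        text = zf.read(meta_names[0]).decode("utf-8")
    # Core metadata uses RFC 822 style headers; repeated fields such as
    # Classifier are preserved and retrievable with get_all().
    return HeaderParser().parsestr(text)


def upload_allowed(wheel_bytes):
    """Decide whether this distribution may be sent to the public index.

    Returns (allowed, reason). Refuses on an internal name prefix or on a
    "Private ::" classifier, mirroring the check PyPI applies server-side.
    """
    meta = read_wheel_metadata(wheel_bytes)
    name = meta.get("Name", "")
    if name.lower().startswith(INTERNAL_PREFIXES):
        return False, f"{name} is an internal package"
    for classifier in meta.get_all("Classifier", []):
        if classifier.startswith(PRIVATE_CLASSIFIER_PREFIX):
            return False, f"{name} carries classifier {classifier!r}"
    return True, f"{name} {meta.get('Version')} may be uploaded"


if __name__ == "__main__":
    public = build_sample_wheel(
        "example-pkg", "1.0.0", ["License :: OSI Approved :: MIT License"]
    )
    private = build_sample_wheel(
        "acme-internal-billing", "2.3.1", ["Private :: Do Not Upload"]
    )
    for wheel in (public, private):
        print(upload_allowed(wheel))
```

Run as a pre-upload step in CI (before any `twine upload` or hand-rolled POST); it is a convenience check against mistakes and complements, rather than replaces, the network-level block on upload.pypi.org discussed above.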