Hypothesis also has a weekly automated PR, and “auto-merge if CI passes” is an obvious extension. I’d highly recommend both auto-releases and auto-weekly-maintenance to anyone, they’re lovely workflows.
Personally I’d like to keep using long-lived and non-interactive tokens, but would be happy to adopt other restrictions like “only allowed to publish new package versions with a later version number” to exclude attacks which add new wheels, or `.post1` versions, or `1.9999` to get anyone who has pinned to `pkg < 2`.
More broadly, it sounds like we have a couple of good ideas that are largely blocked on (funding for) implementation in Warehouse. In particular, I don’t see much point discussing whether we should require MFA when projects can’t yet opt-in to enforcement!
I do strongly support blocking uploads from passwords or user-scope tokens, especially but not only for users with MFA enabled. Valuable even as an opt-in.
@pradyunsg - can I suggest adding MFA-and-token-related enhancements to the fundables page? They do seem to meet the criteria, and e.g. the OpenSSF might be interested.
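The “only a later version number” restriction proposed above, as an added illustration (not the poster’s code and not Warehouse’s implementation): a candidate upload is accepted only if it sorts strictly after every already-published version, so a new wheel for an existing release, a `.post1` of an old release, and a backfilled `1.9999` are all refused. The version parser is a deliberately small PEP 440 subset (release segment plus optional `.postN`) assumed for the example; a real check would use `packaging.version`.

```python
"""Monotonic-version upload policy (added illustration, not PyPI/Warehouse code)."""
import re
from typing import Iterable, Optional, Tuple

# Assumption: a minimal PEP 440 subset is enough to show the policy.
# Matches "1.9", "2.0.1", "1.9.post1"; anything else is rejected outright.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.post(\d+))?$")

ParsedVersion = Tuple[Tuple[int, ...], int]


def parse_version(text: str) -> ParsedVersion:
    """Return (release_tuple, post_number); post is -1 when absent."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    # Normalise trailing zeros so that "2.0" and "2" compare equal.
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    post = int(m.group(2)) if m.group(2) is not None else -1
    return release, post


def is_upload_allowed(existing: Iterable[str], candidate: str) -> Tuple[bool, str]:
    """Allow the candidate only if it is strictly newer than every published version."""
    cand = parse_version(candidate)
    latest: Optional[ParsedVersion] = None
    latest_text: Optional[str] = None
    for published in existing:
        parsed = parse_version(published)
        if latest is None or parsed > latest:
            latest, latest_text = parsed, published
    if latest is None:
        return True, f"{candidate}: first release of the project"
    if cand > latest:
        return True, f"{candidate} is newer than latest {latest_text}"
    return False, f"{candidate} is not newer than latest {latest_text}"


if __name__ == "__main__":
    # Constructed sample: a project whose published releases are 1.8, 1.9 and 2.0.
    published_versions = ["1.8", "1.9", "2.0"]
    for attempt in ["2.1", "2.0", "1.9.post1", "1.9999"]:
        allowed, reason = is_upload_allowed(published_versions, attempt)
        print("ALLOW" if allowed else "REJECT", reason)
```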