Trusted publishing without access tokens

[rkaminsk]

Npm and pypi support trusted publishing (and probably cargo as well), which is easier to setup and safer than access tokens. I experimented a bit and this does not seem to work with reusable workflows. Is support for this on your agenda?

[ObserverOfTime]

We've been looking into it.

[rkaminsk]

With classic tokens to stop working soon, this becomes more of an issue: https://github.com/orgs/community/discussions/178140. At least for npm.