Astral told you how they secure uv. Here's what to keep.
Astral published a detailed writeup of how they secure the org that ships uv, Ruff, and ty. It’s a good post. It’s also, for most readers, the wrong post.
Most of what Astral describes is team-scale GitHub hygiene: org-wide branch protection rulesets, workflow audits with zizmor, action pinning with pinact, isolated GitHub Apps for privileged operations. If you run a project with outside contributors, read the whole thing. If you’re one person shipping a Python package, a lot of it is overkill for the threat model you actually face.
Four practices translate cleanly. They’re the ones worth copying.
1. Turn on Trusted Publishing
The single highest-leverage change. A long-lived PyPI API token stored in GitHub Secrets is the exact credential a supply-chain attacker wants: steal it once, publish malware forever. Trusted Publishing replaces that token with a short-lived OIDC exchange scoped to a specific workflow in a specific repository. There is nothing to steal because there is nothing stored.
It takes about two minutes to configure on a new project and about fifteen on an existing one. Walk through it in how to publish to PyPI with Trusted Publishing, and if you want the rationale first, why use Trusted Publishing for PyPI covers the threat model.
2. Attach attestations to your releases
Once Trusted Publishing is on, PEP 740 digital attestations are almost free. They’re a signed statement from PyPI that ties your wheel to the specific GitHub Actions workflow run that built it. A reader of your package can verify that the artifact on PyPI came from the repository and commit you claim it did, without trusting PyPI or GitHub independently.
Astral’s post spends real ink on Sigstore attestations because they bind artifacts to workflows in a way nothing else does. You get the same guarantee on your own releases by adding one line to your publish workflow. See how to publish Python packages with digital attestations.
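Here is what sections 1 and 2 look like together in a single GitHub Actions workflow. This is an added example, not a workflow from Astral's post or from the uv repository; it assumes the project builds with `uv build`, that a Trusted Publisher is registered on PyPI for this repository, this workflow file name and a GitHub environment called `pypi`, and that the action versions shown are current for your repo.

```yaml
# .github/workflows/publish.yml (example; names and versions are assumptions)
name: Publish to PyPI

on:
  release:
    types: [published]

# Least privilege by default: no job gets more than read access to the repo.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
      - run: uv build                    # produces dist/*.whl and dist/*.tar.gz
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Must match the environment named in the PyPI Trusted Publisher config;
    # the environment is also where you would add required reviewers later.
    environment: pypi
    permissions:
      # Only this job may mint the OIDC token that PyPI exchanges for a
      # short-lived upload credential. No PyPI token lives in Secrets.
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # The "one line": sign PEP 740 attestations tying each file in
          # dist/ to this workflow run, and upload them alongside the files.
          attestations: true
```

Note that the publish step has no `password:` input; if you see one that reads a `PYPI_API_TOKEN` secret, that is the long-lived credential Trusted Publishing is meant to remove.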
3. Turn on Ruff’s security rules
Astral’s writeup dwells on infrastructure, but it opens with a reminder that secure-by-default tooling catches real bugs in application code. Ruff’s S rules are a port of Bandit’s security checks: hardcoded passwords, unsafe yaml.load, shell=True in subprocess calls, weak hash functions, tempfile races. They cost you one line in pyproject.toml and they run on every save if you’ve wired Ruff into your editor.
This is the smallest action on the list and the one with the fastest feedback loop. How to enable Ruff’s security rules shows the config.
4. Scan your dependencies, then pin them
The last practice is really two: know what’s in your dependency tree, and make sure what you install matches what you audited.
Scanning tells you which of your transitive dependencies have known CVEs. Hash pinning makes sure the wheel pip or uv downloads tomorrow is bit-for-bit the same one you scanned today. Neither is useful alone. Together they close the window where a compromised upstream can ship a malicious version into your next uv sync.
Start with how to scan Python dependencies for vulnerabilities and how to pin dependencies with hashes in uv. For the broader picture of what uv does and doesn’t protect you from, how to protect against Python supply-chain attacks with uv is the deeper read.
What you’re skipping, and why it’s fine
The rest of Astral’s post is about running a multi-person organization: forbidding pull_request_target, pinning every third-party action to a commit hash, requiring two-person approval on release environments, isolating privileged bot operations into separate GitHub Apps. Those controls exist because Astral has contributors, maintainers, and bots all touching the same repositories, and any one of those surfaces could be the foothold for an attack on uv itself.
A solo maintainer shipping a package to PyPI has a smaller attack surface and a different threat model. The four actions above cover it. The rest of Astral’s checklist is what you grow into once you have a team, not a prerequisite to publishing a secure package today.
Read Astral’s post for the full picture of what a serious Python toolchain vendor does. Then go turn on Trusted Publishing.