Mitigate the PyPI API token

[maresb]

Description

(See also pymc-devs/pytensor#1306)

Description

There's currently an API token for PyPI in the secrets that we're no longer using since we migrated to trusted publishing in #7622. (Project admins can see the token here, but I don't have access.)

While we could and should delete this token from this repo's secrets, it would be much better if we could deactivate the token first. (Otherwise there's a perpetual risk that the token unexpectedly exists somewhere and could still be compromised.)

As far as I can tell, the only way to figure out the provenance of a PyPI token is for an admin to examine the project's Security history page and look at the logs from before we enabled trusted publishing to see whose account controls the token. (I don't have access.)

CC @twiecki, @fonnesbeck, @michaelosthege

[michaelosthege]

• I created the token.
• Last used 2024-12-05.
• Removed the token in PyPI

In GitHub we have multiple candidates for deletion...

[maresb]

I guess we should check the security history of all the following PyPI repositories:

https://pypi.org/project/pymc-nightly/
https://pypi.org/project/pymc3/
https://pypi.org/project/pymc/

Not sure what's up with the 4th one. 🤦‍♂

[maresb]

PYPI_TOKEN: #3954 (@michaelosthege added PYPI_TOKEN)

[maresb]

PYPI_TOKEN_PYMC: #5265 (PYPI_TOKEN was updated by @fonnesbeck to PYPI_TOKEN_PYMC after migrating from the pymc3 PyPI package to pymc)

[maresb]

PYPI_TOKEN_PYMC3: I don't see any search results for this one.

PYPI_TOKEN_PYMC_NIGHTLY: #5548 A deleted user created this one. @theorashid, do you know who this might be?

[theorashid]

I checked my email for the PYPI_TOKEN_PYMC_NIGHTLY. It was @fonnesbeck. I don't know why it's coming up as deleted user ghost on the issue