ENH: Ensure PyPI marks URLs as "verified"

[MartinThoma]

Currently, pypdf on pypi looks like this:

I would like the project URLs to be marked by PyPI as "verified"

https://docs.pypi.org/project_metadata/ indicates that just a backlink is necessary. We have that, but just indirectly via https://badge.fury.io/py/pypdf. Instead, we should link directly to PyPI

[MartinThoma]

Hm. The version badge does directly link to https://pypi.org/project/pypdf/

[MartinThoma]

Let's see if somebody else has an idea: pypi/warehouse#16836

[stefan6419846]

I do not get the same results from the linked docs as you: If one of the listed URLs points to PyPI, they are automatically verified. For GitHub URLs, we would have to switch from the current token-based approach to trusted publishing. This matches the conclusions from the linked issue as well.

[MartinThoma]

I've now

Added publish-to-pypi.yaml in https://github.com/py-pdf/pypdf to pypdf

I haven't done this before. I guess we will see with the next release if it was done correctly :-)

[stefan6419846]

AFAIK this is not sufficient, as we still use a token-based PyPI upload.

[stefan6419846]

The changes where not sufficient as the latest release still does not show the values as verified.

To fix this, we would have to migrate the flit-based upload to real trusted publishing as I am using in my private projects for example: https://github.com/stefan6419846/license_tools/blob/main/.github/workflows/release.yml I am open to preparing the GitHub part, but this needs some configuration on PyPI as well and thus we will have to wait for Martin anyway.