Add documentation on removing human user from pypi

PyPI is safest when we leave the robots to release things; document this in the guide. Change-Id: I6e77c6a44e62caea4e63b01f9baf60b48a80a2d7
2023-02-07 13:34:44 -08:00 · 2023-02-07 13:34:44 -08:00 · da2d9bd83a
commit da2d9bd83a
parent 5e063d7f1d
2 changed files with 27 additions and 0 deletions
--- a/doc/source/creators.rst
+++ b/doc/source/creators.rst
@ -121,6 +121,33 @@ and add "openstackci" in the "User Name" field, set the role to
   :height: 476
   :width: 800

+Give OpenDev Exclusive Permission to Publish Releases
+=====================================================
+
+In some cases, such as OpenStack governed projects, maintainers may want to
+give exclusive access to the package to the "openstackci" user. This ensures
+releases are always created by automation and not by humans.
+
+Update the roles for your project so the "openstackci" user has "Owner"
+permissions. Visit
+``https://pypi.org/manage/project/<projectname>/collaboration/``
+and add "openstackci" in the "User Name" field, set the role to
+"Owner", and click "Add Role".
+
+.. image:: images/pypi-role-maintenance.png
+   :height: 476
+   :width: 800
+
+After ensuring the "openstackci" user has owner access, you should also
+consider removing any remaining users, including your own, from the project.
+This will prevent accidental releases from being made and prevents compromise
+of the project if a your user account is compromised. You do this by clicking
+the remove button beside your username in the list.
+
+.. image:: images/pypi-role-remove.png
+   :height: 476
+   :width: 800
+
 Adding the Project to the CI System
 ===================================

--- a/doc/source/images/pypi-role-remove.png
+++ b/doc/source/images/pypi-role-remove.png