The announcement notes authentication and publishing options will be changed to include local publishing with required 2FA, granular tokens with a seven-day expiration date, and Trusted Publishing.
Furthermore, GitHub announced it would deprecate legacy classic tokens, as well as time-based one-time password (TOTP) 2FA, forcing users to migrate to FIDO-based 2FA. It will also limit granular tokens with publishing permissions to a shorter expiration, and set publishing access to disallow tokens by default (this should make users go for trusted publishers or 2FA enforced local publishing).
The option to bypass 2FA for local package publishing will be removed, while the list of eligible providers for trusted publishing will be expanded.
2 Likes