Improving the security of typing-extensions #393

@JelleZijlstra

typing-extensions is among the most widely used Python packages, and we should make sure we keep it secure.

I'd like to propose improvements in a few areas:

Better release process

The current release process involves the release manager (in practice, me) building an sdist and wheel on their laptop and uploading it to PyPI. This opens up a few possible issues: the release manager's laptop could be compromised; they could make a mistake in what files to upload; they could sneakily manipulate the contents of the files before they are uploaded.

We should instead use https://docs.pypi.org/trusted-publishers/ to publish directly from a GitHub Action to PyPI. This removes the release manager's machine from the loop and ensures the release matches what is in the repo. (Recall that the recent xz backdoor involved a tarball with contents different from the repo.)

Manage who has access

To reduce the risk of account compromise, we should limit access to the repo. I would like to propose:

  • Remove commit (and PyPI maintainer) access from those who have not used it recently
  • Ensure that every permission level (e.g., admin) has at least two people in it, so we don't rely on a single person who might disappear or lose interest

Ensure code is reviewed

We should ensure all code in the repo is reviewed. I would like to propose:

  • Require reviews for all pull requests
  • Require pull requests for all changes (since PRs have more visibility than direct commits to the repo)

Keep the repo simple

The less surface area, the less the chance of issues. We should commit to:

  • Never add any non-stdlib dependencies to this repo
  • Never add any non-Python code (e.g., C extensions)

I am happy to implement all of these if other maintainers agree.
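
The "release matches what is in the repo" property from the release-process section can also be checked after the fact. The following is an added example, not part of the original issue and not the project's own code: it hashes every file in an sdist and reports anything absent from, or different from, a clean checkout of the release tag. The function names, the `pkg-1.0` archive prefix and the sample files are hypothetical and constructed for the demo.

```python
import hashlib, io, tarfile, tempfile
from pathlib import Path

GENERATED = {"PKG-INFO"}  # written by the build backend, never in the repo

def tree_hashes(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every file under a checkout."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def sdist_hashes(sdist: tarfile.TarFile) -> dict:
    """Same mapping for an sdist, top-level '<name>-<version>/' stripped."""
    out = {}
    for m in sdist.getmembers():
        if m.isfile():
            rel = m.name.split("/", 1)[1]
            out[rel] = hashlib.sha256(sdist.extractfile(m).read()).hexdigest()
    return out

def compare(repo: dict, dist: dict) -> dict:
    """Report sdist files that are absent from, or differ from, the checkout."""
    dist = {k: v for k, v in dist.items() if k not in GENERATED}
    return {"extra": sorted(k for k in dist if k not in repo),
            "modified": sorted(k for k in dist if k in repo and dist[k] != repo[k])}

def demo() -> dict:
    """Constructed checkout and constructed sdist; all names are hypothetical."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "typing_extensions.py").write_bytes(b"x = 1\n")
        (root / "pyproject.toml").write_bytes(b"[project]\n")
        repo = tree_hashes(root)
    files = {"pyproject.toml": b"[project]\n", "PKG-INFO": b"Name: pkg\n",
             "src/typing_extensions.py": b"x = 2\n",  # differs from checkout
             "extra.py": b"pass\n"}                   # not in checkout at all
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"pkg-1.0/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:gz") as tar:
        return compare(repo, sdist_hashes(tar))

if __name__ == "__main__":
    print(demo())
```

Any non-empty `extra` or `modified` list is a file that shipped to users without passing through repository review.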
