From f6086af9082396f0c9d1326b481fd96fc4bf883d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= Date: Fri, 15 Jul 2022 08:41:53 +0200 Subject: Document package publishing with 2FA + API keys This project has been marked as "critical" on the Python Package Index, which has some implications on the way new versions should be published. --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 02761da..542926f 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,18 @@ poetry install ## Publishing a New Release +Since this project is considered critical on the Python Package Index, +two-factor authentication is required. For uploading packages to PyPi, an API +key is required; username+password will not work. + +First, generate an API token at https://pypi.org/manage/account/token/. Then, +use this token when publishing instead of your username and password. + +As username, use `__token__`. +As password, use the token itself, including the `pypi-` prefix. + +See https://pypi.org/help/#apitoken for help using API tokens to publish. + ``` . ./.venv/bin/activate poetry publish --build -- cgit v1.2.1
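
Review bot: the added text under "Publishing a New Release" names the same credential two ways, "API key" in the first paragraph and "API token" in the second paragraph and the help link, and writes "PyPi" for the index. Use "API token" and "PyPI" throughout so a reader does not go looking for two different secrets. The paragraph also gives no token scope. Since the requirement comes from the project's "critical" status, say that the token should be scoped to this project rather than the whole account. Last, the `__token__` username and `pypi-` prefixed password lines are not connected to the `poetry publish --build` step in the context lines that follow. State where in that step the two values are supplied, and that the token must not be committed to the repository.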