For pure Python projects it doesn't matter which OS the deploying runner uses, because the build produces a universal (pure-Python) wheel. If OS-specific binaries have to be included, there will need to be a separate deploy step for each of Windows/Mac/Linux.
The values of the GitLab variables aren't visible to 'normal' users, only to Admins and Repository Maintainers, but by default any user can reference the variable from a CI script.
For extra security, in scikit-surgeryimage they are set as 'Protected Variables', which means they can only be accessed from Protected Branches (i.e. master) or Protected Tags. I also set it so that only Admins/Maintainers can create tagged releases or merge to master, which should prevent the unlikely scenario of someone abusing the credentials.
Manually pushing a package to PyPI
Create a ~/.pypirc file specifying the distribution servers and login information.
However, in the case of scikit-surgery, installing from the test server actually fails: the installation process tries to satisfy the dependencies listed in setup.py by looking for a suitable version on the testpypi index rather than on the 'proper' PyPI index, and cannot find one for numpy. As such, I don't see much benefit in pushing to the test server first, but it could be useful in some situations.
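As an added example (not a file from the scikit-surgery project), a ~/.pypirc that defines both the test and production servers described above; the token values are placeholders, and API tokens rather than an account password are assumed:

```ini
# ~/.pypirc: distribution servers for manual uploads.
# Keep this file readable only by your own user (chmod 600 ~/.pypirc),
# since it holds upload credentials in plain text.

[distutils]
index-servers =
    pypi
    testpypi

# Production index. A project-scoped API token is used instead of the
# account password, so a leaked token can only upload to this project
# and can be revoked without changing the account login.
[pypi]
repository = https://upload.pypi.org/legacy/
username = __token__
# placeholder: replace with a token generated on pypi.org
password = pypi-REPLACE-WITH-PYPI-API-TOKEN

# Test index. Tokens are per-site, so this is a separate token
# generated on test.pypi.org, not the production one.
[testpypi]
repository = https://test.pypi.org/legacy/
username = __token__
# placeholder: replace with a token generated on test.pypi.org
password = pypi-REPLACE-WITH-TESTPYPI-API-TOKEN
```

With twine (assumed here as the upload tool; the page does not name one) the test upload is `twine upload -r testpypi dist/*`. To try installing from the test index while still resolving dependencies such as numpy from the main index, use `pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ <package>`, which avoids the dependency failure described above.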