In a lot of cases, it's not really clear whose second factor would authorize publishing a package that was uploaded from a CI/CD system. Is it any project owner? Anyone from the same GitHub organization? etc.

> An attacker compromising someone's CI should not give them free reign to publish malicious packages at any time they want.

Agreed, that's why a lot of packaging ecosystems (including PyPI) have moved towards schemes that involve self-scoping, self-expiring tokens. The CI can still publish, but the attacker can no longer exfiltrate the publishing credential and use it indefinitely later.

(These schemes are not mandatory, because they can't be.)

but then how can we deploy our vibe coded PRs we didn't review at a pace of 40 deploys per day?

Sounds like 2FA should be required for CI.