Add documentation on removing human user from pypi

PyPI is safest when we leave the robots to release things; document this
in the guide.

Change-Id: I6e77c6a44e62caea4e63b01f9baf60b48a80a2d7

doc/source/creators.rst

@@ -115,12 +115,39 @@ If your project already exists on PyPI, update the roles for it so
 the "openstackci" user has "Maintainer" permissions. Visit
 ``https://pypi.org/manage/project/<projectname>/collaboration/``
 and add "openstackci" in the "User Name" field, set the role to
-"Maintainer", and click "Add Role".
+"Owner", and click "Add Role".
 
 .. image:: images/pypi-role-maintenance.png
    :height: 476
    :width: 800
 
+Give OpenDev Exclusive Permission to Publish Releases
+=====================================================
+
+In some cases, such as OpenStack governed projects, maintainers may want to
+give exclusive access to the package to the "openstackci" user. This ensures
+releases are always created by automation and not by humans.
+
+Update the roles for your project so the "openstackci" user has "Owner"
+permissions. Visit
+``https://pypi.org/manage/project/<projectname>/collaboration/``
+and add "openstackci" in the "User Name" field, set the role to
+"Owner", and click "Add Role".
+
+.. image:: images/pypi-role-maintenance.png
+   :height: 476
+   :width: 800
+
+After ensuring the "openstackci" user has owner access, you should also
+consider removing any remaining users, including your own, from the project.
+This will prevent accidental releases from being made and prevents compromise
+of the project if a your user account is compromised. You do this by clicking
+the remove button beside your username in the list.
+
+.. image:: images/pypi-role-remove.png
+   :height: 476
+   :width: 800
+
 Adding the Project to the CI System
 ===================================