Make "Trusted Publishing" works for our PyPI releasing #41937
Labels
area:dev-env
CI, pre-commit, pylint and other changes that do not change the behavior of the final code
area:dev-tools
Comments
potiuk
added
the
area:dev-env
|
Just to add - example changes in workflows proposed by |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We already agreed with the ASF infrastrucutre that it would be great to use Trusted publishing to publish packages to PyPI. Curently we are using "twine" and local API keys by release managers - but https://docs.pypi.org/trusted-publishers/ allows to configure our PyPI organisation to accept "Github Actions" workflows publishing to PyPI via dedicated workflows - where GitHub Actions is a trusted publisher.
The documentation explains how to do it - we will need to involve INFRA to configure it for our repository.
The idea to implement is is that Github Actions workflow should not "build" the packages to publish in PyPI - but they should download them from "https://downloads.apache.org/" and "https://dist.apache.org/repos/dist/dev/airflow/" for RC/Alpha/Beta packages, verify their integrity (checksums/signatures) similarly to https://github.com/apache/airflow/blob/main/dev/README_RELEASE_AIRFLOW.md and publishing those packages.
Intead of "twine upload", release manager should just run a workflow in GitHub Actions that should download packages from apache svn/downloads and publish them in PyPI after verification.
The text was updated successfully, but these errors were encountered: