potiuk opened a new issue, #41937: URL: https://github.com/apache/airflow/issues/41937
We already agreed with the ASF infrastrucutre that it would be great to use Trusted publishing to publish packages to PyPI. Curently we are using "twine" and local API keys by release managers - but https://docs.pypi.org/trusted-publishers/ allows to configure our PyPI organisation to accept "Github Actions" workflows publishing to PyPI via dedicated workflows - where GitHub Actions is a trusted publisher. The documentation explains how to do it - we will need to involve INFRA to configure it for our repository. The idea to implement is is that Github Actions workflow should not "build" the packages to publish in PyPI - but they should download them from "https://downloads.apache.org/"; and "https://dist.apache.org/repos/dist/dev/airflow/"; for RC/Alpha/Beta packages, verify their integrity (checksums/signatures) similarly to https://github.com/apache/airflow/blob/main/dev/README_RELEASE_AIRFLOW.md and publishing those packages. Intead of "twine upload", release manager should just run a workflow in GitHub Actions that should download packages from apache svn/downloads and publish them in PyPI after verification. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
