dongjoon-hyun opened a new pull request, #57180: URL: https://github.com/apache/spark/pull/57180
### What changes were proposed in this pull request? This PR changes the `finalize` step of `dev/create-release/release-build.sh` to pass the PyPI API token to `twine` via the `TWINE_PASSWORD` environment variable instead of the `-p $PYPI_API_TOKEN` command-line argument. The `export` statement is wrapped with a `set +x` guard so the token is not printed when `DEBUG_MODE=1` enables shell tracing. ### Why are the changes needed? On Linux, `/proc/<pid>/cmdline` is world-readable, so passing the token with `-p` exposes it to every user on the host during the upload. Running inside Docker (`do-release-docker.sh`) does not help: container processes are still visible to the host's `ps`. With `DEBUG_MODE=1`, the `set -x` trace also prints the token expanded in the command line into the console output and logs. Environment variables avoid both exposure paths and are the twine-recommended way to supply credentials non-interactively. ### Does this PR introduce _any_ user-facing change? No. This only affects the release scripts. ### How was this patch tested? Manual review. ### Was this patch authored or co-authored using generative AI tooling? Generated-by: Claude Fable 5 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
