dongjoon-hyun opened a new pull request, #57180:
URL: https://github.com/apache/spark/pull/57180

   ### What changes were proposed in this pull request?
   
   This PR changes the `finalize` step of `dev/create-release/release-build.sh` 
to pass the PyPI API token to `twine` via the `TWINE_PASSWORD` environment 
variable instead of the `-p $PYPI_API_TOKEN` command-line argument. The 
`export` statement is wrapped with a `set +x` guard so the token is not printed 
when `DEBUG_MODE=1` enables shell tracing.
   
   ### Why are the changes needed?
   
   On Linux, `/proc/<pid>/cmdline` is world-readable, so passing the token with 
`-p` exposes it to every user on the host during the upload. Running inside 
Docker (`do-release-docker.sh`) does not help: container processes are still 
visible to the host's `ps`. With `DEBUG_MODE=1`, the `set -x` trace also prints 
the token expanded in the command line into the console output and logs. 
Environment variables avoid both exposure paths and are the twine-recommended 
way to supply credentials non-interactively.
   
   ### Does this PR introduce _any_ user-facing change?
   
   No. This only affects the release scripts.
   
   ### How was this patch tested?
   
   Manual review.
   
   ### Was this patch authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Fable 5


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to