This is an automated email from the ASF dual-hosted git repository.
dongjoon-hyun pushed a commit to branch branch-4.x
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/branch-4.x by this push:
new d38fde87ca91 [SPARK-58083][INFRA] Pass PyPI token to twine via
environment variable in `release-build.sh`
d38fde87ca91 is described below
commit d38fde87ca91e8ad5b5af3bac6d8e19ca849882c
Author: Dongjoon Hyun <[email protected]>
AuthorDate: Fri Jul 10 09:32:52 2026 -0700
[SPARK-58083][INFRA] Pass PyPI token to twine via environment variable in
`release-build.sh`
### What changes were proposed in this pull request?
This PR changes the `finalize` step of
`dev/create-release/release-build.sh` to pass the PyPI API token to `twine` via
the `TWINE_PASSWORD` environment variable instead of the `-p $PYPI_API_TOKEN`
command-line argument. The `export` statement is wrapped with a `set +x` guard
so the token is not printed when `DEBUG_MODE=1` enables shell tracing.
### Why are the changes needed?
On Linux, `/proc/<pid>/cmdline` is world-readable, so passing the token
with `-p` exposes it to every user on the host during the upload. Running
inside Docker (`do-release-docker.sh`) does not help: container processes are
still visible to the host's `ps`. With `DEBUG_MODE=1`, the `set -x` trace also
prints the token expanded in the command line into the console output and logs.
Environment variables avoid both exposure paths and are the twine-recommended
way to supply credentials no [...]
### Does this PR introduce _any_ user-facing change?
No. This only affects the release scripts.
### How was this patch tested?
Manual review.
### Was this patch authored or co-authored using generative AI tooling?
Generated-by: Claude Fable 5
Closes #57180 from dongjoon-hyun/SPARK-58083.
Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
(cherry picked from commit 24f08f2cf353295166b130d43a62fd3c397c0019)
Signed-off-by: Dongjoon Hyun <[email protected]>
---
dev/create-release/release-build.sh | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/dev/create-release/release-build.sh
b/dev/create-release/release-build.sh
index bdae5ff69351..20b9d08bae56 100755
--- a/dev/create-release/release-build.sh
+++ b/dev/create-release/release-build.sh
@@ -103,6 +103,12 @@ if [[ "$1" == "finalize" ]]; then
error 'The environment variable PYPI_API_TOKEN is not set. Exiting.'
fi
+ # Pass the token to twine via an environment variable to keep it out of
+ # the process command line, which is visible to other users via ps.
+ { set +x; } 2>/dev/null
+ export TWINE_PASSWORD="$PYPI_API_TOKEN"
+ [ "$DEBUG_MODE" = 1 ] && set -x
+
git config --global user.name "$GIT_NAME"
git config --global user.email "$GIT_EMAIL"
@@ -128,19 +134,19 @@ if [[ "$1" == "finalize" ]]; then
PYSPARK_VERSION=`echo "$RELEASE_VERSION" | sed -e "s/-/./" -e
"s/preview/dev/"`
svn update "pyspark-$PYSPARK_VERSION.tar.gz"
svn update "pyspark-$PYSPARK_VERSION.tar.gz.asc"
- twine upload -u __token__ -p $PYPI_API_TOKEN \
+ twine upload -u __token__ \
--repository-url https://upload.pypi.org/legacy/ \
"pyspark-$PYSPARK_VERSION.tar.gz" \
"pyspark-$PYSPARK_VERSION.tar.gz.asc"
svn update "pyspark_connect-$PYSPARK_VERSION.tar.gz"
svn update "pyspark_connect-$PYSPARK_VERSION.tar.gz.asc"
- twine upload -u __token__ -p $PYPI_API_TOKEN \
+ twine upload -u __token__ \
--repository-url https://upload.pypi.org/legacy/ \
"pyspark_connect-$PYSPARK_VERSION.tar.gz" \
"pyspark_connect-$PYSPARK_VERSION.tar.gz.asc"
svn update "pyspark_client-$PYSPARK_VERSION.tar.gz"
svn update "pyspark_client-$PYSPARK_VERSION.tar.gz.asc"
- twine upload -u __token__ -p $PYPI_API_TOKEN \
+ twine upload -u __token__ \
--repository-url https://upload.pypi.org/legacy/ \
"pyspark_client-$PYSPARK_VERSION.tar.gz" \
"pyspark_client-$PYSPARK_VERSION.tar.gz.asc"
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]