Sounds good, I don't see a downside and "supply chain security" has been a big concern lately.
- ferruzzi

________________________________
From: Wei Lee <[email protected]>
Sent: Tuesday, June 25, 2024 8:07 AM
To: [email protected]
Subject: RE: [EXT] [PROPOSAL] Use Trusted Publishing workflow for Airflow releases to PyPI

This proposal is great! PyPI security has been valued a lot these days. Glad we're also joining.

Best,
Wei

> On Jun 25, 2024, at 8:01 PM, Jarek Potiuk <[email protected]> wrote:
>
> Yes and no :)
>
> We publish alpha/betas - yes. No change there. But for RCs what we publish
> in SVN currently are the packages that are built from RC tag but without rc
> suffix - so that when they pass the voting we upload them to PyPI without
> regenerating them (RC becomes final).
>
> But we do not publish the PYPI RCs - since PYPI uploads are immutable, we
> need to publish PYPI RCs with the rc suffixes. So far we just generated
> them and published to PyPI for testing but we did not upload them to SVN.
>
> So if we want to pull RCs from SVN - we need to upload there both: the RC
> version for PyPI (with RC suffix) and the no-suffix candidate that might
> become the final version once voted.
>
> J
