I was looking into trusted publishing just now - good to know that Iceberg is also using it!
-Adnan On Wed, Apr 15, 2026 at 4:55 PM Kevin Liu <[email protected]> wrote: > Setting up trusted publishing is fairly easy; I recommend it over using > tokens. > > For example, pyiceberg is done using > https://test.pypi.org/manage/project/pyiceberg/settings/publishing/ > > https://github.com/kevinjqliu/iceberg-python/blob/536a7d07100251fbe3f1074b9f5e7cf82a548d02/.github/workflows/nightly-pypi-build.yml#L68-L73 > > > > > On Wed, Apr 15, 2026 at 4:15 PM Yufei Gu <[email protected]> wrote: > > > Release managers need be a maintainer of the project on both > test.pypi.org > > and pypi.org. So that you got the credentials to publish them. > > > > Please share your IDs from both sites. I can add you there. > > > > > > Yufei > > > > > > On Wed, Dec 3, 2025 at 8:32 PM Yufei Gu <[email protected]> wrote: > > > > > I’ve just sent the invite. You should now be all set to publish to the > > > project with your API token. > > > > > > Yufei > > > > > > > > > On Wed, Dec 3, 2025 at 6:11 PM Honah J. <[email protected]> wrote: > > > > > >> Hi Yufei, > > >> > > >> Thank you very much for creating that. My test PyPi id is: HonahX. > > >> > > >> Best regards, > > >> Jonas > > >> > > >> On Wed, Dec 3, 2025 at 7:40 PM Yufei Gu <[email protected]> wrote: > > >> > > >> > Hi everyone, > > >> > > > >> > Here is the Polaris CLI Nighty project, > > >> > https://test.pypi.org/project/apache-polaris/. Please share your > IDs > > in > > >> > test.pypi.org, so that I can add you to the project as maintainer > or > > >> > admin. > > >> > Please be aware that you will need to register a new user in > > >> test.pypi.org > > >> > , > > >> > as it doesn't share the users with the site pypi.org. > > >> > > > >> > Yufei > > >> > > > >> > > > >> > On Thu, Nov 20, 2025 at 2:46 AM Robert Stupp <[email protected]> > wrote: > > >> > > > >> > > Hi all, > > >> > > > > >> > > It's great to focus on nightly/snapshot publications to > > test.pypi.org > > >> > > first! > > >> > > Can we change the scope of the PR [1] to just this and leave > > >> > > release-candidates and SVN out? > > >> > > > > >> > > Robert > > >> > > > > >> > > [1] https://github.com/apache/polaris/pull/3036 > > >> > > > > >> > > On Thu, Nov 20, 2025 at 3:38 AM Honah J. <[email protected]> > wrote: > > >> > > > > > >> > > > Hi everyone, > > >> > > > > > >> > > > Thanks for all the great points and suggestions! These are key > > >> elements > > >> > > for > > >> > > > a robust release process of Python CLI. Given the number of > > missing > > >> > > pieces > > >> > > > and to move this forward enough parallelization, I think we > could > > >> have > > >> > > the > > >> > > > following three tracks: > > >> > > > 1. Have a formalized way to build release artifacts (wheels) > that > > >> will > > >> > > > later be released to PyPI for users to install. > > >> > > > 2. Have ASF-compliant LICENSE/NOTICE/DISCLAIMER > > >> > > > 3. Have a formalized way to build and upload release candidate > > that > > >> > > include > > >> > > > proper signature and checksum of release artifacts (release > > >> automation > > >> > > > pipeline) > > >> > > > > > >> > > > Track 1's PR is out for review:[1] . Once merged, we’ll have CI > > >> > coverage > > >> > > to > > >> > > > ensure that future Python CLI changes don’t break the release > > >> > artifacts, > > >> > > > preventing delays in our release cycle. This will also allow us > to > > >> > enable > > >> > > > nightly builds to test.pypi.org as JB mentioned. My proposal > > >> document > > >> > > > includes an example from PyIceberg as well: [2]. > > >> > > > > > >> > > > I've also created an issue for 3: [3] > > >> > > > > > >> > > > Thanks again also the generous offers to help. Looking forward > to > > >> > getting > > >> > > > the full publication workflow in place as a community! > > >> > > > > > >> > > > [1]: https://github.com/apache/polaris/pull/3036 > > >> > > > [2]: > > >> > > > > > >> > > > > >> > > > >> > > > https://docs.google.com/document/d/1gbKYnFftpq884GhJ59waHdfoQG6MrevVAVCspf3hbrk/edit?tab=t.0#heading=h.4vtad7spzmcr > > >> > > > [3]: https://github.com/apache/polaris/issues/3098 > > >> > > > > > >> > > > On Wed, Nov 19, 2025 at 4:55 PM Jean-Baptiste Onofré < > > >> [email protected]> > > >> > > > wrote: > > >> > > > > > >> > > > > Hi, > > >> > > > > > > >> > > > > I have a proposal regarding the use of PyPI for our Python CLI > > >> > > publishing. > > >> > > > > > > >> > > > > To facilitate nightly builds and staging of release candidates > > for > > >> > > > > voting, I propose we utilize test.pypi.org. This platform is > > >> > > > > specifically designed for testing and previewing packages, and > > >> > several > > >> > > > > Apache projects are already using it for this purpose. > > >> > > > > > > >> > > > > For example, you can see how the Apache OpenDAL project > utilizes > > >> it > > >> > > > > here: https://test.pypi.org/project/opendal/ > > >> > > > > > > >> > > > > This approach would provide an appropriate environment for > > nightly > > >> > and > > >> > > > > pre-release artifacts. > > >> > > > > > > >> > > > > Regards, > > >> > > > > JB > > >> > > > > > > >> > > > > On Wed, Nov 19, 2025 at 12:25 PM Robert Stupp <[email protected] > > > > >> > wrote: > > >> > > > > > > > >> > > > > > Hi all, > > >> > > > > > > > >> > > > > > +1 to what JB said. > > >> > > > > > > > >> > > > > > Want to emphasize that it's not only about the presence and > > >> > > > > > correctness of the LICENSE/NOTICE/DISCLAIMER files, but also > > >> quite > > >> > a > > >> > > > > > few process and technical details. > > >> > > > > > Following the rules [1] is also a hard requirement [2], > > >> including > > >> > the > > >> > > > > > implicit technical requirements including, but not limited > to, > > >> > > > > > signatures, checksums and the artifact contents. > > >> > > > > > Especially for releases we, as the project, have to make > sure > > to > > >> > > stage > > >> > > > > > artifacts to start the vote, that every committer can verify > > all > > >> > > > > > artifacts for the release vote and that exactly the same > > >> artifacts > > >> > > are > > >> > > > > > eventually published. > > >> > > > > > Even small technical and legal mistakes in the staged > > artifacts > > >> or > > >> > of > > >> > > > > > the vote itself have led to "failed" release votes in many > ASF > > >> > > > > > projects in the past. > > >> > > > > > > > >> > > > > > I am happy to help with that from the release automation > side > > of > > >> > > things! > > >> > > > > > > > >> > > > > > Robert > > >> > > > > > > > >> > > > > > [1] https://www.apache.org/legal/release-policy.html > > >> > > > > > [2] > > >> > https://lists.apache.org/thread/djfpls35shngokr4rkp3m9s71qs366w5 > > >> > > > > > [3] https://polaris.apache.org/community/release-guide/ > > >> > > > > > > > >> > > > > > > > >> > > > > > On Wed, Nov 19, 2025 at 8:48 PM Jean-Baptiste Onofré < > > >> > > [email protected]> > > >> > > > > wrote: > > >> > > > > > > > > >> > > > > > > Hi folks, > > >> > > > > > > > > >> > > > > > > I want to reiterate the importance of ensuring legal > > >> compliance > > >> > > before > > >> > > > > > > publishing any public artifacts. As packages on PyPI are > > >> > considered > > >> > > > > > > release artifacts, we must confirm that the Python CLI > > >> adheres to > > >> > > all > > >> > > > > > > ASF policies, especially regarding incubation status. > > >> > > > > > > > > >> > > > > > > I have addressed the LICENSE/NOTICE requirement on the > > GitHub > > >> > > project > > >> > > > > > > board ( > https://github.com/orgs/apache/projects/540/views/1) > > >> by > > >> > > > > > > assigning the relevant issue. We must also confirm that > the > > >> > > Incubator > > >> > > > > > > DISCLAIMER is included and that the package name and > version > > >> > > clearly > > >> > > > > > > reflect the incubating status. > > >> > > > > > > > > >> > > > > > > Legal correctness is a hard requirement and a necessary > > >> blocker > > >> > > before > > >> > > > > > > we proceed with publishing any public artifacts. I will > > >> perform a > > >> > > > > > > complete pass and review of these details. > > >> > > > > > > > > >> > > > > > > Thanks, > > >> > > > > > > Jean-Baptiste Onofré > > >> > > > > > > > > >> > > > > > > On Tue, Oct 14, 2025 at 9:17 AM Honah J. < > [email protected] > > > > > >> > > wrote: > > >> > > > > > > > > > >> > > > > > > > Hi everyone, > > >> > > > > > > > > > >> > > > > > > > I’d like to start a discussion about publishing the > Apache > > >> > > Polaris > > >> > > > > Python > > >> > > > > > > > CLI to PyPI and providing nightly builds (test PyPi). > > >> > > > > > > > > > >> > > > > > > > The main goal is to make the CLI easier to install (pip > > >> install > > >> > > > > > > > <package_name>) and to align its release and > distribution > > >> > process > > >> > > > > with ASF > > >> > > > > > > > guidelines. I’ve drafted a proposal [1] that outlines > the > > >> key > > >> > > > > requirements > > >> > > > > > > > and the high-level release process if we include the > > Python > > >> CLI > > >> > > in > > >> > > > > the next > > >> > > > > > > > release. The proposal also covers how we might set up > > >> nightly > > >> > > builds > > >> > > > > on > > >> > > > > > > > Test PyPI for early testing. > > >> > > > > > > > > > >> > > > > > > > While some details can be finalized later, I’d like to > > first > > >> > > gather > > >> > > > > > > > feedback on the overall direction — specifically, > whether > > >> the > > >> > > > > community > > >> > > > > > > > agrees with publishing to PyPI and providing nightly > > builds. > > >> > > > > > > > > > >> > > > > > > > If there’s general agreement, I plan to open two > separate > > >> > [VOTE] > > >> > > > > threads to > > >> > > > > > > > formalize these decisions: > > >> > > > > > > > 1. Whether to the Python CLI to PyPI > > >> > > > > > > > 2. Whether to provide nightly build (publish to test > PyPi) > > >> > > > > > > > > > >> > > > > > > > Please let me know what you think! > > >> > > > > > > > > > >> > > > > > > > [1] > > >> > > > > > > > > > >> > > > > > > >> > > > > >> > > > >> > > > https://docs.google.com/document/d/1gbKYnFftpq884GhJ59waHdfoQG6MrevVAVCspf3hbrk/edit?usp=sharing > > >> > > > > > > > > > >> > > > > > > > > > >> > > > > > > > Best regards, > > >> > > > > > > > Jonas > > >> > > > > > > >> > > > > >> > > > >> > > > > > >
