Add PyPI Publishing to Automated Release

[adnanhemani]

Changes the PyPI nightly build script to use Trusted Publishers, as well as adding publishing scripts when generating a new release candidate and publishing new Polaris versions.

I've tested this from my fork: https://github.com/adnanhemani/polaris/actions/runs/24500027607/

I've already set up Trusted Publishers for both PyPI and TestPyPI:

Result:

Checklist

• 🛡️ Don't disclose security issues!
• 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
• 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
• 💡 Added comments for complex logic
• 🧾 Updated CHANGELOG.md (if needed)
• 📚 Updated documentation in site/content/in-dev/unreleased (if needed)

[snazy]

Thanks for the effort here!

I cannot judge on the Python/Makefile specific changes.
The changes to the nightly.yml + release-3-... workflows look fine.

I do have two concerns about release-4-...:

The OIDC (id-token: write) permission for PyPi trusted publishing is exposed to all other steps that don't need it.

If, for example, everything but the PyPi publishing fails, it cannot be retried, and we have to re-roll a whole new release including all the vote-"ceremony". Not really new, as Docker-Hub publishing can also fail. I think it's better to have separate workflow-jobs for Maven publishing, Docker-Hub publishing and PyPi publising plus an "aggregator" job that depends on those. This gives us the ability to retry only a failed publishing job without failing a whole release.

(Preexisting) The contents: write permission is only needed to create the GH release. That permission can then also be limited to that "aggregator-job".

[snazy]

This permission isn't commonly known, please add a comment explaining what it's used for.

[adnanhemani]

Done!

[snazy]

Same here, deserves a comment.

[adnanhemani]

Done.

[snazy]

Nit: the list is growing, maybe migrate to one line per dependency.

[adnanhemani]

Done.

[snazy]

This one concerns me, because all steps now get access to OIDC/trusted-publishing.

[kevinjqliu]

+1 we can move this to the step that pushes to pypi

[adnanhemani]

Moved.

[HonahX]

@adnanhemani Thank you so much for adding this to our release process!

[HonahX]

Instead of making an internal one, could we re-use client-build and extend it to optionally set the version?
Currently, CLI's License & Notice are only valid if we only publish the wheel (it will be a universal wheel): #3891 (comment). So we probably need FORMAT=wheel when building artifacts

[adnanhemani]

Good call, changed.

[kevinjqliu]

Suggested change

	permissions:
	id-token: write
	permissions:
	# IMPORTANT: this permission is mandatory for Trusted Publishing
	id-token: write

https://docs.pypi.org/trusted-publishers/using-a-publisher/

[adnanhemani]

Done!

[kevinjqliu]

looks great, thanks!

for pyiceberg, we push RCs as pre-release to pypi. we should double check that its indeed labeled as pre-release. Otherwise, if it accidentally gets label as the normal release, we'd have to yank the entire version (and publish a patch release). very tedious!

[adnanhemani]

Thank you all for your reviews. At this time, I've only separated out the "publish-python-client" step in the release-4... script, as it is the smallest change relevant to this PR. We should continue the refactor as @snazy suggests in a different PR.

[adnanhemani]

Done!

[adnanhemani]

Done!

[adnanhemani]

Done.

[adnanhemani]

Done.

[adnanhemani]

Moved.

[adnanhemani]

Good call, changed.

[adnanhemani]

@kevinjqliu - we are pushing RCs to TestPyPI and only pushing the released versions to PyPI. I believe this should be good enough to not cause errant versions?

[kevinjqliu]

Minor bug when passing the format arg, otherwise LGTM

Applied the fix locally and tested:

make client-nightly-build
RC_VERSION=1.4.0 RC_NUMBER=1 make client-rc-build                                                                    
RELEASE_VERSION=1.4.0 make client-release-build

[snazy]

The recent Polaris 1.4.0 release workflow failed quite early during the changes to Apache SVN, before it handles Helm charts, Docker images or Nexus or even create the GitHub release. I think, Helm charts, Docker images and Nexus jobs would have worked fine during that workflow run, if those would have been separate jobs in the workflow.

The unsolvable issue with release-related workflows is that those steps cannot be integration tested. This is why I think splitting the work across multiple jobs reduces the amount of non-executed steps, that require manual work later.

Adding PyPi publishing adds another step that can potentially fail a whole release, but having that as a separate workflow job reduces the risk of affecting other parts of the release automation.

[adnanhemani]

@snazy I agree with you - that's why I separated the PyPI uploads into separate Jobs. Did I miss something there?

I also don't disagree with your comments that we should separate all these steps into different jobs - but I don't find that necessary in this PR. I would highly prefer to do that in a follow up PR to reduce the scope of this PR. Is this a blocker for you?