CTTY commented on PR #2715:
URL: https://github.com/apache/iceberg-rust/pull/2715#issuecomment-4873161416

   I'm thinking that we should have release manager/maintainers trigger the 
pypi publish manually, or configure security_audit as a prerequisite of the 
publish workflow
   
   What usually happen in the release is:
   1. Upload artifacts to apache dev repo
   2. Push the new RC tag
   3. Two CIs will be triggered: security_audit and publish
   4. If security_audit failed, it won't fail publish, so we may end up 
publishing artifacts with security vulnerabilities
   
   Previously, since the auto-publish always fail due to reusable workflow 
issues (it's a feature, not a bug!), pypi publishing is always done manually, 
but after we inlining the pypi publish workflow, we may end up with 4. So I'm 
suggesting that we fix this in the current PR


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to