Add JFrog publish workflow for pyiceberg #45
robreeves wants to merge 5 commits into linkedin:li-0.11 from
Publishes pyiceberg to the openhouse-pypi JFrog repository on each push to li-0.11, auto-incrementing the patch version via git tags.
Pull request overview
Adds a GitHub Actions workflow to automatically tag, build, and publish pyiceberg artifacts to the LinkedIn JFrog Artifactory PyPI repo (openhouse-pypi) on pushes to the li-0.11 branch.
Changes:
- Introduces a tag job that derives the initial version from pyproject.toml, bumps the patch version, and pushes a git tag.
- Reuses the existing pypi-build-artifacts.yml reusable workflow to build sdist and multi-platform wheels for the computed version.
- Publishes the built artifacts to JFrog Artifactory using pypa/gh-action-pypi-publish.
| push: | ||
| branches: | ||
| - 'li-0.11' | ||
|
|
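Review bot: the push trigger on 'li-0.11' has no paths filter in the lines shown, so every push to the branch, including one that changes nothing in the package, would cut a new tag and publish a new version. If that is not intended, consider adding a paths or paths-ignore filter under push, or moving publishing behind a manual workflow_dispatch trigger.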
The workflow performs a mutating operation (creating/pushing git tags) on every push to li-0.11, but there is no concurrency configured. If multiple pushes happen close together, concurrent runs can race and either fail to push the tag or publish artifacts for a different tag than expected. Consider adding a workflow-level concurrency group keyed by github.ref (and queue runs rather than cancel) to ensure tag/build/publish execute serially for the branch.
| concurrency: | |
| group: jfrog-publish-${{ github.ref }} | |
| cancel-in-progress: false |
| contents: write | ||
|
|
||
| jobs: | ||
| tag: |
permissions: contents: write is set at the workflow level, so all jobs (including build/publish) receive write access to the repo contents. To follow least-privilege, consider setting workflow-level permissions to contents: read (or omit), and grant contents: write only on the tag job (where pushing tags is needed).
| contents: write | |
| jobs: | |
| tag: | |
| contents: read | |
| jobs: | |
| tag: | |
| permissions: | |
| contents: write |
Rationale for this change
Publish the pyiceberg package to the same JFrog Artifactory PyPI repository (openhouse-pypi) used by the OpenHouse data loader.

How it works
- pyproject.toml as the initial version, then auto-increments the patch via git tags on each push to li-0.11 (e.g. v0.11.1, v0.11.2, ...)
- pypi-build-artifacts.yml to build sdist and multi-platform wheels (Linux, Linux ARM, Windows, macOS Intel, macOS ARM) across Python 3.10–3.13 via cibuildwheel. Each wheel is validated by running pytest tests/avro/test_decoder.py.
- pypa/gh-action-pypi-publish.

Jobs are sequenced via needs: so publish waits for all matrix builds to complete.

This does not publish to PyPI or TestPyPI. The existing upstream workflows (nightly-pypi-build.yml, python-release.yml) are gated by github.repository == 'apache/iceberg-python' and will not run in this fork.

Requires JFROG_USERNAME and JFROG_PYPI_API_TOKEN secrets to be configured in this repo.

Are these changes tested?
Will be validated on the first push to li-0.11 after secrets are configured.

Are there any user-facing changes?
No.
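
The version computation described under "How it works", as an added example that is not the PR's workflow code. It assumes tags have the form vMAJOR.MINOR.PATCH and that the first tag is one patch above the pyproject.toml version; next_tag is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not code from the PR. next_tag is a hypothetical helper.
# Usage: git tag --list 'v*' | next_tag "<version from pyproject.toml>"
# Reads existing tag names on stdin, prints the next tag on stdout.
next_tag() {
  base="$1"
  num='(0|[1-9][0-9]*)'   # one version component, no leading zeros

  # Accept only a strict MAJOR.MINOR.PATCH base so nothing unexpected
  # (spaces, shell metacharacters, suffixes) can end up in a tag name.
  printf '%s\n' "$base" | grep -Eq "^${num}\.${num}\.${num}\$" || {
    echo "invalid base version: $base" >&2
    return 1
  }

  major=${base%%.*}
  rest=${base#*.}
  minor=${rest%%.*}
  patch=${rest#*.}

  # Highest existing patch on the same MAJOR.MINOR line. Tags from other
  # lines (v0.10.x) and pre-release style tags (v0.11.3rc1) are ignored.
  # sort -n compares numerically; a lexical sort ranks v0.11.9 above v0.11.10.
  latest=$(grep -E "^v${major}\.${minor}\.${num}\$" \
    | cut -d. -f3 | sort -n | tail -n 1 || true)

  # No matching tag yet: start from the pyproject.toml patch number.
  if [ -n "$latest" ] && [ "$latest" -gt "$patch" ]; then
    patch=$latest
  fi

  echo "v${major}.${minor}.$((patch + 1))"
}

# Constructed sample input (not real tags from the repository).
printf 'v0.11.9\nv0.11.10\nv0.10.99\n' | next_tag 0.11.0
```

The result depends only on the tags visible when the job runs, so two runs that read the same tag list compute the same next tag, which is the race the concurrency comment above describes.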