PyPI Token Publisher Setup
This file currently documents the implemented PyPI token setup and alpha package
registration cutline. Trusted publishing/OIDC migration is future work; the
current pypi-publish.yml workflow uploads with secrets.PYPI_API_TOKEN.
Prerequisites
- PyPI account with Owner/Maintainer role on the Obsidian Owl organisation
- GitHub environment pypi created on Obsidian-Owl/floe (Settings > Environments)
- Account-scoped PyPI API token stored as PYPI_API_TOKEN in the pypi environment
Steps (per package)
- Confirm the PyPI project is owned by the Obsidian Owl organisation or can be created by the first alpha upload.
- Confirm the pypi GitHub environment has a PYPI_API_TOKEN secret that can publish the package.
- Record the package in the checklist below.
Alpha Publish Checklist
Register only the packages in python_packages.publish from
release/floe-release.yaml for the alpha release.
- floe-core — Core plugin registry and interfaces for the Floe data platform
- floe-iceberg — IcebergTableManager utility for PyIceberg table operations
- floe-orchestrator-dagster — Dagster orchestrator plugin
- floe-catalog-polaris — Apache Polaris catalog plugin
- floe-storage-minio — MinIO object storage plugin
- floe-compute-duckdb — DuckDB compute plugin
- floe-dbt-core — DBT plugin using dbt-core Python API
- floe-ingestion-dlt — dlt ingestion plugin
- floe-telemetry-jaeger — Jaeger telemetry backend plugin (OTLP exporter)
- floe-rbac-k8s — Kubernetes RBAC plugin
- floe-network-security-k8s — Kubernetes Network Security plugin
- floe-lineage-marquez — Marquez lineage backend plugin (OpenLineage)
- floe-quality-gx — Great Expectations data quality plugin
- floe-storage-aws-s3 — AWS S3 storage plugin
- floe-catalog-glue — AWS Glue catalog plugin
Excluded from alpha
These packages are listed under python_packages.exclude in
release/floe-release.yaml and must not be registered or published for alpha
until their composition path is proven.
- floe-alert-slack
- floe-alert-email
- floe-alert-alertmanager
- floe-alert-webhook
- floe-identity-keycloak
- floe-secrets-infisical
- floe-secrets-k8s
- floe-semantic-cube
- floe-dbt-fusion
- floe-telemetry-console
- floe-quality-dbt
GitHub environment fields
- Environment: pypi
- Secret name: PYPI_API_TOKEN
- Workflow file: pypi-publish.yml
- Publishing package: pypa/gh-action-pypi-publish
After all packages are registered
- Verify all 15 alpha packages are covered by the PyPI account token and project ownership.
- A successful non-dry-run prepare-release.yml run uploads release metadata.
- The downstream pypi-publish.yml workflow builds only the manifest package set and uploads artifacts with PYPI_API_TOKEN.
If the GitHub Release already exists and the downstream publish workflow needs
to be retried after a workflow fix, dispatch pypi-publish.yml manually with:

    gh workflow run pypi-publish.yml \
      -f release_tag=v0.1.0-alpha.1 \
      -f dry_run=false

Manual publishing must always provide an existing release_tag; manual runs
default to dry_run=true.
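
An account-scoped PYPI_API_TOKEN can upload to any project the account controls, so the manifest is the only thing limiting what a run publishes. The added example below (not the project's workflow code) checks built artifact filenames against python_packages.publish and python_packages.exclude before upload; the manifest dict, the dist/ listing and the floe_cli package are constructed for illustration.

```python
import re
from pathlib import PurePath

# Constructed sample of python_packages.publish / .exclude; the real lists live in
# release/floe-release.yaml, whose exact layout is an assumption here.
MANIFEST = {"publish": ["floe-core", "floe-iceberg", "floe-storage-aws-s3"],
            "exclude": ["floe-alert-slack", "floe-secrets-k8s"]}
# Constructed dist/ listing; floe_cli is a hypothetical off-manifest package.
SAMPLE_DIST = ["dist/floe_core-0.1.0a1-py3-none-any.whl",
               "dist/floe-iceberg-0.1.0a1.tar.gz",
               "dist/floe_alert_slack-0.1.0a1-py3-none-any.whl",
               "dist/floe_cli-0.1.0a1.tar.gz"]

def normalize(name):
    """PEP 503 normalisation: runs of '-', '_', '.' collapse to '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()

def project_of(artifact):
    """Normalised project name from a wheel or sdist filename, or None if neither."""
    fname = PurePath(artifact).name
    if fname.endswith(".whl"):
        return normalize(fname.split("-")[0])  # wheel name field never contains '-'
    if fname.endswith(".tar.gz"):
        return normalize(fname[:-7].rsplit("-", 1)[0])  # version is the last field
    return None

def check_upload_set(artifacts, manifest):
    """Return (allowed, blocked); blocked maps each rejected filename to a reason."""
    publish = {normalize(n) for n in manifest["publish"]}
    exclude = {normalize(n) for n in manifest["exclude"]}
    allowed, blocked = [], {}
    for art in artifacts:
        proj = project_of(art)
        if proj is None:
            blocked[art] = "not a wheel or sdist"
        elif proj in exclude:
            blocked[art] = f"{proj} is in python_packages.exclude"
        elif proj not in publish:
            blocked[art] = f"{proj} is not in python_packages.publish"
        else:
            allowed.append(art)
    return allowed, blocked

if __name__ == "__main__":
    ok, bad = check_upload_set(SAMPLE_DIST, MANIFEST)
    for name, why in bad.items():
        print(f"BLOCK {name}: {why}")
    raise SystemExit(1 if bad else 0)
```

Run as a step before the upload, a non-zero exit stops the job when any artifact falls outside the publish list.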
Metadata
Package metadata is read from each package’s pyproject.toml; the alpha release
version comes from release/floe-release.yaml.
| Field | Value |
|---|---|
| Author | Obsidian Owl |
| Email | team@obsidianowl.dev |
| License | Apache-2.0 |
| Python | >=3.10 |
| Homepage | https://github.com/Obsidian-Owl/floe |
| Repository | https://github.com/Obsidian-Owl/floe |
| Version | 0.1.0a1 |