Merge branch 'main' into merge-main-to-aio

Author: sfc-gh-pczajka

.github/CODEOWNERS

@@ -1 +1,5 @@
-@snowflakedb/snowpark-python-api
+* @snowflakedb/snow-drivers-warsaw
+/src/snowflake/connector/ocsp_* @snowflakedb/pki-oversight @snowflakedb/snow-drivers-warsaw
+/src/snowflake/connector/crl.py @snowflakedb/pki-oversight @snowflakedb/snow-drivers-warsaw
+/src/snowflake/connector/crl_cache.py @snowflakedb/pki-oversight @snowflakedb/snow-drivers-warsaw
+/src/snowflake/connector/ssl_wrap_socket.py @snowflakedb/pki-oversight @snowflakedb/snow-drivers-warsaw

.github/workflows/build_test.yml

@@ -63,9 +63,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        # TODO: temporarily reduce number of jobs: SNOW-2311643
-        # python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
-        python-version: ["3.9", "3.13"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -96,9 +94,7 @@ jobs:
             id: macosx_x86_64
           - image: macos-latest
             id: macosx_arm64
-        # TODO: temporarily reduce number of jobs: SNOW-2311643
-        # python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
-        python-version: ["3.9", "3.13"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
         exclude:
           - os:
               image: windows-11-arm
@@ -158,9 +154,7 @@ jobs:
            download_name: win_amd64
          - image_name: windows-11-arm
            download_name: win_arm64
-        # TODO: temporarily reduce number of jobs: SNOW-2311643
-        # python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
-        python-version: ["3.9", "3.13"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
         cloud-provider: [aws, azure, gcp]
         exclude:
           - os:
@@ -211,9 +205,9 @@ jobs:
       - name: Setup private key file
         shell: bash
         env:
-          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
         run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Download wheel(s)
         uses: actions/download-artifact@v4
@@ -265,7 +259,7 @@ jobs:
         os:
          # Because old the version 3.0.2 of snowflake-connector-python depends on oscrypto which causes conflicts with higher versions of libssl
          # TODO: It can be changed to ubuntu-latest, when python sf connector version in tox is above 3.4.0
-         - image_name: ubuntu-20.04
+         - image_name: ubuntu-22.04
            download_name: linux
         python-version: [3.9]
         cloud-provider: [aws]
@@ -287,9 +281,9 @@ jobs:
       - name: Setup private key file
         shell: bash
         env:
-          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
         run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Upgrade setuptools, pip and wheel
         run: python -m pip install -U setuptools pip wheel
@@ -355,9 +349,9 @@ jobs:
       - name: Setup private key file
         shell: bash
         env:
-          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
         run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Download wheel(s)
         uses: actions/download-artifact@v4
@@ -398,9 +392,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # TODO: temporarily reduce number of jobs: SNOW-2311643
-        # python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
-        python-version: ["3.9", "3.13"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
         cloud-provider: [aws]
     steps:
       - name: Set shortver
@@ -419,9 +411,9 @@ jobs:
       - name: Setup private key file
         shell: bash
         env:
-          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
         run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Download wheel(s)
         uses: actions/download-artifact@v4
@@ -500,9 +492,9 @@ jobs:
       - name: Setup private key file
         shell: bash
         env:
-          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
         run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Download wheel(s)
         uses: actions/download-artifact@v4
@@ -518,12 +510,6 @@ jobs:
         run: python -m pip install tox>=4
       - name: Run tests
         run: python -m tox run -e aio
-        env:
-          PYTHON_VERSION: ${{ matrix.python-version }}
-          cloud_provider: ${{ matrix.cloud-provider }}
-          PYTEST_ADDOPTS: --color=yes --tb=short
-          TOX_PARALLEL_NO_SPINNER: 1
-        shell: bash
       - name: Combine coverages
         run: python -m tox run -e coverage --skip-missing-interpreters false
         shell: bash
@@ -566,6 +552,56 @@ jobs:
           TOX_PARALLEL_NO_SPINNER: 1
         shell: bash
 
+  test-rockylinux9:
+    name: Test Rocky Linux 9 rockylinux9-${{ matrix.python-version }}-${{ matrix.cloud-provider }}
+    needs: lint
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        # Rocky Linux 9 has Python 3.9, 3.11, and 3.12 available
+        python-version: ["3.9", "3.11", "3.12"]
+        cloud-provider: [aws, azure, gcp]
+    steps:
+      - name: Set shortver
+        run: echo "shortver=${longver//./}" >> $GITHUB_ENV
+        env:
+          longver: ${{ matrix.python-version }}
+        shell: bash
+      - uses: actions/checkout@v4
+      - name: Build wheel for Rocky Linux
+        uses: pypa/cibuildwheel@v2.21.3
+        env:
+          CIBW_BUILD: cp${{ env.shortver }}-manylinux_x86_64
+          MACOSX_DEPLOYMENT_TARGET: 10.14
+        with:
+          output-dir: dist
+      - name: Show wheels built
+        run: ls -lh dist
+        shell: bash
+      - name: Setup parameters file
+        shell: bash
+        env:
+          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
+        run: |
+          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
+          .github/workflows/parameters/public/parameters_${{ matrix.cloud-provider }}.py.gpg > test/parameters.py
+      - name: Setup private key file
+        shell: bash
+        env:
+          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
+        run: |
+          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
+          .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
+      - name: Run tests
+        run: ./ci/test_rockylinux9_docker.sh ${PYTHON_VERSION}
+        env:
+          PYTHON_VERSION: ${{ matrix.python-version }}
+          cloud_provider: ${{ matrix.cloud-provider }}
+          PYTEST_ADDOPTS: --color=yes --tb=short
+          TOX_PARALLEL_NO_SPINNER: 1
+        shell: bash
+
   combine-coverage:
     if: always()
     name: Combine coverage

.github/workflows/jira_issue.yml

@@ -37,7 +37,7 @@ jobs:
           summary: '${{ github.event.issue.title }}'
           description: |
             ${{ github.event.issue.body }} \\ \\ _Created from GitHub Action_ for ${{ github.event.issue.html_url }}
-          fields: '{"customfield_11401":{"id":"14586"},"assignee":{"id":"61027a237ab143006ecfb9a2"},"components":[{"id":"16413"}]}'
+          fields: '{"customfield_11401":{"id":"14723"},"assignee":{"id":"712020:e527ae71-55cc-4e02-9217-1ca4ca8028a2"},"components":[{"id":"16413"}], "labels": ["oss"], "priority": {"id": "10001"} }'
 
       - name: Update GitHub Issue
         uses: ./jira/gajira-issue-update

.github/workflows/parameters/public/rsa_keys/rsa_key_python_aws.p8.gpg

@@ -7,7 +7,16 @@ https://docs.snowflake.com/
 Source code is also available at: https://github.com/snowflakedb/snowflake-connector-python
 
 # Release Notes
-- v4.1.0(TBD)
+- v4.1.1(November 20,2025)
+  - Added the `SNOWFLAKE_AUTH_FORCE_SERVER` environment variable to force the use of the local-listening server when using the `externalbrowser` auth method.
+    - This allows headless environments (like Docker or Airflow) running locally to auth via a browser URL.
+  - Fix compilation error when building from sources with libc++.
+  - Pin lower versions of dependencies to oldest version without vulnerabilities.
+  - Added no_proxy parameter for proxy configuration without using environmental variables.
+  - Added OAUTH_AUTHORIZATION_CODE and OAUTH_CLIENT_CREDENTIALS to list of authenticators that don't require user to be set
+  - Added `oauth_socket_uri` connection parameter allowing to separate server and redirect URIs for local OAuth server.
+  - Made platform_detection logs silent and improved its timeout handling. Added support for ENV_VAR_DISABLE_PLATFORM_DETECTION environment variable.
+  - Fixed FIPS environments md5 hash issues with multipart upload on Azure.
 
 - v4.0.0(October 09,2025)
   - Added support for checking certificates revocation using revocation lists (CRLs)

.github/workflows/parameters/public/rsa_keys/rsa_key_python_azure.p8.gpg

@@ -33,7 +33,8 @@ timestamps {
         string(name: 'client_git_commit', value: scmInfo.GIT_COMMIT),
         string(name: 'client_git_branch', value: scmInfo.GIT_BRANCH),
         string(name: 'parent_job', value: env.JOB_NAME),
-        string(name: 'parent_build_number', value: env.BUILD_NUMBER)
+        string(name: 'parent_build_number', value: env.BUILD_NUMBER),
+        string(name: 'USE_PASSWORD', value: 'true')
       ]
       parallel(
       'Test': {

.github/workflows/parameters/public/rsa_keys/rsa_key_python_gcp.p8.gpg

@@ -4,7 +4,7 @@ include LICENSE.txt
 include NOTICE
 include pyproject.toml
 include src/snowflake/connector/nanoarrow_cpp/ArrowIterator/LICENSE.txt
-recursive-include src/snowflake/connector py.typed *.py *.pyx
+recursive-include src/snowflake/connector py.typed *.py *.pyx *.js
 recursive-include src/snowflake/connector/vendored LICENSE*
 
 recursive-include src/snowflake/connector/nanoarrow_cpp *.cpp *.hpp

DESCRIPTION.md

@@ -81,3 +81,28 @@ conn = snowflake.connector.connect(
 )
 conn.telemetry_enabled = False
 ```
+
+## Verifying Package Signatures
+
+To ensure the authenticity and integrity of the Python package, follow the steps below to verify the package signature using `cosign`.
+
+**Steps to verify the signature:**
+- Install cosign:
+  - This example is using golang installation: [installing-cosign-with-go](https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-install-cosign/#installing-cosign-with-go)
+- Download the file from the repository like pypi:
+  - https://pypi.org/project/snowflake-connector-python/#files
+- Download the signature files from the release tag, replace the version number with the version you are verifying:
+  - https://github.com/snowflakedb/snowflake-connector-python/releases/tag/v3.12.2
+- Verify signature:
+  ````bash
+  # replace the version number with the version you are verifying
+  ./cosign verify-blob snowflake_connector_python-3.12.2.tar.gz \
+  --key snowflake-connector-python-v3.12.2.pub \
+  --signature resources.linux.snowflake_connector_python-3.12.2.tar.gz.sig
+
+  Verified OK
+  ````
+
+## NOTE
+
+This library currently does not support GCP regional endpoints.  Please ensure that any workloads using through this library do not require support for regional endpoints on GCP.  If you have questions about this, please contact [Snowflake Support](https://community.snowflake.com/s/article/How-To-Submit-a-Support-Case-in-Snowflake-Lodge).