This is an automated email from the ASF dual-hosted git repository. ephraimanierobi pushed a commit to branch v3-1-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit e5e8af5f540ad03fd2e2e5942a42325fbeb6ef24 Author: Bugra Ozturk <[email protected]> AuthorDate: Sun Feb 1 10:24:42 2026 +0100 [v3-1-test] Update pmc verification docs (#61271) (#61294) * Update Helm Chart release instructions for PMC Checks * Update KEY download instructions for PMC Checks * Update dev/README_RELEASE_HELM_CHART.md (cherry picked from commit c74b24ac9b133cc83af62ba35393b28efc7343cb) --- dev/README_RELEASE_AIRFLOW.md | 1 + dev/README_RELEASE_AIRFLOWCTL.md | 1 + dev/README_RELEASE_HELM_CHART.md | 92 +++++++++++++++++++++++++++---------- dev/README_RELEASE_PROVIDERS.md | 1 + dev/README_RELEASE_PYTHON_CLIENT.md | 1 + 5 files changed, 71 insertions(+), 25 deletions(-) diff --git a/dev/README_RELEASE_AIRFLOW.md b/dev/README_RELEASE_AIRFLOW.md index 3f3bf2849c1..c1dd7e2155d 100644 --- a/dev/README_RELEASE_AIRFLOW.md +++ b/dev/README_RELEASE_AIRFLOW.md @@ -807,6 +807,7 @@ Make sure you have imported into your GPG the PGP key of the person signing the You can import the whole KEYS file: ```shell script +wget https://dist.apache.org/repos/dist/release/airflow/KEYS gpg --import KEYS ``` diff --git a/dev/README_RELEASE_AIRFLOWCTL.md b/dev/README_RELEASE_AIRFLOWCTL.md index 51592a6d398..73aa2b6f2bb 100644 --- a/dev/README_RELEASE_AIRFLOWCTL.md +++ b/dev/README_RELEASE_AIRFLOWCTL.md @@ -610,6 +610,7 @@ Download the KEYS file from the above link and save it locally. You can import the whole KEYS file into gpg by running the following command: ```shell script +wget https://dist.apache.org/repos/dist/release/airflow/KEYS gpg --import KEYS ``` diff --git a/dev/README_RELEASE_HELM_CHART.md b/dev/README_RELEASE_HELM_CHART.md index 1933236005d..d38fdbe2830 100644 --- a/dev/README_RELEASE_HELM_CHART.md +++ b/dev/README_RELEASE_HELM_CHART.md @@ -449,24 +449,6 @@ The following files should be present (7 files): * `airflow-{VERSION}.tgz` + .asc + .sha512 * `airflow-{VERSION}.tgz.prov` -As a PMC member, you should be able to clone the SVN repository: - -```shell -svn co https://dist.apache.org/repos/dist/dev/airflow -``` - -Or update it if you already checked it out: - -```shell -svn update . -``` - -While in the directory, save the path to the repository root: - -```shell -SVN_REPO_ROOT=$(pwd -P) -``` - ## Source tarball reproducibility check The source tarball should be reproducible. This means that if you build it twice, you should get @@ -485,12 +467,13 @@ AIRFLOW_REPO_ROOT=$(pwd -P) ```shell VERSION=12.0.1 VERSION_SUFFIX=rc1 +VERSION_RC=${VERSION}${VERSION_SUFFIX} ``` 3. Check-out the branch from which the release was made and cleanup dist folder: ```shell -git checkout helm-chart/${VERSION}${VERSION_SUFFIX} +git checkout helm-chart/${VERSION_RC} rm -rf dist/* ``` @@ -498,16 +481,37 @@ rm -rf dist/* check and skip tagging. There is no need to specify version as it is stored in Chart.yaml of the rc tag. ```shell -breeze release-management prepare-helm-chart-tarball --version-suffix rc1 --ignore-version-check --skip-tagging -breeze release-management prepare-helm-chart-package +breeze release-management prepare-helm-chart-tarball --version-suffix ${VERSION_SUFFIX} --ignore-version-check --skip-tagging +breeze release-management prepare-helm-chart-package --version-suffix ${VERSION_SUFFIX} ``` 5. Compare the produced tarball binary with ones in SVN: +As a PMC member, you should be able to clone the SVN repository: + +```shell script +cd .. +[ -d asf-dist ] || svn checkout --depth=immediates https://dist.apache.org/repos/dist asf-dist +svn update --set-depth=infinity asf-dist/dev/airflow +``` + +Or update it if you already checked it out: + +```shell script +cd asf-dist/dev/airflow +svn update . +``` + +Set an environment variable: SVN_REPO_ROOT to the root of folder where you have helm-chart + +```shell script +cd asf-dist/dev/airflow +export SVN_REPO_ROOT=$(pwd -P) +``` ```shell -diff ${AIRFLOW_REPO_ROOT}/dist/airflow-chart-${VERSION}-source.tar.gz ${SVN_REPO_ROOT}/dev/airflow/helm-chart/${VERSION}${VERSION_SUFFIX}/airflow-chart-${VERSION}-source.tar.gz -diff ${AIRFLOW_REPO_ROOT}/dist/airflow-${VERSION}.tgz ${SVN_REPO_ROOT}/dev/airflow/helm-chart/${VERSION}${VERSION_SUFFIX}/airflow-${VERSION}.tgz +diff ${AIRFLOW_REPO_ROOT}/dist/airflow-chart-${VERSION}-source.tar.gz ${SVN_REPO_ROOT}/dev/airflow/helm-chart/${VERSION_RC}/airflow-chart-${VERSION}-source.tar.gz +diff ${AIRFLOW_REPO_ROOT}/dist/airflow-${VERSION}.tgz ${SVN_REPO_ROOT}/dev/airflow/helm-chart/${VERSION_RC}/airflow-${VERSION}.tgz ``` There should be no differences reported. If you see "binary files differ" message, it means that @@ -519,7 +523,7 @@ and we need to fix it (so checking the differences would be helpful also to find Before proceeding next you want to go to the SVN directory ```shell -cd ${SVN_REPO_ROOT}/dev/airflow/helm-chart/${VERSION}${VERSION_SUFFIX} +cd ${SVN_REPO_ROOT}/dev/airflow/helm-chart/${VERSION_RC} ``` ## Licence check @@ -537,11 +541,48 @@ tar -xzf /tmp/apache-rat-0.17-bin.tar.gz -C /tmp * Enter the sources folder run the check ```shell -java -jar ${PATH_TO_RAT}/apache-rat-0.13/apache-rat-0.13.jar chart -E .rat-excludes +rm -rf /tmp/apache/airflow-src && mkdir -p /tmp/apache-airflow-src && tar -xzf ${SVN_REPO_ROOT}/dev/airflow/helm-chart/${VERSION_RC}/airflow-chart-*-source.tar.gz --strip-components 1 -C /tmp/apache-airflow-src +``` + +```shell +java -jar /tmp/apache-rat-0.17/apache-rat-0.17.jar --input-exclude-file /tmp/apache-airflow-src/.rat-excludes /tmp/apache-airflow-src/ | grep -E "! |INFO: " ``` where `.rat-excludes` is the file in the root of Chart source code. +You should see no files reported as Unknown or with wrong licence and summary of the check similar to: + +``` +INFO: Apache Creadur RAT 0.17 (Apache Software Foundation) +INFO: Excluding patterns: .git-blame-ignore-revs, .github/*, .git ... +INFO: Excluding MISC collection. +INFO: Excluding HIDDEN_DIR collection. +SLF4J(W): No SLF4J providers were found. +SLF4J(W): Defaulting to no-operation (NOP) logger implementation +SLF4J(W): See https://www.slf4j.org/codes.html#noProviders for further details. +INFO: RAT summary: +INFO: Approved: 15615 +INFO: Archives: 2 +INFO: Binaries: 813 +INFO: Document types: 5 +INFO: Ignored: 2392 +INFO: License categories: 2 +INFO: License names: 2 +INFO: Notices: 216 +INFO: Standards: 15609 +INFO: Unapproved: 0 +INFO: Unknown: 0 +``` + +There should be no files reported as Unknown or Unapproved. The files that are unknown or unapproved should be shown with a line starting with `!`. + +For example: + +``` +! Unapproved: 1 A count of unapproved licenses. +! /CODE_OF_CONDUCT.md +``` + ## Signature check Make sure you have imported into your GPG the PGP key of the person signing the release. You can find the valid keys in @@ -550,6 +591,7 @@ Make sure you have imported into your GPG the PGP key of the person signing the You can import the whole KEYS file: ```shell script +wget https://dist.apache.org/repos/dist/release/airflow/KEYS gpg --import KEYS ``` diff --git a/dev/README_RELEASE_PROVIDERS.md b/dev/README_RELEASE_PROVIDERS.md index 564b2cb8b71..427a10bfde4 100644 --- a/dev/README_RELEASE_PROVIDERS.md +++ b/dev/README_RELEASE_PROVIDERS.md @@ -1012,6 +1012,7 @@ Download the KEYS file from the above link and save it locally. You can import the whole KEYS file into gpg by running the following command: ```shell script +wget https://dist.apache.org/repos/dist/release/airflow/KEYS gpg --import KEYS ``` diff --git a/dev/README_RELEASE_PYTHON_CLIENT.md b/dev/README_RELEASE_PYTHON_CLIENT.md index c38200a4f29..8815f9da8c0 100644 --- a/dev/README_RELEASE_PYTHON_CLIENT.md +++ b/dev/README_RELEASE_PYTHON_CLIENT.md @@ -511,6 +511,7 @@ Make sure you have imported into your GPG the PGP key of the person signing the You can import the whole KEYS file: ```shell script +wget https://dist.apache.org/repos/dist/release/airflow/KEYS gpg --import KEYS ```
