ptuomola commented on a change in pull request #1292: URL: https://github.com/apache/fineract/pull/1292#discussion_r477916660
########## File path: README.md ########## @@ -353,6 +353,41 @@ Releasing [How to Release Apache Fineract](https://cwiki.apache.org/confluence/x/DRwIB) documents the process how we make the source code that is available here in this Git repository into a binary release ZIP available on http://fineract.apache.org. +Before you use Gradle to create a release you need to make sure that your GPG is properly setup and that you have set the following properties in your ~/gradle/gradle.properties: +``` +signing.gnupg.keyName=7890ABCD +signing.gnupg.passphrase=secret +``` + +IMPORTANT: Do not set your GPG secrets in one of the project gradle.properties and double check that you are not accidentally committing them to Git. + Review comment: To avoid exactly this, is it possible to instruct people instead to pass these as command line parameters when they run the build? ########## File path: README.md ########## 
@@ -353,6 +353,41 @@ Releasing [How to Release Apache Fineract](https://cwiki.apache.org/confluence/x/DRwIB) documents the process how we make the source code that is available here in this Git repository into a binary release ZIP available on http://fineract.apache.org. +Before you use Gradle to create a release you need to make sure that your GPG is properly setup and that you have set the following properties in your ~/gradle/gradle.properties: +``` +signing.gnupg.keyName=7890ABCD +signing.gnupg.passphrase=secret +``` + +IMPORTANT: Do not set your GPG secrets in one of the project gradle.properties and double check that you are not accidentally committing them to Git. + +NOTE: Let's assume your GPG key ID would be "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890ABCD" then you have to use the last 8 characters (i. e. "7890ABCD") for the signing plugin property "signing.gnupg.keyName". + +Execute the following task to create a distribution with an ASCII armored signature (.asc) and a SHA512 checksum file (.sha512): +``` +./gradlew -Pfineract.release clean build +``` Review comment: Would it be cleaner to have a specific distribution task that does all the distribution activities (package and signing etc), rather than relying on the build task and a new profile? ########## File path: fineract-provider/gradle.properties ########## @@ -16,5 +16,5 @@ # specific language governing permissions and limitations # under the License. # -releaseVersion=1.0.0 +releaseVersion=1.4.0 buildType=BUILD Review comment: Here we have the version hardcoded - for the Swagger documentation we pick it automatically from the git describe output. We should probably make this consistent and use one or the other... ########## File path: README.md ########## 
@@ -353,6 +353,41 @@ Releasing [How to Release Apache Fineract](https://cwiki.apache.org/confluence/x/DRwIB) documents the process how we make the source code that is available here in this Git repository into a binary release ZIP available on http://fineract.apache.org. +Before you use Gradle to create a release you need to make sure that your GPG is properly setup and that you have set the following properties in your ~/gradle/gradle.properties: +``` +signing.gnupg.keyName=7890ABCD +signing.gnupg.passphrase=secret +``` + +IMPORTANT: Do not set your GPG secrets in one of the project gradle.properties and double check that you are not accidentally committing them to Git. + +NOTE: Let's assume your GPG key ID would be "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890ABCD" then you have to use the last 8 characters (i. e. "7890ABCD") for the signing plugin property "signing.gnupg.keyName". + +Execute the following task to create a distribution with an ASCII armored signature (.asc) and a SHA512 checksum file (.sha512): +``` +./gradlew -Pfineract.release clean build +``` + +Above task will create the following files in folder build/distributions: + +- distribution file: apache-fineract-1.4.0-binary.tar.gz +- ASCII armored signatures: apache-fineract-1.4.0-binary.tar.gz.asc +- SHA512 checksum: apache-fineract-1.4.0-binary.tar.gz.sha512 + +Verify the validity of the release distribution with: +``` +gpg --verify build/distributions/apache-fineract-1.4.0-binary.tar.gz.asc +``` Review comment: Would it make sense to include this in the distribution task as well - so that this gets automatically run and the user just has to review the output?
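Review bot: The first added README line points at `~/gradle/gradle.properties`, but Gradle reads user-level properties from `~/.gradle/gradle.properties` (the default Gradle user home), so a release manager following this literally will find the signing properties ignored and may fall back to the project file that the IMPORTANT line warns against. Please correct the path. In the same block, `signing.gnupg.passphrase=secret` documents a plaintext passphrase on disk; since the `signing.gnupg.*` properties drive the local gpg command, consider stating that the passphrase line can be left out when gpg-agent handles the prompt. The NOTE's 40-character example is a fingerprint rather than a key ID and contains non-hex characters, and 8-character short IDs are known to collide, so a realistic hex example that uses the long ID or the full fingerprint would be safer.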
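Review bot: `releaseVersion=1.4.0` in fineract-provider/gradle.properties is repeated by hand in the README lines added in this change (`apache-fineract-1.4.0-binary.tar.gz` and its `.asc` and `.sha512`), so the two will drift at the next release and the documented `gpg --verify` path will then name a file that does not exist. Suggest writing the README file names with a version placeholder, or noting next to this property that it has to be bumped together with the README.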
