This is an automated email from the ASF dual-hosted git repository.

yuanz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-trustzone-sdk.git

commit 0517514539254468e5ead7c4f94793af0dfce378
Author: Yuan Zhuang <[email protected]>
AuthorDate: Thu Jun 26 17:24:24 2025 +0800

    docs: Add tips and scripts for release
---
 docs/release-tips.md                      | 128 +++++++++++++++++++
 scripts/release/make_release_artifacts.sh | 200 ++++++++++++++++++++++++++++++
 2 files changed, 328 insertions(+)

diff --git a/docs/release-tips.md b/docs/release-tips.md
new file mode 100644
index 0000000..c5d75c2
--- /dev/null
+++ b/docs/release-tips.md
@@ -0,0 +1,128 @@
+---
+permalink: /trustzone-sdk-docs/release-tips.md
+---
+
+# TrustZone SDK Release Tips
+
+For the complete workflow and operational details, please refer to the 
[Release Guide for the Teaclave Community](link).
+This documentation highlights items that are specific to the `TrustZone SDK`.
+
+## Release Schedule & Stages
+
+### Release Schedule
+
+Apache TrustZone SDK follows a quarterly release cycle, aligned with [OP-TEE 
releases](https://optee.readthedocs.io/en/latest/general/releases.html).
+
+The upcoming release in 2025 is as follows:
+
+| Apache Teaclave SDK Release Version | optee-* Rust crate Release version | 
OP-TEE Version | OP-TEE Release Date | Teaclave SDK Pre-release on Github 
(approximately) | Teaclave SDK Finalized Release on Apache and `crates.io` 
(approximately) |
+|-------------------------------------|-------------------------------------|----------------|--------------------|----------------------------------------------------|--------------------------------------------------------------------------|
+| v0.7.0 | v0.7.0 | OP-TEE 4.8.0 | 17/Oct/25 | 31/Oct/25 | 14/Nov/25 |
+| v0.6.0 | v0.6.0 | OP-TEE 4.7.0 | 11/Jul/25 | 25/Jul/25 | 8/Aug/25 |
+
+**Note:** The table outlines the planned release schedule under normal 
circumstances. However, if there are no updates to the optee-* crates in the 
SDK during a given quarter, the release will be skipped and deferred to the 
following quarter.
+
+According to the Release Documentation in Teaclave community (link), the 
approximate timeline for v0.6.0:
+
+- **July 11** – OP-TEE 4.7.0 released
+- **July 12–18** – Prepare the release
+- **July 19–25** – Publish the pre-release on GitHub and start the vote
+- **July 25 – August 8** – Voting period
+- **August 8-15** – Post-release steps completed within one week
+
+The timeline is flexible and can be adjusted based on the actual circumstances.
+
+
+## Specific for TrustZone SDK
+
+### Publish on `crates.io`
+
+We maintain the optee-* Rust crates at <https://crates.io/search?q=optee>, 
which are released in sync with Apache releases.
+
+If the release manager needs permission to publish these crates, please 
contact Yuan for access.
+
+After the Apache release is finalized, we need to publish the crates:
+
+```bash
+cargo login
+cd [each-crates-dir] # should be in correct dependency order, e.g. first 
optee-teec-sys, then optee-teec
+cargo publish --dry-run  # check if ready, will not upload
+cargo publish # check and upload
+```
+
+### GitHub Action for Drafting Release Notes
+
+We use a GitHub Action to help categorize pull requests and generate a draft 
of the release notes. This makes the notes more readable and organized. The 
typical workflow is to first trigger the action, then manually edit the 
resulting draft as needed.
+
+Manually trigger the Github Action workflow to draft the release notes:
+
+1. Go to Actions → Draft Release Notes
+2. Click Run workflow
+3. Enter the Version to release (e.g. 0.5.0)
+4. Confirm to Run workflow
+
+After the workflow completes, a draft release will appear at:
+<https://github.com/apache/incubator-teaclave-trustzone-sdk/releases>
+
+The workflow categorizes the PRs according to their labels.
+
+Tips for improving the draft release notes:
+- Add a brief summary at the top to highlight the major changes. You can write 
it manually or generate it using AI.
+- Include sections such as “New Contributors” and “Changelog”. Note: Our 
custom GitHub Action does not generate these sections by default. To get these 
missing parts, you can click the "Generate Release Notes" button on the release 
editing page and copy the generated content into the draft.
+
+
+Please note that once a release is published (including pre-releases), its 
release notes can no longer be updated via GitHub Actions (manual edits are 
possible). If you need to update the release notes through Actions (e.g., to 
revise the release to rc.2 to include the new commits), you must first delete 
the existing release (e.g. tagged rc.1), then re-trigger the workflow.
+
+
+### Email template for voting
+
+````
+Title: [VOTE] Release Apache Teaclave TrustZone SDK (incubating) v$VERSION-$RC
+
+Hi all,
+
+I am pleased to be calling this vote for the release of
+Apache Teaclave TrustZone SDK (incubating) $VERSION ($RC).
+
+The release note is available in:
+- 
https://github.com/apache/incubator-teaclave-trustzone-sdk/releases/tag/v$VERSION-$RC
+
+The release candidate to be voted over is available at:
+- 
https://dist.apache.org/repos/dist/dev/incubator/teaclave/trustzone-sdk-$VERSION-$RC/
+
+The release candidate is signed with a GPG key available at:
+- https://downloads.apache.org/incubator/teaclave/KEYS 
+
+Instructions to verify the release candidate’s signature:
+- https://teaclave.apache.org/download/#verify-the-integrity-of-the-files
+
+A release checklist for reference:
+- 
https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist
+
+The release artifacts have passed all GitHub Actions CI checks. You can also 
reproduce the build process manually from source using the following commands:
+
+```bash
+$ wget 
https://dist.apache.org/repos/dist/dev/incubator/teaclave/trustzone-sdk-$VERSION-$RC/apache-teaclave-trustzone-sdk-$VERSION-incubating.tar.gz
+$ tar zxvf apache-teaclave-trustzone-sdk-$VERSION-incubating.tar.gz
+$ cd apache-teaclave-trustzone-sdk-$VERSION-incubating
+$ docker run --rm -it -v$(pwd):/teaclave-trustzone-sdk -w \
+/teaclave-trustzone-sdk yuanz0/teaclave-trustzone-sdk:ubuntu-24.04 \
+bash -c "./setup.sh && (./build_optee_libraries.sh optee) && source \
+environment && make && (cd ci && ./ci.sh)"
+```
+
+The vote will be open for at least 72 hours. Anyone can participate
+in testing and voting, not just committers, please feel free to try
+out the release candidate and provide your votes to this thread
+explicitly.
+
+[ ] +1 approve
+[ ] +0 no opinion
+[ ] -1 disapprove with the reason
+
+
+Best,
+$YOUR_NAME
+````
+
+
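Review bot: In the voting e-mail template, the reproduce-the-build command pulls `yuanz0/teaclave-trustzone-sdk:ubuntu-24.04` by a mutable tag, so the environment voters use to check the release candidate can change between the vote being called and a voter running the command. Consider referencing the image by digest (`yuanz0/teaclave-trustzone-sdk@sha256:<digest>`, with the digest filled in per release), or have the template state which image digest the CI run used. Separately, both references to the community release guide are still placeholders (`[Release Guide for the Teaclave Community](link)` at the top and "Teaclave community (link)" above the v0.6.0 timeline) and should point at real URLs before this is merged.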
diff --git a/scripts/release/make_release_artifacts.sh 
b/scripts/release/make_release_artifacts.sh
new file mode 100755
index 0000000..485b9e1
--- /dev/null
+++ b/scripts/release/make_release_artifacts.sh
@@ -0,0 +1,200 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -euo pipefail
+
+# ---------------- Modify for Each Release ---------------
+RELEASE_VERSION="0.5.0"
+RC_NUMBER="1"
+GPG_KEY_UID="YOUR_KEY_UID"
+
+ASF_USERNAME="${ASF_USERNAME:-your_asf_username}"
+ASF_PASSWORD="${ASF_PASSWORD:-your_asf_password}"
+# --------------------------------------------------------
+
+# ------------------- Specific for Repo ------------------
+# Name of Github Repo
+REPO_NAME="incubator-teaclave-trustzone-sdk"
+# Name of Apache release artifacts
+TAR_NAME="apache-teaclave-trustzone-sdk-${RELEASE_VERSION}-incubating"
+
+# SVN directory to put these artifacts
+SVN_RC_DIR="trustzone-sdk-${RELEASE_VERSION}-rc.${RC_NUMBER}"
+SVN_FINAL_DIR="trustzone-sdk-${RELEASE_VERSION}"
+# --------------------------------------------------------
+
+WORK_BASE_DIR="teaclave-release-tmp"
+TAR_TOP_DIR_NAME="${REPO_NAME}-${RELEASE_VERSION}"
+TAG="v${RELEASE_VERSION}-rc.${RC_NUMBER}"
+
+# SVN repository URLs
+SVN_DEV_BASE="https://dist.apache.org/repos/dist/dev/incubator/teaclave";
+SVN_RELEASE_BASE="https://dist.apache.org/repos/dist/release/incubator/teaclave";
+
+show_usage() {
+    echo "Usage: $0 <command>"
+    echo
+    echo "  prepare       : Package, sign, and verify release artifacts."
+    echo "  upload        : Verify existing artifacts and upload to Apache 
dist/dev SVN."
+    echo "  finalize      : Promote RC to final release and clean up RC 
artifacts."
+    echo "  clean         : Remove temporary working directory and artifacts."
+    echo
+    echo "Set these variables in the script before run:"
+    echo "  RELEASE_VERSION"
+    echo "  RC_NUMBER"
+    echo "  GPG_KEY_UID"
+    echo "  ASF_USERNAME (can override via env)"
+    echo "  ASF_PASSWORD (can override via env)"
+    echo
+    exit 1
+}
+
+verify_artifacts() {
+    echo "[INFO] Verifying artifacts: ${TAR_NAME}.tar.gz"
+
+    wget -q -O KEYS "${SVN_RELEASE_BASE}/KEYS"
+
+    mkdir -p tmp-keyring
+
+    if ! gpg --no-default-keyring --homedir tmp-keyring --import KEYS; then
+        echo "[WARN] gpg import returned an error. This may be caused by 
gpg-agent, but keys were still imported. Please make sure the verification 
passed in next step."
+    fi
+
+    echo "[INFO] Verifying GPG signature..."
+    gpgv --keyring tmp-keyring/pubring.kbx "${TAR_NAME}.tar.gz.asc" 
"${TAR_NAME}.tar.gz"
+
+    echo "[INFO] Verifying SHA512 checksum..."
+    sha512sum -c "${TAR_NAME}.tar.gz.sha512"
+
+    echo "[SUCCESS] Artifact verification passed."
+    rm -r tmp-keyring
+}
+
+# ---------------- Main ----------------
+
+if [ $# -eq 0 ]; then
+    show_usage
+fi
+
+case "$1" in
+    prepare)
+        echo "[INFO] Preparing release artifacts..."
+
+        mkdir -p "$WORK_BASE_DIR"
+        cd "$WORK_BASE_DIR"
+
+        echo "[INFO] Downloading tarball from GitHub tag: $TAG"
+        wget 
"https://github.com/apache/${REPO_NAME}/archive/refs/tags/${TAG}.tar.gz";
+        tar xzvf "${TAG}.tar.gz"
+        
+        mv "${REPO_NAME}-${RELEASE_VERSION}-rc.${RC_NUMBER}" 
"${TAR_TOP_DIR_NAME}"
+
+        echo "[INFO] Normalizing tarball metadata..."
+        MTIME=$(stat -f "%Sm" -t "%Y-%m-%d %H:%M:%S" 
"${TAR_TOP_DIR_NAME}/LICENSE")
+
+        # On macOS, use gnu-tar
+        if [[ $(uname) == "Darwin" ]]; then
+            if ! command -v gtar &> /dev/null; then
+                echo "[ERROR] GNU tar (gtar) is required. Please run: brew 
install gnu-tar"
+                exit 1
+            fi
+            TAR_CMD=gtar
+        else
+            TAR_CMD=tar
+        fi
+
+        ${TAR_CMD} --sort=name \
+            --owner=0 --group=0 --numeric-owner \
+            --mtime="${MTIME}" \
+            -cvf - "${TAR_TOP_DIR_NAME}" | gzip -n > "${TAR_NAME}.tar.gz"
+
+        echo "[INFO] Signing..."
+        gpg --detach-sign --armor -u "${GPG_KEY_UID}" "${TAR_NAME}.tar.gz"
+        sha512sum "${TAR_NAME}.tar.gz" > "${TAR_NAME}.tar.gz.sha512"
+
+        verify_artifacts
+        ;;
+
+    upload)
+        echo "[INFO] Uploading verified artifacts to Apache SVN..."
+
+        cd "$WORK_BASE_DIR"
+        verify_artifacts
+
+        echo "[INFO] Uploading to SVN..."
+        svn co --depth=files "${SVN_DEV_BASE}" svn-dev-teaclave
+        cd svn-dev-teaclave
+
+        mkdir "${SVN_RC_DIR}"
+        cp ../${TAR_NAME}.tar.gz{,.asc,.sha512} "${SVN_RC_DIR}/"
+        svn add "${SVN_RC_DIR}"
+        svn ci --username "${ASF_USERNAME}" --password "${ASF_PASSWORD}" -m 
"Add ${SVN_RC_DIR}"
+
+        echo "[SUCCESS] Uploaded ${SVN_RC_DIR} to Apache dist/dev SVN."
+        ;;
+
+
+    finalize)
+        echo "[INFO] Finalizing release: promoting RC to final..."
+
+        mkdir -p "$WORK_BASE_DIR"
+        cd "$WORK_BASE_DIR"
+ 
+        # If the directory already exists, this script will not remove or 
overwrite it, let the users handle this case.
+        if [ -d svn-dev-teaclave ]; then
+            echo "[ERROR] Directory 'svn-dev-teaclave' already exists. Please 
remove it before proceeding."
+            exit 1
+        fi
+
+        echo "[INFO] Checking out svn-dev-teaclave directory..."
+        svn co "${SVN_DEV_BASE}" svn-dev-teaclave
+        cd svn-dev-teaclave
+
+        echo "[INFO] Creating final release folder: ${SVN_FINAL_DIR}"
+        mkdir "${SVN_FINAL_DIR}"
+        cp -r "${SVN_RC_DIR}/"* "${SVN_FINAL_DIR}/"
+        svn add "${SVN_FINAL_DIR}"
+        svn ci --username "${ASF_USERNAME}" --password "${ASF_PASSWORD}" -m 
"Add ${REPO_NAME} ${RELEASE_VERSION} final release"
+
+        echo "[INFO] Copying from dev to release repository..."
+        export SVN_EDITOR=true
+        svn cp \
+            "${SVN_DEV_BASE}/${SVN_FINAL_DIR}/" \
+            "${SVN_RELEASE_BASE}/${SVN_FINAL_DIR}/" \
+            -m "Promote ${REPO_NAME} ${RELEASE_VERSION} to release"
+
+        echo "[INFO] Removing RC folder: ${SVN_RC_DIR}"
+        svn delete "${SVN_RC_DIR}"
+        svn ci --username "${ASF_USERNAME}" --password "${ASF_PASSWORD}" \
+            -m "${REPO_NAME}: delete old RCs"
+
+        echo "[SUCCESS] Finalized release ${RELEASE_VERSION}"
+        ;;
+
+    clean)
+        echo "[INFO] Cleaning up working directory: ${WORK_BASE_DIR}"
+        rm -rf "${WORK_BASE_DIR}"
+        echo "[SUCCESS] Cleaned up."
+        ;;
+
+    *)
+        show_usage
+        ;;
+esac
+
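Review bot: The `upload` and `finalize` branches pass the ASF password on the command line (`svn ci --username "${ASF_USERNAME}" --password "${ASF_PASSWORD}"`), which exposes it in the process list for the duration of each commit, and the "Modify for Each Release" block together with the usage text ("Set these variables in the script before run") invites hardcoding it in a file that lives in the repository. Suggest dropping the `your_asf_password` default so an unset variable fails fast (`ASF_PASSWORD="${ASF_PASSWORD:?ASF_PASSWORD is not set}"`), and either letting `svn` prompt or use its credential cache, or feeding the password with `--password-from-stdin`. In `prepare`, `stat -f "%Sm" -t "%Y-%m-%d %H:%M:%S"` is BSD/macOS syntax; with GNU `stat` the `-f` flag means file-system mode, so under `set -euo pipefail` the script aborts on Linux even though the `else` branch right below selects plain `tar` for non-Darwin hosts. Branch on `uname` for the mtime as well (for example `stat -c %y` on GNU). Also note that `finalize` promotes the RC directory to the release repository without calling `verify_artifacts`, unlike `prepare` and `upload`; running the signature and checksum check on the checked-out RC files before the `svn cp` would close that gap.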

