ASF INFRA allows for automated release signing via GitHub Actions, as described
here:

https://infra.apache.org/release-signing.html#automated-release-signing

In the past few weeks, a number of changes and pull requests have been created
and/or merged in our various projects, and we've added the new
github.com/apache/daffodil-infrastructure repository that adds tools/utilities
that help us meet the listed requirements. Specifically:
* All artifacts being signed can be built reproducibly

There are two outstanding pull requests, soon to be merged, that will resolve
the remaining issues preventing reproducible builds. Additionally, the new
daffodil-infrastructure repo defines a container with an environment similar to
GitHub Actions that allows for locally creating reproducible builds:

https://github.com/apache/daffodil-infrastructure/tree/main/containers/build-release
* CI deploys the artifacts to a staging environment

The new daffodil-infrastructure repo includes a custom GitHub Action that will
be used by our projects to easily build artifacts in GitHub Actions and deploy
them to the ASF staging environment (i.e. repository.apache.org and
dist.apache.org/repos/dist/dev):

https://github.com/apache/daffodil-infrastructure/tree/main/actions/release-candidate

I have also created draft pull requests in the daffodil, daffodil-vscode, and
daffodil-sbt repositories that use this action to build release candidates:

https://github.com/apache/daffodil/pull/1445
https://github.com/apache/daffodil-sbt/pull/94
https://github.com/apache/daffodil-vscode/pull/1184

(Note that these PRs are drafts and may have minor changes before merging.)
* The release procedure contains a validation step where all artifacts are
reproduced on trusted hardware before publication to pages intended for end users

A new wiki page has been created that defines the steps and scripts to run to
verify signatures, checksums, and build reproducibility, making use of the
previously mentioned container:

https://cwiki.apache.org/confluence/display/DAFFODIL/Release+Verification

These steps use the previously mentioned container to locally build artifacts
and a script to verify checksums, signatures, and reproducibility:

https://github.com/apache/daffodil-infrastructure/blob/main/scripts/check-release.sh
The new tag-based release workflow using the above actions has been created
here:

https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=340037483

This workflow specifies that a VOTE cannot pass unless reproducibility has been
verified.

Note that this new proposed release workflow is virtually identical to the
existing workflow, except that the "Creating a Release Candidate" section is now
simplified to just creating and pushing a single tag. That tag triggers the new
GitHub Actions to do all the necessary steps to build, sign, checksum, and stage
artifacts in preparation for a release vote.

I ask that you look over this proposed workflow and see if there are any
issues/concerns/questions. If there are no issues, please respond with a +1 so
there is evidence of consensus for this change.

Once there is agreement, the next step is to begin a conversation with the ASF
Security Team to approve this proposed workflow and work with INFRA to create
signing keys and add them to our projects.