ASF INFRA allows for automated release signing via GitHub actions, as described here:

https://infra.apache.org/release-signing.html#automated-release-signing

In the past few weeks, a number of changes and pull requests have been created and/or merged in our various projects, and we've added the new github.com/apache/daffodil-infrastructure repository, which provides tools/utilities that help us meet the listed requirements. Specifically:

* All artifacts being signed can be built reproducibly

There are two outstanding pull requests that are soon to be merged that will resolve the remaining issues preventing reproducible builds. Additionally, the new daffodil-infrastructure repo defines a container with an environment similar to GitHub actions that allows for locally creating reproducible builds:

https://github.com/apache/daffodil-infrastructure/tree/main/containers/build-release

* CI deploys the artifacts to a staging environment

The new daffodil-infrastructure repo includes a custom GitHub action that will be used by our projects to easily build artifacts in GitHub actions and deploy them to the ASF staging environment (i.e. repository.apache.org and dist.apache.org/repos/dist/dev)

https://github.com/apache/daffodil-infrastructure/tree/main/actions/release-candidate

I have also created draft pull requests in the daffodil, daffodil-vscode, and daffodil-sbt repositories that use this action to build release candidates:

https://github.com/apache/daffodil/pull/1445

https://github.com/apache/daffodil-sbt/pull/94

https://github.com/apache/daffodil-vscode/pull/1184

(Note that these PRs are drafts and may have minor changes before merging.)

* The release procedure contains a validation step where all artifacts are reproduced on trusted hardware before publication to pages intended for end users

A new wiki page has been created that defines the steps and scripts to run to verify signatures, checksums, and build reproducibility, making use of the previously mentioned container.

https://cwiki.apache.org/confluence/display/DAFFODIL/Release+Verification

These steps use the previously mentioned container to locally build artifacts and a script to verify checksums, signatures, and reproducibility:

https://github.com/apache/daffodil-infrastructure/blob/main/scripts/check-release.sh

The new tag-based release workflow using the above actions has been created here:

https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=340037483

This workflow specifies that a VOTE cannot pass unless reproducibility has been verified.

Note that this new proposed release workflow is virtually identical to the existing workflow, except that the "Creating a Release Candidate" section is now simplified to just creating and pushing a single tag. That tag triggers the new GitHub actions to do all the necessary steps to build, sign, checksum, and stage artifacts in preparation for a release vote.
I ask that you look over this proposed workflow and see if there are any issues/concerns/questions. If there are no issues, please respond with a +1 so there is evidence of consensus for this change.

Once there is agreement, the next step is to begin a conversation with the ASF Security Team to approve this proposed workflow and work with INFRA to create signing keys and add them to our projects.
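The three checks the verification step above calls for (checksums, signatures, and reproducibility against a local rebuild), as an added shell example that is not the project's check-release.sh and not part of the original message. It assumes a layout in which the staged directory holds each artifact with a sidecar <name>.sha512 in sha512sum format and a detached armored <name>.asc, the local directory holds the same artifacts rebuilt from the release tag (for instance with the build-release container), and KEYS is the project's ASCII-armored public key list; the file names and directory layout are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the project's own script. Layout assumed:
#   STAGED/  artifact, artifact.sha512 (sha512sum format), artifact.asc
#   LOCAL/   the same artifact rebuilt locally from the release tag
#   KEYS     ASCII-armored public keys of the release signers
set -u

# verify_checksums STAGED: every <artifact>.sha512 must match its artifact.
# Returns 0 only if at least one .sha512 exists and all of them pass, so an
# empty directory cannot pass vacuously.
verify_checksums() {
  staged=$1 status=0 seen=0
  for sums in "$staged"/*.sha512; do
    [ -e "$sums" ] || break      # unexpanded glob: no checksum files at all
    seen=1
    # run inside the directory so the file name in the .sha512 line resolves
    if (cd "$staged" && sha512sum -c --strict --quiet "$(basename "$sums")") >/dev/null 2>&1; then
      echo "OK    checksum  $(basename "$sums")"
    else
      echo "FAIL  checksum  $(basename "$sums")"; status=1
    fi
  done
  [ "$seen" -eq 1 ] || { echo "FAIL  no .sha512 files in $staged"; return 1; }
  return $status
}

# verify_signatures STAGED KEYS: every <artifact>.asc must verify with a key
# imported from KEYS into a throwaway keyring, so the result does not depend
# on (or modify) whatever is in the verifier's own keyring.
verify_signatures() {
  staged=$1 keys=$2 status=0 seen=0
  GNUPGHOME=$(mktemp -d) || return 1
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  if ! gpg --batch --quiet --import "$keys" >/dev/null 2>&1; then
    echo "FAIL  cannot import keys from $keys"; rm -rf "$GNUPGHOME"; unset GNUPGHOME; return 1
  fi
  for sig in "$staged"/*.asc; do
    [ -e "$sig" ] || break
    seen=1
    artifact=${sig%.asc}
    if gpg --batch --verify "$sig" "$artifact" >/dev/null 2>&1; then
      echo "OK    signature $(basename "$artifact")"
    else
      echo "FAIL  signature $(basename "$artifact")"; status=1
    fi
  done
  rm -rf "$GNUPGHOME"; unset GNUPGHOME
  [ "$seen" -eq 1 ] || { echo "FAIL  no .asc files in $staged"; return 1; }
  return $status
}

# compare_reproduced STAGED LOCAL: every staged artifact (ignoring the .asc and
# .sha512 sidecars) must be byte-identical to the locally rebuilt one. Hashes
# are recomputed here rather than trusting the staged .sha512 files.
compare_reproduced() {
  staged=$1 local_dir=$2 status=0 seen=0
  for artifact in "$staged"/*; do
    [ -f "$artifact" ] || continue
    case $artifact in *.asc|*.sha512) continue ;; esac
    seen=1
    name=$(basename "$artifact")
    if [ ! -f "$local_dir/$name" ]; then
      echo "FAIL  reproduce $name (not produced by the local build)"; status=1; continue
    fi
    staged_sum=$(sha512sum "$artifact" | cut -d' ' -f1)
    local_sum=$(sha512sum "$local_dir/$name" | cut -d' ' -f1)
    if [ "$staged_sum" = "$local_sum" ]; then
      echo "OK    reproduce $name"
    else
      echo "FAIL  reproduce $name (staged $staged_sum, local $local_sum)"; status=1
    fi
  done
  [ "$seen" -eq 1 ] || { echo "FAIL  no artifacts in $staged"; return 1; }
  return $status
}

# check_release STAGED LOCAL KEYS: run all three checks; a candidate is only
# fit to vote on if every one of them passes.
check_release() {
  rc=0
  verify_checksums "$1" || rc=1
  verify_signatures "$1" "$3" || rc=1
  compare_reproduced "$1" "$2" || rc=1
  return $rc
}
```

Two points worth keeping in mind when adapting this: `gpg --verify` exits 0 for any good signature from a key in the keyring regardless of trust level, which is why the keyring is built only from KEYS rather than the verifier's own keys; and the reproducibility check deliberately rehashes the staged artifact instead of reusing its .sha512, so a staged checksum that was regenerated alongside a modified artifact still fails against the local rebuild.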
