JFYI. Maybe worth exploring -Ayush
Begin forwarded message: > From: Volkan Yazıcı <vol...@yazi.ci> > Date: 19 July 2023 at 1:24:49 AM IST > To: d...@community.apache.org > Subject: Signing releases using automated release infra > Reply-To: d...@community.apache.org > > Abstract: Signing release artifacts using an automated release > infrastructure has been officially approved by LEGAL. This enables > projects to sign artifacts using, say, GitHub Actions. > > I have been trying to overhaul the Log4j release process and make it > as frictionless as possible since last year. As a part of that effort, > I wanted to sign artifacts in CI during deployment and in a > `members@a.o` thread[0] I explained how one can do that securely with > the help of Infra. That was in December 2022. It has been a long, > rough journey, but we succeeded. In this PR[1], Legal has updated the > release policy to reflect that this process is officially allowed. > Further, Infra put together guides[2][3] to assist projects. Logging > Services PMC has already successfully performed 4 Log4j Tools releases > using this approach, see its release process[4] for a demonstration. > > [0] (members only!) > https://lists.apache.org/thread/1o12mkjrhyl45f9pof94pskg55vhs61n > [1] https://github.com/apache/www-site/pull/235 > [2] https://infra.apache.org/release-publishing.html#signing > [3] https://infra.apache.org/release-signing.html#automated-release-signing > [4] https://github.com/apache/logging-log4j-tools/blob/master/RELEASING.adoc > > # F.A.Q. > > ## Why shall a project be interested in this? > > It greatly simplifies the release process. See Log4j Tools release > process[4], probably the simplest among all Java-based ASF projects. > > ## How can a project get started? > > 1. Make sure your project builds are reproducible (otherwise there is > no way PMC can verify the integrity of CI-produced and -signed > artifacts) > 2. Clone and adapt INFRA-23996 (GPG keys in GitHub secrets) > 3. Clone and adapt INFRA-23974 (Nexus creds. in GitHub secrets for > snapshot deployments) > 4. Clone and adapt INFRA-24051 (Nexus creds. in GitHub secrets for > staging deployments) > > You might also want to check this[5] GitHub Action workflow for inspiration. > > [5] > https://github.com/apache/logging-log4j-tools/blob/master/.github/workflows/build.yml > > ## Does the "automated release infrastructure" (CI) perform the full release? > > No. CI *only* uploads signed artifacts to Nexus. The release manager > (RM) still needs to copy the CI-generated files to SVN, PMC needs to > vote, and, upon consensus, RM needs to "close" the release in Nexus > and so on. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@community.apache.org > For additional commands, e-mail: dev-h...@community.apache.org >
