+1 Great idea to automate stuff.

On Mon, Jul 10, 2023 at 2:58 PM Vladimir Sitnikov <
sitnikov.vladi...@gmail.com> wrote:

> Hi,
>
> I suggest using GitHub Actions to prepare and sign release artifacts.
> The ASF Security, Infra, and Legal teams have validated the process, so we
> should be good.
>
> See
> https://infra.apache.org/release-signing.html#automated-release-signing,
> https://github.com/apache/www-site/pull/235
>
> Note: GitHub only creates, and signs release files; it will not push the
> files to the ASF servers.
> Here's an outline of the suggested flow:
>
> 1) GitHub UI will have a button for "creating a release candidate"
>
> https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
> 2) GitHub creates the release candidate artifacts (source package,
> binaries, maven repository artifacts), and it signs them.
> The signing uses an Infra-provided machine PGP signing key.
> 3) Release manager would take the files from GitHub, and publish them to
> the ASF servers (SVN, Nexus).
> 4) Then we conduct the vote
> 5) As the vote passes, the release manager publishes the release
>
> The major difference is that the artifacts will be signed with a machine
> key rather than a private key of the release manager.
>
> In the long run, it will pave the way to using https://www.sigstore.dev/
> for signing releases.
>
> WDYT?
>
> +1 [ ] I support the idea
> -1 [ ] Do not implement it because...
>
> Vladimir
>


-- 
NaveenKumar Namachivayam
Performance Engineer, QAInsights
<http://github.com/qainsights> <http://youtube.com/qainsights>
<http://us.linkedin.com/in/naveenkumarn> <http://twitter.com/qainsights>
<http://facebook.com/naveenkumar%5C.namachivayam>
  naveenku...@hey.com
  https://qainsights.com
  Cincinnati, OH
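For readers who want to see what steps 1 and 2 of the proposed flow look like as a workflow, the following is an added illustration, not a workflow from the thread, from ASF Infra, or from any Apache project; the secret names (RELEASE_SIGNING_KEY, RELEASE_SIGNING_PASSPHRASE), the build command and the artifact paths are assumptions. The point it demonstrates is the separation Vladimir describes: the job builds and signs with the machine key, and its token cannot push anything to the ASF servers.

```yaml
# Added example (not an Apache or Infra workflow): a manually triggered job
# that builds and signs release-candidate artifacts but never publishes them.
# Secret names, build command and paths are assumptions for illustration.
name: release-candidate

on:
  workflow_dispatch:          # the "create a release candidate" button
    inputs:
      rc_tag:
        description: Release candidate tag to build, e.g. v1.2.3-rc1
        required: true

permissions:
  contents: read              # read-only token: the job cannot push to git

jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.rc_tag }}

      - name: Build source and binary packages
        run: ./gradlew clean build distZip   # assumed build command

      - name: Import the Infra-provided machine signing key
        env:
          KEY: ${{ secrets.RELEASE_SIGNING_KEY }}   # assumed secret name
        run: printf '%s' "$KEY" | gpg --batch --import

      - name: Sign and checksum every artifact
        env:
          PASS: ${{ secrets.RELEASE_SIGNING_PASSPHRASE }}   # assumed secret
        run: |
          set -eu
          for f in build/distributions/*; do
            gpg --batch --yes --pinentry-mode loopback --passphrase "$PASS" \
                --armor --detach-sign "$f"       # writes "$f.asc"
            sha512sum "$f" > "$f.sha512"
          done

      # The release manager downloads this bundle (step 3) and publishes it
      # to SVN/Nexus; nothing here talks to the ASF servers.
      - name: Keep the outputs as a workflow artifact for the release manager
        uses: actions/upload-artifact@v4
        with:
          name: release-candidate-artifacts
          path: build/distributions/*
```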
