+1 too

On Tue, 11 Jul 2023 at 10:09, Milamber <milam...@apache.org> wrote:

>
> On 10/07/2023 19:58, Vladimir Sitnikov wrote:
> > Hi,
> >
> > I suggest using GitHub Actions to prepare and sign release artifacts.
> > The ASF Security, Infra, and Legal teams have validated the process, so we
> > should be good.
> >
> > See
> > https://infra.apache.org/release-signing.html#automated-release-signing,
> > https://github.com/apache/www-site/pull/235
> >
> > Note: GitHub only creates and signs release files; it will not push the
> > files to the ASF servers.
> > Here's an outline of the suggested flow:
> >
> > 1) GitHub UI will have a button for "creating a release candidate"
> > https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
> > 2) GitHub creates the release candidate artifacts (source package,
> > binaries, maven repository artifacts), and it signs them.
> > The signing uses an Infra-provided machine PGP signing key.
> > 3) The release manager would take the files from GitHub and publish them to
> > the ASF servers (SVN, Nexus).
> > 4) Then we conduct the vote.
> > 5) As the vote passes, the release manager publishes the release.
> >
> > The major difference is that the artifacts will be signed with a machine
> > key rather than a private key of the release manager.
> >
> > In the long run, it will pave the way to using https://www.sigstore.dev/
> > for signing releases.
> >
> > WDYT?
> >
> > +1 [ ] I support the idea
> >
> +1 seems good
>
> > -1 [ ] Do not implement it because...
> >
> > Vladimir
> >
> >
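For readers who want to see what steps 1 and 2 of the proposed flow look like in practice, here is a sketch of a workflow_dispatch job that builds a release candidate, signs each artifact with a PGP key held in repository secrets, and uploads the result for the release manager to fetch. This is an added illustration, not the project's actual workflow nor the Infra-provided configuration; the secret names (RELEASE_GPG_PRIVATE_KEY, RELEASE_GPG_PASSPHRASE), the Gradle tasks, the output directory and the artifact name are assumptions.

```yaml
# Added example (not the project's own workflow): a manually triggered job that
# builds a release candidate, signs every artifact with the machine PGP key
# stored in repository secrets, and uploads the files as a workflow artifact.
# Secret names, build tasks and the output directory are assumptions.
name: release-candidate

on:
  workflow_dispatch:                 # the "create a release candidate" button
    inputs:
      rc:
        description: "Release candidate number, e.g. 1"
        required: true
        default: "1"

permissions:
  contents: read                     # the job never pushes anywhere; upload to ASF stays manual

jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build release artifacts
        run: ./gradlew build distZip distTar        # assumed task names

      - name: Import the machine signing key
        env:
          GPG_PRIVATE_KEY: ${{ secrets.RELEASE_GPG_PRIVATE_KEY }}   # ASCII-armored secret key
        run: printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import

      - name: Sign artifacts and write checksums
        env:
          GPG_PASSPHRASE: ${{ secrets.RELEASE_GPG_PASSPHRASE }}
        run: |
          set -euo pipefail
          cd build/distributions                   # assumed output directory
          for f in *.zip *.tgz; do
            # passphrase goes in on stdin, not on the command line
            printf '%s' "$GPG_PASSPHRASE" | gpg --batch --yes \
                --pinentry-mode loopback --passphrase-fd 0 \
                --armor --detach-sign --output "$f.asc" "$f"
            sha512sum "$f" > "$f.sha512"
            gpg --verify "$f.asc" "$f"             # fail fast if the signature is bad
          done

      - name: Upload the release candidate for the release manager
        uses: actions/upload-artifact@v4
        with:
          name: release-candidate-rc${{ inputs.rc }}
          path: build/distributions/
```

The job ends at the upload step on purpose: as the proposal says, GitHub only creates and signs the files, and the release manager still downloads them and publishes to SVN and Nexus by hand. Voters verify the `.asc` files against the project's KEYS file exactly as before, so the public half of the machine key has to be published there like any other release key.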