Piotr, note that the build must be reproducible
<https://infra.apache.org/release-signing.html#automated-release-signing> for
CI-based signing. If this is not the case for Log4cxx, could you also
address that in your PR, please?

On Wed, Oct 9, 2024 at 9:09 AM Piotr P. Karwasz <piotr.karw...@gmail.com>
wrote:

> On Wed, 9 Oct 2024 at 08:36, Stephen Webb <swebb2...@gmail.com> wrote:
> >
> > That would be much simpler. I was not aware that option was available. Is
> > there an example I can copy?
>
> We use `actions/setup-java` in our workflows[1], which can also
> install a GPG key on the GitHub runner (and clears it when the action
> ends/fails).
> You probably could use `crazy-max/ghaction-import-gpg` in Log4cxx to
> just install the GPG key.
>
> To speed up the process, I have opened INFRA-29194[3] to request the
> addition of our shared GPG key and `dev` Subversion credentials to the
> `logging-log4cxx`.
> Once this is done, I can submit a PR that enhances the release workflow.
>
> Piotr
>
> [1]
> https://github.com/apache/logging-parent/blob/428d9ede494f54358c6f004b07f7e40f8f33d3ab/.github/workflows/merge-dependabot-reusable.yaml#L70-L79
> [2] https://github.com/crazy-max/ghaction-import-gpg
> [3] https://issues.apache.org/jira/browse/INFRA-26194
>
