Hi folks, in order to finalize the new release process, I created a ticket in the INFRA project: https://issues.apache.org/jira/browse/INFRA-25665
Then I had to involve the Apache Security Team for letting us use GitHub GPG keys. It seems that we have to adopt a release process similar to what our friends at OpenDAL did for their project: https://github.com/apache/opendal/blob/main/website/community/committers/verify.md#check-the-maven-artifacts-of-opendal-java This is because the GitHub CI platform is not a trusted hardware for the ASF, so for validating any new release, we have to build locally the same package and verify the GPG sign and the checksums. Here is the documentation of the OpenDAL check script: https://github.com/apache/opendal/tree/main/scripts I think that we could adopt exactly the same process. What do you think? Cheers, PG Il giorno ven 29 mar 2024 alle ore 20:13 Karl Wright <daddy...@gmail.com> ha scritto: > Svn url for review: > > https://dist.apache.org/repos/dist/dev/manifoldcf/apache-manifoldcf-2.26 > > Our area in this svn: > > https://dist.apache.org/repos/dist/dev/manifoldcf > <https://dist.apache.org/repos/dist/dev/manifoldcf/apache-manifoldcf-2.26> > > Our area for releases in this svn: > > https://dist.apache.org/repos/dist/release/manifoldcf > <https://dist.apache.org/repos/dist/dev/manifoldcf/apache-manifoldcf-2.26> > > To move a release candidate from one to the other (e.g. do the release): > > svn move > https://dist.apache.org/repos/dist/dev/manifoldcf/apache-manifoldcf-2.26 > > https://dist.apache.org/repos/dist/release/manifoldcf/apache-manifoldcf-2.26 > <https://dist.apache.org/repos/dist/dev/manifoldcf/apache-manifoldcf-2.26> > > > > On Fri, Mar 29, 2024 at 3:09 PM Karl Wright <daddy...@gmail.com> wrote: > > > The script as it exists now (release.bat) creates the release artifacts, > > signs them, and copies them into the svn development area. To actually > > release, you then just need to move them (using svn move) to the release > > part of the area. > > > > The machine I used to do this on died but the svn URL for the dev area is > > the one I would send around for the review and signoff for the releases. > > Let me look it up. > > > > > > > > > > On Fri, Mar 29, 2024 at 11:44 AM Piergiorgio Lucidi < > > piergior...@apache.org> wrote: > > > >> The open points now are related to the last two steps of our workflow: > >> > >> - Generating the file hashes using a shared GPG secret (in > progress...) > >> - Updating SVN public folders for publishing releases (TODO) > >> > >> We should agree with the Automated Release Process before proceeding: > >> > >> > https://issues.apache.org/jira/browse/INFRA-25665?focusedCommentId=17832209&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17832209 > >> > >> Practically INFRA will generate a new GPG key and they will add the > public > >> key into the ManifoldCF KEYS file. > >> This will let us manage the generation of file hashes using a GitHub > >> actions. > >> > >> Do you all agree with this? > >> Please let me know. > >> Thanks. > >> > >> Cheers, > >> PG > >> > >> Il giorno mar 26 mar 2024 alle ore 17:19 Karl Wright < > daddy...@gmail.com> > >> ha scritto: > >> > >> > Well we obviously need something that works, and just updating the > >> script > >> > to use github commands is one way to do that and would generate > releases > >> > like we do now. > >> > > >> > > >> > > >> > On Tue, Mar 12, 2024 at 9:00 AM Piergiorgio Lucidi < > >> piergior...@apache.org > >> > > > >> > wrote: > >> > > >> > > Hi Karl, > >> > > > >> > > I tried to look at the current process but It's not clear to me what > >> > > I should do now. > >> > > Should I just use svn commands from GitHub in order to execute the > >> same > >> > > steps? > >> > > Or do we have an alternative way without using svn? > >> > > > >> > > Do you know if we have something GitHub-centric for managing > releases? > >> > > > >> > > Cheers, > >> > > PG > >> > > > >> > > Il giorno mar 5 mar 2024 alle ore 21:53 Karl Wright < > >> daddy...@gmail.com> > >> > > ha > >> > > scritto: > >> > > > >> > > > Very good! > >> > > > > >> > > > In the past we've often had to add new commits to the release > branch > >> > and > >> > > > create a new RC. The RCs have to be copied into the staging area > >> (in > >> > an > >> > > > svn repo) and then when actually released there's a simple svn > >> command > >> > to > >> > > > do that. Are you familiar with that process? For this reason it > >> may > >> > be > >> > > > better to separate the creation of the release branch from > >> everything > >> > > else. > >> > > > > >> > > > Karl > >> > > > > >> > > > > >> > > > On Tue, Mar 5, 2024 at 9:23 AM Piergiorgio Lucidi < > >> > > piergior...@apache.org> > >> > > > wrote: > >> > > > > >> > > > > Hi folks, > >> > > > > > >> > > > > I have just pushed a potential GitHub workflow for creating the > >> > release > >> > > > > candidate branch and artifacts [1]. The related issue is > >> available in > >> > > > JIRA > >> > > > > [2]. > >> > > > > > >> > > > > We need to test it but I think that it could be something close > to > >> > what > >> > > > we > >> > > > > need: > >> > > > > > >> > > > > 1. Create the new branch > >> > > > > 2. Update CHANGES.txt, build.xml and all the poms > >> > > > > 3. Run the Ant build > >> > > > > 4. Run the Maven build (if we want to push artifacts on public > >> repos) > >> > > > > 5. Check licenses using Apache RAT > >> > > > > 6. Commit and push the new branch > >> > > > > 7. Upload artifacts as GitHub release assets > >> > > > > > >> > > > > Any feedback? > >> > > > > Thanks everyone. > >> > > > > > >> > > > > Cheers, > >> > > > > PG > >> > > > > > >> > > > > [1] - > >> > > > > > >> > > > > > >> > > > > >> > > > >> > > >> > https://github.com/apache/manifoldcf/blob/CONNECTORS-1754/.github/workflows/create-release-candidate.yml > >> > > > > > >> > > > > [2] - https://issues.apache.org/jira/browse/CONNECTORS-1754 > >> > > > > -- > >> > > > > Piergiorgio > >> > > > > > >> > > > > >> > > > >> > > > >> > > -- > >> > > Piergiorgio > >> > > > >> > > >> > >> > >> -- > >> Piergiorgio > >> > > > -- Piergiorgio
