Hi all,

I'm currently going to rework the release process a little bit in order to avoid the use of GPG secrets in GitHub Workflows. This is because we don't know how long it could take waiting for the Apache Security Team confirmation.

Today I updated the new Release Process page with all the details for creating a complete new release [1].

We will start by running the GitHub workflow and then we will run a dedicated script for signing binaries and a command for publishing Maven artifacts. This will allow us to create a new release candidate for the end of September. Eventually we could reconsider an easier solution for the next release.

Cheers,
PG

[1] - https://cwiki.apache.org/confluence/display/CONNECTORS/New+Release+Process+in+GitHub

On Tue, 20 Aug 2024 at 15:26, Piergiorgio Lucidi <piergior...@apache.org> wrote:

> Hi Chris,
>
> Thank you for your message and I apologize if my report did not include
> all the details of the case.
> I probably took some information for granted, my fault.
>
> Before enabling writes on the GitHub repository the release process was
> based on Python scripts requiring SVN write permissions and a
> Windows environment.
> Those scripts had to be executed manually from the laptop of the release
> manager (Karl Wright).
>
> Then we started to consider a different release process after enabling
> read-only mode on SVN and I raised a specific ticket to INFRA [1] about
> this, asking to eventually use a GPG key as a service account in our GitHub
> Workflows. This is because I saw other Apache projects following a similar
> approach and you can also see that Daniel Gruno confirmed this in the
> ticket.
>
> Considering that now we have GitHub with read and write access and SVN in
> read-only mode, I mean in the current state without GPG keys, we don't have
> any script or documented procedure for doing releases. GitHub workflows are
> completed but only work if a GPG key is available in the GitHub repository.
>
> If it is not possible to automate everything in GitHub workflows, we can
> refactor them in order to require a manual step for publishing all the
> artifacts.
> But at the moment it's not clear to me what to do to finalize the new
> release process because the Apache Security Team didn't give us any more
> feedback.
>
> Maybe the updated work on these workflows on a separate branch is a
> little bit confusing for everyone; I could eventually merge all the recent
> changes into the main trunk.
>
> Please let us know what you think.
> Thank you again for your support.
>
> Cheers,
> PG
>
> [1] - https://issues.apache.org/jira/browse/INFRA-25665
>
>
> On Tue, 20 Aug 2024 at 09:09, Christofer Dutz <cd...@apache.org> wrote:
>
>> Hi all,
>>
>> while reading your current board report, I came across the problem with
>> using GPG keys on GitHub Actions. You mentioned that until that's resolved,
>> you're stuck doing releases.
>>
>> May I ask why?
>>
>> All other projects have no issues with releasing without GitHub Actions.
>> Also, I see quite a risk here in uploading a person's GPG key to a machine
>> we have no control over.
>>
>> Chris
>>
>
>
> --
> Piergiorgio

--
Piergiorgio
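As an added illustration of the "dedicated script for signing binaries" step discussed above (this is not ManifoldCF's own script or part of the thread), the following hypothetical helper signs the artifacts produced by CI on the release manager's machine, so the private key never has to be stored as a GitHub secret. It assumes GnuPG 2.2+ and GNU coreutils; the demo uses a constructed throwaway key and a constructed payload in place of a real release key and artifact.

```shell
#!/bin/sh
# Hypothetical local release-signing helper (not the project's own script).
# Produces Apache-style <artifact>.sha512 and armored <artifact>.asc files.
set -eu

sign_release() {
  dir=$1; signer=$2
  for f in "$dir"/*.tar.gz "$dir"/*.zip; do
    [ -f "$f" ] || continue
    # Checksum in the format sha512sum -c understands (Apache distribution convention)
    (cd "$dir" && sha512sum "$(basename "$f")" > "$(basename "$f").sha512")
    # Detached armored signature; the private key stays in the local keyring only
    gpg --batch --yes --armor --detach-sign --local-user "$signer" \
        --output "$f.asc" "$f"
  done
}

verify_release() {
  # What a voter or downstream user runs: checksum, then signature, per artifact
  dir=$1
  for f in "$dir"/*.tar.gz "$dir"/*.zip; do
    [ -f "$f" ] || continue
    (cd "$dir" && sha512sum -c "$(basename "$f").sha512" >/dev/null 2>&1) || return 1
    gpg --batch --verify "$f.asc" "$f" >/dev/null 2>&1 || return 1
  done
  return 0
}

demo_sign_and_verify() {
  work=$(mktemp -d)
  # Isolated keyring with a constructed throwaway key (stand-in for the RM's key)
  export GNUPGHOME="$work/gnupg"; mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Throwaway RM <rm@example.invalid>' default default never \
      >/dev/null 2>&1
  mkdir "$work/dist"
  # Constructed artifact: stands in for a CI-built source tarball
  printf 'constructed release payload\n' > "$work/dist/apache-sample-1.0-src.tar.gz"
  sign_release "$work/dist" 'rm@example.invalid'
  verify_release "$work/dist" || return 1
  # Tampering after signing must be detected by the verifier
  printf 'tampered payload\n' > "$work/dist/apache-sample-1.0-src.tar.gz"
  if verify_release "$work/dist"; then return 1; fi
  return 0
}
```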