GitHub user Xuanwo edited a discussion: discuss: Automate OpenDAL Release
Hello everyone, I'm starting this thread to discuss whether it's possible to fully automate the OpenDAL release process.

## Goal

- The Release Manager no longer needs to handle tedious tasks. CI will manage artifact signing and SVN uploads.
- Committers no longer need to perform manual verifications. CI will handle all verification steps within the release workflow.
- The community no longer needs to wait 72 hours. OpenDAL PMC members should review the CI verification source code and logs to cast their votes. Once three votes are collected, the Release Manager can push the official tag.

For each release, the following steps are required:

- The Release Manager should push SOME RC tags and ONE release tag, with no additional actions.
- The Committer should review ONE verification code and logs to cast ONE vote, with no further actions.

The verification log will be saved and uploaded to the GitHub release as part of the release for future reference.

## Implement

Most of the work will take place in CI, with details not elaborated here. Most of it is simply implementation.

To make this possible, we will need a dedicated SVN account to carry out the upload process on behalf of the OpenDAL community.

We will not depend on GPG key signing. Instead, we will integrate with [sigstore](https://www.sigstore.dev/) and mechanisms like [GitHub Artifact Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) to make sure the artifacts are not changed.

- Users are assured that these artifacts are produced by our workflow.
- Users can visit our provenance through a public registry.
- Users can verify our releases using tools like Sigstore or `gh`.

All of this ensures we provide better guarantees than a simple GPG signature.

## Context

Inspired by my post: [What did ASF do wrong?](https://xuanwo.io/2024/09-what-did-asf-do-wrong/).
The OpenDAL PMC is the first PMC to undertake such experimentation. I thoroughly verified that we are not in violation of the ASF release policy: https://www.apache.org/legal/release-policy.html

GitHub link: https://github.com/apache/opendal/discussions/5350
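Added example, not part of the original post or of OpenDAL's code: a Python sketch of the claims a verifier checks in a GitHub-style build provenance statement after its signature has been verified, namely that the subject digest matches the artifact and that the workflow belongs to the expected repository. The names `check_statement` and `make_sample`, the policy value and the sample envelope are constructed for illustration.

```python
import base64
import hashlib
import json

# Assumed policy value for this sketch, not taken from OpenDAL's workflow.
EXPECTED_REPO = "https://github.com/apache/opendal"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
TYPES = ("https://in-toto.io/Statement/v1", "https://slsa.dev/provenance/v1")


def check_statement(envelope, artifact, expected_repo=EXPECTED_REPO):
    """Return policy failures for a DSSE-wrapped in-toto statement ([] = pass).
    Claims only: signature verification (gh, Sigstore) must already have passed."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return ["unexpected DSSE payloadType"]
    try:
        stmt = json.loads(base64.b64decode(envelope["payload"], validate=True))
    except (KeyError, ValueError):
        return ["payload is not base64-encoded JSON"]
    if not isinstance(stmt, dict):
        return ["statement is not a JSON object"]
    failures = []
    if (stmt.get("_type"), stmt.get("predicateType")) != TYPES:
        failures.append("not an in-toto v1 / SLSA provenance v1 statement")
    # The statement must name this exact artifact by SHA-256 digest.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in stmt.get("subject", [])):
        failures.append("artifact digest not listed in subject")
    # The provenance must point at a workflow in the expected repository.
    workflow = (stmt.get("predicate", {}).get("buildDefinition", {})
                .get("externalParameters", {}).get("workflow", {}))
    if workflow.get("repository") != expected_repo:
        failures.append("built by a workflow in another repository")
    return failures


def make_sample(artifact, repo):
    """Constructed, unsigned envelope used as sample input."""
    stmt = {
        "_type": TYPES[0],
        "predicateType": TYPES[1],
        "subject": [{"name": "sample.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicate": {"buildDefinition": {"externalParameters": {"workflow": {"repository": repo}}}},
    }
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return {"payloadType": PAYLOAD_TYPE, "payload": payload, "signatures": []}
```

An empty list from `check_statement` means the claims match the policy; it says nothing about who signed the statement, which is what the signature and transparency-log checks in `gh` or Sigstore tooling establish.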