Copilot commented on code in PR #311:
URL: https://github.com/apache/groovy-geb/pull/311#discussion_r2909436725
##########
RELEASING.md:
##########
@@ -44,12 +44,18 @@ limitations under the License.
11. `git push` the version branch and tag to GitHub
12. `read -s APACHE_PW` and enter your password at the prompt
13. Run `./gradlew --no-build-cache publishJarsAndManual -x
:integration:geb-gradle:publishPlugins -PapacheUser=jonnybot
-PapachePassword="${APACHE_PW}"`
-14. Start the vote process on the groovy-dev mailing list. It will need at
least 72 hours of remaining open and receive at least three affirmative votes
from the Groovy PMC. See the [Apache Voting
process](https://www.apache.org/foundation/voting.html) for more detail.
Mention significant breaking changes if there are any.
-15. Assuming the vote passes (at least three +1 votes from the PMC), you can
take the following steps to finalize the release.
-16. Email the vote thread to note that the vote has passed, with a final tally
of the votes.
-17. Ask a member of the PMC to copy the artifacts from the staging directory
in subversion to `groovy-release/geb/${VERSION}` and commit them to subversion,
as above.
-18. Ask a member of the PMC to release the staging repository at
https://repository.apache.org/#stagingRepositories
-19. Release the Gradle plugins with `./gradlew
:integration:geb-gradle:publishPlugins`
+14. Verify the staged release. Run the automated verification script from the
project root:
+ ```bash
+ etc/bin/verify.sh dev «version» /tmp/geb-«version»-verify
+ ```
+ This downloads the staged artifacts, verifies checksums and GPG
signatures, checks for required files, and runs the RAT license audit. The
individual scripts in `etc/bin/` can also be run separately — see their header
comments for details.
+15. Verify the build is reproducible per [ASF Security
policy](https://cwiki.apache.org/confluence/display/SECURITY/Reproducible+Builds)
by running `etc/bin/test-reproducible-builds.sh` and comparing the
locally-built jar checksums against the staged artifacts.
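Review bot: step 14 says the script "verifies checksums and GPG signatures" but never names the trust anchor for that signature check; add a sentence saying the signing key must be present in the project's KEYS file (or its fingerprint verified against a trusted copy) and that `verify.sh` checks against that key, since a signature by an arbitrary key tells the release manager nothing. Step 15 should likewise say exactly what `etc/bin/test-reproducible-builds.sh` compares; as written it promises a comparison against the staged artifacts, which is the property that matters for a release (a staged jar differing from a clean local build is the supply-chain signal), so either the script or the sentence needs to change. Minor: the unchanged step 13 still hardcodes `-PapacheUser=jonnybot`; a placeholder like `-PapacheUser=«user»` would match the `«version»` convention introduced in step 14.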
Review Comment:
Step 15 says to compare locally-built jar checksums against the staged
artifacts, but `etc/bin/test-reproducible-builds.sh` only compares two local
builds against each other and doesn’t fetch/compare staged jars. Please update
the docs to match what the script actually verifies, or extend the tooling to
perform the staged-vs-local comparison described here.
```suggestion
15. Verify the build is reproducible per [ASF Security
policy](https://cwiki.apache.org/confluence/display/SECURITY/Reproducible+Builds)
by running `etc/bin/test-reproducible-builds.sh`, which performs two local
builds and compares the resulting jar checksums to confirm they are identical.
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
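The staged-vs-local comparison the review comment asks for, written out as an added shell example; this is not the groovy-geb project's own tooling and not `etc/bin/test-reproducible-builds.sh`. It assumes a directory of staged jars with `sha512sum`-style sidecar `.sha512` files beside them and a directory of locally built jars with the same file names; the fixture it builds is constructed sample data, not real Geb artifacts.

```shell
#!/bin/sh
# Added example: check staged artifacts against their published SHA-512
# sidecars, then against a clean local build. Not project code; the directory
# layout and sidecar format are assumptions for the demo.
set -u

# Portable SHA-512: coreutils sha512sum on Linux, shasum on macOS/BSD.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# Verify every staged jar against its sidecar .sha512 file. Assumes the
# "<hex digest>  <filename>" format written by sha512sum; sidecars produced by
# `gpg --print-md` use grouped hex and would need normalising first.
# Returns 0 when every jar has a matching sidecar, 1 otherwise.
verify_staged_checksums() {
  staged="$1"; rc=0
  for f in "$staged"/*.jar; do
    [ -e "$f" ] || continue
    if [ ! -f "$f.sha512" ]; then
      echo "MISSING CHECKSUM: $(basename "$f")" >&2; rc=1; continue
    fi
    expected=$(awk '{print tolower($1)}' "$f.sha512")
    actual=$(sha512_of "$f")
    if [ "$expected" != "$actual" ]; then
      echo "BAD CHECKSUM: $(basename "$f")" >&2; rc=1
    fi
  done
  return $rc
}

# Compare each staged jar with the same-named jar from a local build. A staged
# jar with no local counterpart is also an error: an artifact slipped into the
# staging repository would otherwise pass unnoticed. Returns 0 only if every
# staged jar is byte-for-byte reproduced locally (same digest).
compare_staged_to_local() {
  staged="$1"; local_dir="$2"; rc=0
  for f in "$staged"/*.jar; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    if [ ! -f "$local_dir/$name" ]; then
      echo "NOT BUILT LOCALLY: $name" >&2; rc=1; continue
    fi
    if [ "$(sha512_of "$f")" != "$(sha512_of "$local_dir/$name")" ]; then
      echo "DIFFERS FROM LOCAL BUILD: $name" >&2; rc=1
    fi
  done
  return $rc
}

# Constructed fixture standing in for a staging repo and two local builds
# (one faithful, one with a tampered jar). Small text files, not real jars.
make_fixture() {
  root="$1"
  mkdir -p "$root/staged" "$root/local-good" "$root/local-bad"
  printf 'geb-core' > "$root/staged/geb-core-1.0.jar"
  printf 'geb-spock' > "$root/staged/geb-spock-1.0.jar"
  for j in geb-core geb-spock; do
    sha512_of "$root/staged/$j-1.0.jar" > "$root/staged/$j-1.0.jar.sha512"
    cp "$root/staged/$j-1.0.jar" "$root/local-good/"
  done
  cp "$root/staged/geb-core-1.0.jar" "$root/local-bad/"
  printf 'geb-spock-tampered' > "$root/local-bad/geb-spock-1.0.jar"
}

main() {
  root=$(mktemp -d)
  make_fixture "$root"
  verify_staged_checksums "$root/staged" && echo "staged checksums OK"
  compare_staged_to_local "$root/staged" "$root/local-good" \
    && echo "local build reproduces staging"
  compare_staged_to_local "$root/staged" "$root/local-bad" \
    || echo "mismatch detected in local-bad (expected)"
  rm -rf "$root"
}

main
```

Pointing `compare_staged_to_local` at a real staging download and the output of a clean local build turns the reproducibility claim into a check that fails loudly on the artifact that matters, rather than on two builds from the same machine.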