Yep, thirdparty could be a good candidate to try; building a thirdparty release is relatively easy as well.
-Ayush

On Thu, 20 Jul 2023 at 15:25, Steve Loughran <ste...@cloudera.com> wrote:
>
> could be good.
>
> why not set it up for the third-party module first to see how well it works?
>
> On Tue, 18 Jul 2023 at 21:05, Ayush Saxena <ayush...@gmail.com> wrote:
>>
>> Something we can explore as well!!
>>
>> -Ayush
>>
>> Begin forwarded message:
>>
>> > From: Volkan Yazıcı <vol...@yazi.ci>
>> > Date: 19 July 2023 at 1:24:49 AM IST
>> > To: d...@community.apache.org
>> > Subject: Signing releases using automated release infra
>> > Reply-To: d...@community.apache.org
>> >
>> > Abstract: Signing release artifacts using an automated release
>> > infrastructure has been officially approved by LEGAL. This enables
>> > projects to sign artifacts using, say, GitHub Actions.
>> >
>> > I have been trying to overhaul the Log4j release process and make it
>> > as frictionless as possible since last year. As a part of that effort,
>> > I wanted to sign artifacts in CI during deployment and in a
>> > `members@a.o` thread[0] I explained how one can do that securely with
>> > the help of Infra. That was in December 2022. It has been a long,
>> > rough journey, but we succeeded. In this PR[1], Legal has updated the
>> > release policy to reflect that this process is officially allowed.
>> > Further, Infra put together guides[2][3] to assist projects. Logging
>> > Services PMC has already successfully performed 4 Log4j Tools releases
>> > using this approach, see its release process[4] for a demonstration.
>> >
>> > [0] (members only!)
>> > https://lists.apache.org/thread/1o12mkjrhyl45f9pof94pskg55vhs61n
>> > [1] https://github.com/apache/www-site/pull/235
>> > [2] https://infra.apache.org/release-publishing.html#signing
>> > [3] https://infra.apache.org/release-signing.html#automated-release-signing
>> > [4]
>> > https://github.com/apache/logging-log4j-tools/blob/master/RELEASING.adoc
>> >
>> > # F.A.Q.
>> >
>> > ## Why shall a project be interested in this?
>> >
>> > It greatly simplifies the release process. See Log4j Tools release
>> > process[4], probably the simplest among all Java-based ASF projects.
>> >
>> > ## How can a project get started?
>> >
>> > 1. Make sure your project builds are reproducible (otherwise there is
>> > no way PMC can verify the integrity of CI-produced and -signed
>> > artifacts)
>> > 2. Clone and adapt INFRA-23996 (GPG keys in GitHub secrets)
>> > 3. Clone and adapt INFRA-23974 (Nexus creds. in GitHub secrets for
>> > snapshot deployments)
>> > 4. Clone and adapt INFRA-24051 (Nexus creds. in GitHub secrets for
>> > staging deployments)
>> >
>> > You might also want to check this[5] GitHub Action workflow for
>> > inspiration.
>> >
>> > [5]
>> > https://github.com/apache/logging-log4j-tools/blob/master/.github/workflows/build.yml
>> >
>> > ## Does the "automated release infrastructure" (CI) perform the full
>> > release?
>> >
>> > No. CI *only* uploads signed artifacts to Nexus. The release manager
>> > (RM) still needs to copy the CI-generated files to SVN, PMC needs to
>> > vote, and, upon consensus, RM needs to "close" the release in Nexus
>> > and so on.
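
Added example, not part of this thread and not code from Log4j, Hadoop or Infra: a sketch of the check behind step 1 of the forwarded FAQ, where a voter rebuilds the release locally and compares it with the CI-produced artifacts before trusting the CI signature. The function names and the two-directory layout are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import sys
from pathlib import Path

# Detached signatures carry a creation timestamp, so a rebuild cannot reproduce
# them byte for byte; verify those with `gpg --verify` instead of hashing.
SIGNATURE_SUFFIXES = {".asc", ".sig"}

def sha512_of(path: Path) -> str:
    """Stream a file through SHA-512 so large archives are not read whole."""
    digest = hashlib.sha512()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def index_artifacts(root: Path) -> dict[str, str]:
    """Map each artifact path (relative to root) to its SHA-512 digest."""
    return {
        p.relative_to(root).as_posix(): sha512_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix not in SIGNATURE_SUFFIXES
    }

def compare_builds(local_root, ci_root) -> dict[str, list[str]]:
    """Compare a local rebuild against the artifacts CI produced and signed."""
    local, ci = index_artifacts(Path(local_root)), index_artifacts(Path(ci_root))
    shared = local.keys() & ci.keys()
    return {
        "identical": sorted(n for n in shared if local[n] == ci[n]),
        "different": sorted(n for n in shared if local[n] != ci[n]),
        "only_local": sorted(local.keys() - ci.keys()),
        "only_ci": sorted(ci.keys() - local.keys()),
    }

def is_reproducible(report: dict[str, list[str]]) -> bool:
    """True only when every artifact exists on both sides with equal digests."""
    return bool(report["identical"]) and not (
        report["different"] or report["only_local"] or report["only_ci"]
    )

if __name__ == "__main__" and len(sys.argv) == 3:
    report = compare_builds(sys.argv[1], sys.argv[2])
    print(report)
    sys.exit(0 if is_reproducible(report) else 1)
```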