This sounds like it might relate well to a reproducible builds project of some sort. Ideally we'd be able to do that in ci.jenkins.io, though credentials management is a little less fine-grained there, so doing so that way would likely require a trusted CI/CD environment.
Whether it's in Jenkins, GitHub Actions, or elsewhere, what I've always done is create dedicated CD credentials while limiting said credentials' access scopes as much as possible.

On Fri, Mar 27, 2020 at 2:16 PM Radek Antoniuk <[email protected]> wrote:
>
> I'm thinking about automating the plugin release process using GH Actions:
>
> https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets
> https://github.com/marketplace/actions/maven-release
> https://help.github.com/en/actions/reference/events-that-trigger-workflows
> https://www.asyncapi.com/blog/automated-releases/
>
> It seems that the process for setting this up for releasing on GH is quite
> straightforward.
> The issue is uploading the new artifact to the Artifactory, for which we need
> the credentials that are managed through:
> https://github.com/jenkins-infra/repository-permissions-updater/blob/master/permissions/
>
> There are two problems here:
> - what user should be used in the GH action to push to Artifactory
> - the GH secrets can only be created by GH org owners
>
> Do you think it's a good idea to try this out?
> For me the benefits are:
> - the release process will be done in a standard environment defined by the
> used docker image (obviously it could be done locally, but that's the point:
> not to have the need to do it in docker locally)
> - the process can be automated, e.g. "do a release at the last day of month
> if there were any new PRs merged" - that would increase transparency and
> predictability on the releases
>
> Cheers,
> Radek
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/a799d799-6015-4252-8eb6-8d7f06a76609%40googlegroups.com.

--
Matt Sicker
Senior Software Engineer, CloudBees
