Matt Sicker created LOG4J2-3466:
-----------------------------------
Summary: Automate artifact publishing and release preparation
Key: LOG4J2-3466
URL: https://issues.apache.org/jira/browse/LOG4J2-3466
Project: Log4j 2
Issue Type: Improvement
Components: Build
Affects Versions: 3.0.0, 2.18.0
Reporter: Matt Sicker
Assignee: Matt Sicker
Ever since migrating from Jenkins to GitHub Actions, we no longer have
snapshots being published. Besides remedying just that missing piece, we should
step things up here and automate as much of the snapshot and release process as
possible. This will allow interested users following development to try out
snapshots again, and it will enable release managers in the PMC to almost
trivially cut release candidates for a release vote.
To do this, this will involve updating our workflows to support building,
testing, packaging, signing, and publishing the resulting artifacts to the ASF
Maven repository. On Jenkins, it was simple to publish snapshots as there was
an included Maven settings file for doing so. In order to do the same from an
Action, a Nexus API key would likely need to be generated and imported as a
secret into Actions.
For signing purposes, there's the [sigstore project|https://www.sigstore.dev/]
that has an interesting approach to signing artifacts built in these types of
automation environments. This should hopefully alleviate the need for importing
GPG keys into Actions.
[Airflow|https://cwiki.apache.org/confluence/display/INFRA/Github+Actions+to+DockerHub]
has some docs related to how they've managed to automate things similarly and
how to work with the existing ASF release policy (it may be that a release
manager will still have to manually add GPG sigs to staged artifacts or
something like that).
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
