[
https://issues.apache.org/jira/browse/LOG4J2-3466?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matt Sicker updated LOG4J2-3466:
--------------------------------
Description:
Ever since migrating from Jenkins to GitHub Actions, we no longer have
snapshots being published. Besides remedying just that missing piece, we should
step things up here and automate as much of the snapshot and release process as
possible. This will allow interested users following development to try out
snapshots again, and it will enable release managers in the PMC to almost
trivially cut release candidates for a release vote.

To do this, this will involve updating our workflows to support building,
testing, packaging, signing, and publishing the resulting artifacts to the ASF
Maven repository. On Jenkins, it was simple to publish snapshots as there was
an included Maven settings file for doing so. In order to do the same from an
Action, a Nexus API key would likely need to be generated and imported as a
secret into Actions.

For signing purposes, there's the [sigstore project|https://www.sigstore.dev/]
that has an interesting approach to signing artifacts built in these types of
automation environments. This should hopefully alleviate the need for importing
GPG keys into Actions. See [https://github.com/sigstore/sigstore-maven-plugin]
for a Maven plugin.

[Airflow|https://cwiki.apache.org/confluence/display/INFRA/Github+Actions+to+DockerHub]
has some docs related to how they've managed to automate things similarly and
how to work with the existing ASF release policy (it may be that a release
manager will still have to manually add GPG sigs to staged artifacts or
something like that).

was:
Ever since migrating from Jenkins to GitHub Actions, we no longer have
snapshots being published. Besides remedying just that missing piece, we should
step things up here and automate as much of the snapshot and release process as
possible. This will allow interested users following development to try out
snapshots again, and it will enable release managers in the PMC to almost
trivially cut release candidates for a release vote.

To do this, this will involve updating our workflows to support building,
testing, packaging, signing, and publishing the resulting artifacts to the ASF
Maven repository. On Jenkins, it was simple to publish snapshots as there was
an included Maven settings file for doing so. In order to do the same from an
Action, a Nexus API key would likely need to be generated and imported as a
secret into Actions.

For signing purposes, there's the [sigstore project|https://www.sigstore.dev/]
that has an interesting approach to signing artifacts built in these types of
automation environments. This should hopefully alleviate the need for importing
GPG keys into Actions.

[Airflow|https://cwiki.apache.org/confluence/display/INFRA/Github+Actions+to+DockerHub]
has some docs related to how they've managed to automate things similarly and
how to work with the existing ASF release policy (it may be that a release
manager will still have to manually add GPG sigs to staged artifacts or
something like that).

> Automate artifact publishing and release preparation
> ----------------------------------------------------
>
> Key: LOG4J2-3466
> URL: https://issues.apache.org/jira/browse/LOG4J2-3466
> Project: Log4j 2
> Issue Type: Improvement
> Components: Build
> Affects Versions: 3.0.0, 2.18.0
> Reporter: Matt Sicker
> Assignee: Matt Sicker
> Priority: Major