[jira] [Commented] (JAMES-3510) Automate release procedure to speed up releases

Fri, 05 Mar 2021 00:35:04 -0800 


    [ 
https://issues.apache.org/jira/browse/JAMES-3510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295867#comment-17295867
 ] 

Juhan Aasaru commented on JAMES-3510:
-------------------------------------

Let's try to keep the discussion going to come up with something to implement 
on this matter.

As one option Jean Helou 
[proposed|[https://www.mail-archive.com/[email protected]/msg69765.html]
 ] to use gpg socket forwarding. 
I wonder if that would work so that the committer responsible for the release 
would log in to infra machine with gpg socket forwarding on.



> I am unsure as the commiter can hardly guaranty the builder and thus the 
>artifact had not been compromised - as it is a remote machine...

What about this improvement to the process:
 # A GIT tag is created for a release
 # Jenkins builds and uploads unsigned artifacts to Sonatype staging repository
 # Committer responsible for the release triggers build & sign in the local 
machine but only uploads signed artifacts to speed up the process

We would have to make sure that when building a JAR artifacts from a TAG the 
result is exactly the same (equal timestamps in JAR) no matter where the 
artifact is built.
This way the committer would sign local copies but these would be equal to 
copies in the repo and thus the signatures would be valid for the artifacts in 
the server.

 

 

 

> Automate release procedure to speed up releases
> -----------------------------------------------
>
>                 Key: JAMES-3510
>                 URL: https://issues.apache.org/jira/browse/JAMES-3510
>             Project: James Server
>          Issue Type: Improvement
>            Reporter: Juhan Aasaru
>            Priority: Major
>
> Could we collect here the steps that could be automated to fasten the process 
> of creating a new release.
> Me (or my colleague Andreas) would be willing to work on some of the 
> automation tasks.
> I propose automating publishing to Maven Central (building artifacts and PGP 
> signing them)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to