Posted to yarn-dev@hadoop.apache.org by Ayush Saxena <ay...@gmail.com> on 2023/07/18 20:05:00 UTC

Fwd: Signing releases using automated release infra

Something we can explore as well!!

-Ayush

Begin forwarded message:

> From: Volkan Yazıcı <vo...@yazi.ci>
> Date: 19 July 2023 at 1:24:49 AM IST
> To: dev@community.apache.org
> Subject: Signing releases using automated release infra
> Reply-To: dev@community.apache.org
> 
> Abstract: Signing release artifacts using an automated release
> infrastructure has been officially approved by LEGAL. This enables
> projects to sign artifacts using, say, GitHub Actions.
> 
> I have been trying to overhaul the Log4j release process and make it
> as frictionless as possible since last year. As a part of that effort,
> I wanted to sign artifacts in CI during deployment and in a
> `members@a.o` thread[0] I explained how one can do that securely with
> the help of Infra. That was in December 2022. It has been a long,
> rough journey, but we succeeded. In this PR[1], Legal has updated the
> release policy to reflect that this process is officially allowed.
> Further, Infra put together guides[2][3] to assist projects. Logging
> Services PMC has already successfully performed 4 Log4j Tools releases
> using this approach, see its release process[4] for a demonstration.
> 
> [0] (members only!)
> https://lists.apache.org/thread/1o12mkjrhyl45f9pof94pskg55vhs61n
> [1] https://github.com/apache/www-site/pull/235
> [2] https://infra.apache.org/release-publishing.html#signing
> [3] https://infra.apache.org/release-signing.html#automated-release-signing
> [4] https://github.com/apache/logging-log4j-tools/blob/master/RELEASING.adoc
> 
> # F.A.Q.
> 
> ## Why shall a project be interested in this?
> 
> It greatly simplifies the release process. See Log4j Tools release
> process[4], probably the simplest among all Java-based ASF projects.
> 
> ## How can a project get started?
> 
> 1. Make sure your project builds are reproducible (otherwise there is
> no way PMC can verify the integrity of CI-produced and -signed
> artifacts)
> 2. Clone and adapt INFRA-23996 (GPG keys in GitHub secrets)
> 3. Clone and adapt INFRA-23974 (Nexus creds. in GitHub secrets for
> snapshot deployments)
> 4. Clone and adapt INFRA-24051 (Nexus creds. in GitHub secrets for
> staging deployments)
> 
> You might also want to check this[5] GitHub Action workflow for inspiration.
> 
> [5] https://github.com/apache/logging-log4j-tools/blob/master/.github/workflows/build.yml
> 
> ## Does the "automated release infrastructure" (CI) perform the full release?
> 
> No. CI *only* uploads signed artifacts to Nexus. The release manager
> (RM) still needs to copy the CI-generated files to SVN, PMC needs to
> vote, and, upon consensus, RM needs to "close" the release in Nexus
> and so on.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
> For additional commands, e-mail: dev-help@community.apache.org
> 
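
The step the forwarded note leaves implicit is what the PMC actually does with a CI-signed candidate between "CI uploads signed artifacts to Nexus" and the vote: rebuild the artifact from the tag, confirm it is byte-identical to what CI signed, and confirm the signature comes from the one key Infra placed in GitHub secrets rather than from any key that happens to be in KEYS. The script below is an added example written for this page; it is not the Log4j Tools release script, not code from the Infra guides, and not from any message in the thread. It assumes a hypothetical layout (`rc/foo-1.0.jar` with `.asc` and `.sha512` sidecars, a `local/foo-1.0.jar` rebuilt from the release tag, the project's `KEYS` file, and the release key's fingerprint) and needs only POSIX sh, `gpg`, and `sha512sum` or `shasum`.

```shell
#!/bin/sh
# verify_rc.sh: PMC-side checks on a CI-signed release candidate before voting.
# Added example for this thread; not the Log4j Tools release script and not
# code from the Infra guides. Assumed (hypothetical) inputs:
#   rc/foo-1.0.jar         artifact downloaded from the Nexus staging repository
#   rc/foo-1.0.jar.asc     detached, ASCII-armored signature produced in CI
#   rc/foo-1.0.jar.sha512  sidecar checksum in "<hex>  <file>" form
#   local/foo-1.0.jar      the same artifact rebuilt locally from the release tag
#   KEYS                   the project's exported public keys
#   <fingerprint>          fingerprint of the key Infra placed in GitHub secrets
# A valid signature only shows that the CI key signed these bytes; the rebuild
# comparison is what shows the bytes correspond to the tagged source.

set -u

# SHA-512 of a file as lowercase hex, on both GNU and BSD userlands.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Check 1: the published .sha512 sidecar matches the downloaded artifact
# (catches a corrupted or swapped download, nothing more).
check_sidecar() {
    expected=$(cut -d' ' -f1 "$1.sha512" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$expected" = "$(sha512_of "$1")" ]
}

# Check 2: the artifact CI signed is byte-identical to the local rebuild.
# This is the reproducible-builds requirement from step 1 of the thread.
check_reproducible() {
    [ "$(sha512_of "$1")" = "$(sha512_of "$2")" ]
}

# Check 3: verify the detached signature in a throwaway keyring populated only
# from KEYS, then pin the signing key to the approved fingerprint. The
# machine-readable VALIDSIG status line is parsed instead of the human-readable
# "Good signature" text, which gpg also prints for any other key in KEYS.
check_signature() {
    artifact=$1 keys=$2
    allowed=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$artifact.asc" "$artifact" 2>/dev/null)
    rm -rf "$home"
    # VALIDSIG's last field is the primary key fingerprint, which is what the
    # KEYS file and the Infra ticket identify the release key by.
    signer=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / {print $NF; exit}')
    [ -n "$signer" ] && [ "$signer" = "$allowed" ]
}

# Run one check, report it, and record the overall result in $rc.
run_check() {
    if "$@"; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi
}

# Usage: verify_rc <ci-artifact> <local-artifact> <KEYS> <fingerprint>
verify_rc() {
    rc=0
    run_check check_sidecar "$1"
    run_check check_reproducible "$1" "$2"
    run_check check_signature "$1" "$3" "$4"
    return $rc
}

[ $# -ne 4 ] || verify_rc "$@"
```

Run it as `sh verify_rc.sh rc/foo-1.0.jar local/foo-1.0.jar KEYS <fingerprint>`; a non-zero exit means the candidate should not get a +1. The fingerprint pin is the part most often skipped: `gpg --verify` reports "Good signature" for any key in the keyring, so without the pin a signature made with some other committer's key in KEYS would pass. The rebuild comparison is what ties a signature produced on a GitHub runner back to the source tree; if the build is not bit-for-bit reproducible, check 2 has to be replaced by a manual comparison of the unpacked contents, which is why the thread lists reproducibility as the first prerequisite.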

Re: Signing releases using automated release infra

Posted by Ayush Saxena <ay...@gmail.com>.
Yep, thirdparty could be a good candidate to try; building a thirdparty
release is relatively easy as well.

-Ayush

On Thu, 20 Jul 2023 at 15:25, Steve Loughran <st...@cloudera.com> wrote:
>
>
> could be good.
>
> why not set it up for the third-party module first to see how well it works?
>
> On Tue, 18 Jul 2023 at 21:05, Ayush Saxena <ay...@gmail.com> wrote:
>>
>> Something we can explore as well!!
>>
>> -Ayush
>>
>> Begin forwarded message:
>>
>> > From: Volkan Yazıcı <vo...@yazi.ci>
>> > Date: 19 July 2023 at 1:24:49 AM IST
>> > To: dev@community.apache.org
>> > Subject: Signing releases using automated release infra
>> > Reply-To: dev@community.apache.org
>> >
>> > Abstract: Signing release artifacts using an automated release
>> > infrastructure has been officially approved by LEGAL. This enables
>> > projects to sign artifacts using, say, GitHub Actions.
>> >
>> > I have been trying to overhaul the Log4j release process and make it
>> > as frictionless as possible since last year. As a part of that effort,
>> > I wanted to sign artifacts in CI during deployment and in a
>> > `members@a.o` thread[0] I explained how one can do that securely with
>> > the help of Infra. That was in December 2022. It has been a long,
>> > rough journey, but we succeeded. In this PR[1], Legal has updated the
>> > release policy to reflect that this process is officially allowed.
>> > Further, Infra put together guides[2][3] to assist projects. Logging
>> > Services PMC has already successfully performed 4 Log4j Tools releases
>> > using this approach, see its release process[4] for a demonstration.
>> >
>> > [0] (members only!)
>> > https://lists.apache.org/thread/1o12mkjrhyl45f9pof94pskg55vhs61n
>> > [1] https://github.com/apache/www-site/pull/235
>> > [2] https://infra.apache.org/release-publishing.html#signing
>> > [3] https://infra.apache.org/release-signing.html#automated-release-signing
>> > [4] https://github.com/apache/logging-log4j-tools/blob/master/RELEASING.adoc
>> >
>> > # F.A.Q.
>> >
>> > ## Why shall a project be interested in this?
>> >
>> > It greatly simplifies the release process. See Log4j Tools release
>> > process[4], probably the simplest among all Java-based ASF projects.
>> >
>> > ## How can a project get started?
>> >
>> > 1. Make sure your project builds are reproducible (otherwise there is
>> > no way PMC can verify the integrity of CI-produced and -signed
>> > artifacts)
>> > 2. Clone and adapt INFRA-23996 (GPG keys in GitHub secrets)
>> > 3. Clone and adapt INFRA-23974 (Nexus creds. in GitHub secrets for
>> > snapshot deployments)
>> > 4. Clone and adapt INFRA-24051 (Nexus creds. in GitHub secrets for
>> > staging deployments)
>> >
>> > You might also want to check this[5] GitHub Action workflow for inspiration.
>> >
>> > [5] https://github.com/apache/logging-log4j-tools/blob/master/.github/workflows/build.yml
>> >
>> > ## Does the "automated release infrastructure" (CI) perform the full release?
>> >
>> > No. CI *only* uploads signed artifacts to Nexus. The release manager
>> > (RM) still needs to copy the CI-generated files to SVN, PMC needs to
>> > vote, and, upon consensus, RM needs to "close" the release in Nexus
>> > and so on.
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
>> > For additional commands, e-mail: dev-help@community.apache.org
>> >

---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-dev-help@hadoop.apache.org


Re: Signing releases using automated release infra

Posted by Steve Loughran <st...@cloudera.com.INVALID>.
Could be good.

Why not set it up for the third-party module first to see how well it works?

On Tue, 18 Jul 2023 at 21:05, Ayush Saxena <ay...@gmail.com> wrote:

> Something we can explore as well!!
>
> -Ayush
>
> Begin forwarded message:
>
> > From: Volkan Yazıcı <vo...@yazi.ci>
> > Date: 19 July 2023 at 1:24:49 AM IST
> > To: dev@community.apache.org
> > Subject: Signing releases using automated release infra
> > Reply-To: dev@community.apache.org
> >
> > Abstract: Signing release artifacts using an automated release
> > infrastructure has been officially approved by LEGAL. This enables
> > projects to sign artifacts using, say, GitHub Actions.
> >
> > I have been trying to overhaul the Log4j release process and make it
> > as frictionless as possible since last year. As a part of that effort,
> > I wanted to sign artifacts in CI during deployment and in a
> > `members@a.o` thread[0] I explained how one can do that securely with
> > the help of Infra. That was in December 2022. It has been a long,
> > rough journey, but we succeeded. In this PR[1], Legal has updated the
> > release policy to reflect that this process is officially allowed.
> > Further, Infra put together guides[2][3] to assist projects. Logging
> > Services PMC has already successfully performed 4 Log4j Tools releases
> > using this approach, see its release process[4] for a demonstration.
> >
> > [0] (members only!)
> > https://lists.apache.org/thread/1o12mkjrhyl45f9pof94pskg55vhs61n
> > [1] https://github.com/apache/www-site/pull/235
> > [2] https://infra.apache.org/release-publishing.html#signing
> > [3]
> https://infra.apache.org/release-signing.html#automated-release-signing
> > [4]
> https://github.com/apache/logging-log4j-tools/blob/master/RELEASING.adoc
> >
> > # F.A.Q.
> >
> > ## Why shall a project be interested in this?
> >
> > It greatly simplifies the release process. See Log4j Tools release
> > process[4], probably the simplest among all Java-based ASF projects.
> >
> > ## How can a project get started?
> >
> > 1. Make sure your project builds are reproducible (otherwise there is
> > no way PMC can verify the integrity of CI-produced and -signed
> > artifacts)
> > 2. Clone and adapt INFRA-23996 (GPG keys in GitHub secrets)
> > 3. Clone and adapt INFRA-23974 (Nexus creds. in GitHub secrets for
> > snapshot deployments)
> > 4. Clone and adapt INFRA-24051 (Nexus creds. in GitHub secrets for
> > staging deployments)
> >
> > You might also want to check this[5] GitHub Action workflow for
> inspiration.
> >
> > [5]
> https://github.com/apache/logging-log4j-tools/blob/master/.github/workflows/build.yml
> >
> > ## Does the "automated release infrastructure" (CI) perform the full
> release?
> >
> > No. CI *only* uploads signed artifacts to Nexus. The release manager
> > (RM) still needs to copy the CI-generated files to SVN, PMC needs to
> > vote, and, upon consensus, RM needs to "close" the release in Nexus
> > and so on.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
> > For additional commands, e-mail: dev-help@community.apache.org
> >
>
