engelen pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/pekko.git
The following commit(s) were added to refs/heads/main by this push:
new 16ca91cd8d ci: stage release candidate sources and jars (#2314)
16ca91cd8d is described below
commit 16ca91cd8d2e5eade04f48e5ed550e45939c5aa5
Author: Arnout Engelen <[email protected]>
AuthorDate: Tue Nov 11 08:54:02 2025 +0100
ci: stage release candidate sources and jars (#2314)
* ci: stage release candidate source archive
Needs Infra to configure these secrets before merging.
* chore: use 'git archive' to create source archive
I see some issues with reproducibility (the tar is identical but the
gzip stream differs), but those can be solved independently.
* fix: use reproducible gzip compression in 'git archive'
* fix: version tags start with 'v'
* ci: stage jars
This probably needs some iterations to get it just right, but
I don't see a good way to do that other than by actually merging
and triggering the workflow against (fake, non-version) RC tags.
* Add sonatype commands
* Version tags start with 'v'
* fix: set the version for sonatypeBundleUpload
not sure sonatypePrepare is really necessary, it seems
implicit, but let's stick to what's recommended in
https://github.com/xerial/sbt-sonatype?tab=readme-ov-file#publishing-your-artifact
* chore: don't require a leading 'v' for now
so we can test the workflow with unprotected tags
* ci: the key is not base64-encoded
---
.github/workflows/stage-release-candidate.yml | 159 ++++++++++++++++++++++++++
1 file changed, 159 insertions(+)
diff --git a/.github/workflows/stage-release-candidate.yml
b/.github/workflows/stage-release-candidate.yml
new file mode 100644
index 0000000000..b6e7bcc41b
--- /dev/null
+++ b/.github/workflows/stage-release-candidate.yml
@@ -0,0 +1,159 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: Stage release candidate
+
+on:
+ workflow_dispatch:
+ inputs:
+ source-tar:
+ description: "Stage the source tarball to svn"
+ default: true
+ type: boolean
+ jars:
+ description: "Stage the binary jars to nexus"
+ default: true
+ type: boolean
+
+permissions:
+ contents: read
+
+jobs:
+ # Automating the step at
https://github.com/apache/pekko-site/wiki/Pekko-Release-Process#build-the-source-release-candidate
+ # Partly based on
https://github.com/apache/daffodil/blob/main/.github/workflows/release-candidate.yml
+ stage-release-candidate-to-svn:
+ runs-on: ubuntu-24.04
+ if: ${{ inputs.source-tar }}
+ steps:
+ - name: Check version parameter
+ run: |-
+ # To be enabled after this workflow has been tested:
+ #if [[ "$REF" != "v"* ]]; then
+ # echo "Trigger this workflow on a version tag"
+ # exit 1
+ #fi
+ if [[ "$REF" != *"-RC"* ]]; then
+ echo "Trigger this workflow on an RC tag"
+ exit 1
+ fi
+ export VERSION=$(echo $REF | sed -e "s/.\(.*\)-.*/\\1/")
+ export RC_VERSION=$(echo $REF | tail -c +2)
+ echo "Version: $VERSION"
+ echo "RC Version: $RC_VERSION"
+ env:
+ REF: ${{ github.ref_name }}
+
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #
v5.0.0
+ with:
+ fetch-depth: 0
+ fetch-tags: true
+ persist-credentials: false
+
+ - name: Generate source archive
+ run: |-
+ VERSION=$(echo $REF | sed -e "s/.\(.*\)-.*/\\1/")
+ PREFIX=apache-pekko-$VERSION
+ DATE=$(git log -n1 --format=%cs | tr -d -)
+ TARBALL=$PREFIX-src-$DATE.tgz
+
+ mkdir archive
+ git archive --format=tar --prefix=$PREFIX/ HEAD | gzip -6 -n >
archive/$TARBALL
+ cd archive
+ sha512sum $TARBALL > $TARBALL.sha512
+ env:
+ REF: ${{ github.ref_name }}
+
+ - name: Sign source archive
+ run: |-
+ echo $PEKKO_GPG_SECRET_KEY | gpg --batch --import --import-options
import-show
+ gpg -ab archive/*.tgz
+ env:
+ PEKKO_GPG_SECRET_KEY: ${{ secrets.PEKKO_GPG_SECRET_KEY }}
+
+ - name: Upload source dist
+ run: |-
+ svn checkout https://dist.apache.org/repos/dist/dev/pekko dist
+ cd dist
+
+ export RC_VERSION=$(echo $REF | tail -c +2)
+
+ mkdir $RC_VERSION
+ cp ../archive/* $RC_VERSION
+ svn add $RC_VERSION $RC_VERSION/*
+ svn commit --username $PEKKO_SVN_DEV_USERNAME --password
$PEKKO_SVN_DEV_PASSWORD --message "Stage Pekko $RC_VERSION" $RC_VERSION
+ env:
+ PEKKO_SVN_DEV_USERNAME: ${{ secrets.PEKKO_SVN_DEV_USERNAME }}
+ PEKKO_SVN_DEV_PASSWORD: ${{ secrets.PEKKO_SVN_DEV_PASSWORD }}
+ REF: ${{ github.ref_name }}
+
+ stage-jars-to-nexus:
+ runs-on: ubuntu-24.04
+ if: ${{ inputs.source-tar }}
+ steps:
+ - name: Check version parameter
+ run: |-
+ # To be enabled after this workflow has been tested:
+ #if [[ "$REF" != "v"* ]]; then
+ # echo "Trigger this workflow on a version tag"
+ # exit 1
+ #fi
+ if [[ "$REF" != *"-RC"* ]]; then
+ echo "Trigger this workflow on an RC tag"
+ exit 1
+ fi
+ export VERSION=$(echo $REF | sed -e "s/\(.*\)-.*/\\1/")
+ export RC_VERSION=$(echo $REF | tail -c +2)
+ echo "Version: $VERSION"
+ echo "RC Version: $RC_VERSION"
+ env:
+ REF: ${{ github.ref_name }}
+
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #
v5.0.0
+ with:
+ fetch-depth: 0
+ fetch-tags: true
+ persist-credentials: false
+
+ - name: Setup Java 17
+ uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #
v5.0.0
+ with:
+ distribution: temurin
+ java-version: 17
+
+ - name: Install sbt
+ uses: sbt/setup-sbt@17575ea4e18dd928fe5968dbe32294b97923d65b # v1.1.13
+
+ # We intentionally do not use the Coursier cache for release candiates,
+ # to reduce attack surface
+
+ # It would be better to split this into 3 steps, where only the first
+ # uses sbt and the signing/staging are done with well-known tools
+ # reducing attack surface, but this seems to be the state of the art:
+ - name: Build, sign and stage artifacts
+ run: |-
+ VERSION=$(echo $REF | sed -e "s/.\(.*\)-.*/\\1/")
+ PGP_PASSPHRASE=
+
+ sbt "set ThisBuild / version := \"$VERSION\"; +publishSigned"
+ sbt "set ThisBuild / version := \"$VERSION\"; sonatypePrepare; set
ThisBuild / version := \"$VERSION\"; sonatypeBundleUpload; sonatypeClose"
+ env:
+ REF: ${{ github.ref_name }}
+ PGP_SECRET: ${{ secrets.PEKKO_GPG_SECRET_KEY }}
+ SONATYPE_USERNAME: ${{ secrets.NEXUS_USER }}
+ SONATYPE_PASSWORD: ${{ secrets.NEXUS_PW }}
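Review bot: The `stage-jars-to-nexus` job is gated on `if: ${{ inputs.source-tar }}`, so the declared `jars` input is never read and unticking it still stages jars, while unticking `source-tar` skips both jobs; the gate should be `if: ${{ inputs.jars }}`. With the `v` check commented out, any ref name containing `-RC` passes, and the `$VERSION` derived from it is expanded unquoted in the shell and spliced into the sbt command string in the step that holds the signing key and Nexus credentials. An anchored check before any use would constrain it, e.g. `[[ "$REF" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+(-M[0-9]+)?-RC[0-9]+$ ]] || exit 1` (pattern constructed here; adjust it to the project's tag scheme). In "Upload source dist" the secret is passed as `--password $PEKKO_SVN_DEV_PASSWORD`, which places it in the process argument list; piping it in with `--non-interactive --password-from-stdin` avoids that. In "Sign source archive", `echo $PEKKO_GPG_SECRET_KEY` is unquoted, so the line structure of an armored key is lost to word splitting and gpg may reject it; `printf '%s\n' "$PEKKO_GPG_SECRET_KEY" | gpg --batch --import` keeps it intact.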