ATR looks promising <https://github.com/apache/tooling-trusted-releases/pulse>, thank you James! I tried it out and I found a few rough edges (it does have a massive "Alpha" warning banner). It's not something we should use yet, but when it matures a bit it could be really useful. FWIW, I filed an issue for one HTTP 500 server error I ran into <https://github.com/apache/tooling-trusted-releases/issues/241>.
I'll start a new thread to discuss the release process in general. I'll call it "release process improvement". To your point below about reproducible builds, my gut says we should not yet put effort into byte-same release artifacts. Don't get me wrong, it's a Good Thing and perhaps as important as, say, signing release artifacts. Maybe even more important as supply chain attacks increase. So I would for sure like it and it would be nice to have <https://medium.com/@ayushgupta228/reproducible-java-builds-why-your-jars-lie-and-how-to-fix-it-e32e4942acf6>, but I'd anticipate a lot of fiddly work chasing down every timestamp and out-of-order archive. I'm encouraged the concept appears to be gaining <https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives> traction <https://docs.gradle.org/current/userguide/building_java_projects.html#sec:properties_files> in tooling we use, but I'm still not sure the juice will be worth the squeeze right now. If someone else wants to work on this I will advise, encourage, and assist.

On Mon, Sep 15, 2025 at 10:16 AM James Dailey <[email protected]> wrote:
> Hi Devs at Fineract -
>
> Notes from the ASF Community Over Code in Minneapolis.
>
> Sunday - Infra track : ATR Automated Build and Release
> The talk is about the automated release process - and how ASF Tooling is
> advancing the process to allow for "mostly" on infra release process.
>
> First, if you don't know about the release process at ASF, it follows a
> set of policies.
>
> https://www.apache.org/legal/release-policy.html
>
> This is NOT an intro email to this subject. If you want to know about our
> release process at Fineract please see the current documentation and recent
> emails updating our release processes at this project.
> https://fineract.apache.org/docs/current/#_release_process
>
> ---
>
> In the NEW, still not fully released automation by ASF, there are some
> improvements coming.
>
> At a high level, the process goes like this.
>
> Security team :
> (project) Proves that your Build automation produces reproducible results
>
> Infra team:
> Generates the PMC GPG keys
> Saves private key as a repository secret
>
> PMC:
> Signs artifact with private key
> Tests reproducibility during the vote
> Adds public key to their KEYS file
>
> Drivers for the new ASF Trusted Release (ATR) interface
> Making it easier
> SBOM is becoming essential for ASF and automation is becoming vital.
>
> There is a demo of the new build process for new incubating projects.
> ==> release-test.apache.org
>
> High level flow:
> Compose
> Vote
> Finish
>
> I also met with one of the Grails project PMC team members who could give
> us some pointers. He suggested that we copy what they have done, which
> automates a full set of processes using Gradle. End to end.
>
> It would be useful to have a Committer here (can be anyone) to work on
> getting familiar with the new ATR and separately, those interested in
> supporting the release process, could discuss the Grails model - and how
> these two might be used together or to make improvements to our release
> process.
>
> see github/ tooling-actionblob/main/readme
> https://github.com/apache/tooling-actions/tree/main/release-on-atr
>
> see also new GHActions - that can be triggered is part of the process
> key new thing is the uploads of the artifacts go to the tool not to SVN
>
> I've (tentatively) signed us up to have Fineract be part of the beta
> release of this new tooling, Q4 this year into Q1 2026.
>
> The key thing for either of these efforts is getting a reliable
> Reproducible build. i.e. from the same release point generate a byte-same
> release artifact.
>
> Comments? Interest?
>
> Thanks,
> Jdailey
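The reply above names the two usual reasons a rebuilt JAR is not byte-same: entry timestamps taken from the filesystem and entries written in directory-walk order. The following is an added example, not code from this thread, from Fineract or from ATR; it builds two constructed JARs from identical "class" bytes that differ only in those two properties, shows that their hashes diverge, then applies the same normalisation Gradle's reproducible-archive settings perform (sorted entries, constant 1980-02-01 timestamp, fixed permissions) and shows the two archives become byte-identical. All names (build_first, build_second, normalize_jar, find_nondeterminism) and the entry contents are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Constant timestamp written into every normalised entry: 1980-02-01 00:00:00,
# the convention Gradle's preserveFileTimestamps = false mode also follows.
FIXED_DATE_TIME = (1980, 2, 1, 0, 0, 0)

# Constructed stand-ins for compiled classes; the bytes are not real class files.
CONSTRUCTED_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/A.class": b"\xca\xfe\xba\xbe demo class A",
    "org/example/B.class": b"\xca\xfe\xba\xbe demo class B",
}


def build_jar(entries, order, timestamps):
    """Write an in-memory JAR whose entry order and per-entry mtimes are chosen
    by the caller, imitating a build that keeps filesystem metadata as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=timestamps[name])
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # plain rw-r--r-- file
            zf.writestr(info, entries[name])
    return buf.getvalue()


def build_first():
    """Constructed 'first' build: sources compiled Monday, written in walk order."""
    ts = {n: (2025, 9, 15, 10, 16, 0) for n in CONSTRUCTED_ENTRIES}
    order = ["org/example/B.class", "META-INF/MANIFEST.MF", "org/example/A.class"]
    return build_jar(CONSTRUCTED_ENTRIES, order, ts)


def build_second():
    """Constructed 'second' build of the same sources a day later, with a
    different directory-walk order; only metadata differs from build_first."""
    ts = {n: (2025, 9, 16, 9, 3, 0) for n in CONSTRUCTED_ENTRIES}
    order = ["META-INF/MANIFEST.MF", "org/example/A.class", "org/example/B.class"]
    return build_jar(CONSTRUCTED_ENTRIES, order, ts)


def archive_sha256(data):
    """Hash of the whole archive: the value a release vote would compare."""
    return hashlib.sha256(data).hexdigest()


def find_nondeterminism(data):
    """Report the two classic sources of unreproducible JARs: entry timestamps
    that are not the fixed constant, and entries not in sorted order."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    findings = []
    odd_stamps = sorted({i.date_time for i in infos if i.date_time != FIXED_DATE_TIME})
    if odd_stamps:
        findings.append(f"non-constant timestamps: {odd_stamps}")
    names = [i.filename for i in infos]
    if names != sorted(names):
        findings.append(f"entries not in sorted order: {names}")
    return findings


def normalize_jar(data):
    """Rewrite an archive with sorted entries, a constant timestamp and fixed
    permissions, so identical inputs always yield identical bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        items = sorted((i.filename, src.read(i.filename)) for i in src.infolist())
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, content in items:
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16
            dst.writestr(info, content)
    return out.getvalue()


if __name__ == "__main__":
    first, second = build_first(), build_second()
    print("raw builds byte-same:", archive_sha256(first) == archive_sha256(second))
    for finding in find_nondeterminism(first):
        print("  first build:", finding)
    norm_first, norm_second = normalize_jar(first), normalize_jar(second)
    print("normalised builds byte-same:", norm_first == norm_second)
    print("normalised findings:", find_nondeterminism(norm_first))
```

Running the script prints that the raw builds differ, lists the timestamp and ordering findings for the first build, and then reports the normalised archives as byte-same with no findings. The normalisation step is what Gradle's `preserveFileTimestamps = false` and `reproducibleFileOrder = true` do at archive time; the checker is the kind of test a PMC member could run on a release candidate during the vote to explain why two independently rebuilt artifacts do not hash the same.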
