For clarification this was for Groovy releases.
I will look at Geb after I finish the testcontainers work to see what could be
done there.
Best regards,
Carl
On 1/30/26 3:58 PM, Jonny wrote:
I missed the trick on using these during the last release cycle, Carl,
but I'd be open to the PR.
Best,
Jonny
On Tue, Jan 20, 2026 at 3:10 PM Carl Marcum <[email protected]>
wrote:
Hi All,
While working on the release votes this weekend it made me think about
automating some of this like Apache Grails does.
So I borrowed some of that and got something working for our releases.
In general it will:
1. Download KEYS file from release directory.
2. Download artifacts (source, binary, docs, and sdk) including hashes
and sig files from /dist/dev or dist/release into sub-directories of the
specified download location.
3. Verify each artifact for signature and checksum.
4. Unpack each artifact and check for a LICENSE and NOTICE file. Source
is also checked for a README.
5. For the unpacked source it will bootstrap a gradle wrapper if needed
and run the rat task.
The scripts are in my project fork in the add-verify-scripts branch here
[1].
Run from etc/bin with ./verify.sh ['dev' or 'release'] [semantic.version] <download location>
'dev' or 'release' is used for the server location under https://dist.apache.org/repos/dist/
Ex. ./verify.sh release 5.0.4 ~/temp/groovy-5.0.4-verify
Download location will be created.
Since the votes are over you can test on 'release'.
There is more work that can be done in this area but it's a start.
If you would like to include them I can create a PR.
[1] https://github.com/cbmarcum/groovy/tree/add-verify-scripts/etc/bin
Best regards,
Carl
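
Steps 3 and 4 of the list in the original message, sketched as shell functions. This is an added example, not the verify.sh from the branch at [1]; the function names, the throwaway keyring and the assumption that the caller has already unpacked the archive into a directory are illustrative.

```shell
#!/bin/sh
# Added example: NOT the verify.sh from the add-verify-scripts branch.
# All function names below are hypothetical.

# Step 3 (checksum): compare the artifact's SHA-512 with the published
# .sha512 file. Accepts a bare digest or "digest  filename", any hex case.
verify_sha512() {
    artifact=$1
    expected=$(awk 'NR==1 {print tolower($1)}' "$artifact.sha512") || return 1
    actual=$(sha512sum "$artifact" | awk '{print $1}') || return 1
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Step 3 (signature): verify the detached .asc against keys imported only
# from the downloaded KEYS file, in a temporary keyring, so keys already in
# the caller's own keyring cannot make an unexpected signer look valid.
verify_signature() {
    artifact=$1 keys=$2
    home=$(mktemp -d) || return 1
    if gpg --homedir "$home" --batch --quiet --import "$keys" &&
       gpg --homedir "$home" --batch --verify "$artifact.asc" "$artifact"
    then rc=0; else rc=1; fi
    rm -rf "$home"
    return "$rc"
}

# Succeeds if a regular file DIR/PREFIX* exists (LICENSE, LICENSE.txt, ...).
has_file() {
    for f in "$1"/"$2"*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Step 4: require LICENSE and NOTICE in the unpacked root, plus README for
# the source artifact. Unpacking itself is left to the caller.
check_required_files() {
    root=$1 kind=$2
    required="LICENSE NOTICE"
    [ "$kind" = source ] && required="$required README"
    missing=0
    for name in $required; do
        has_file "$root" "$name" || { echo "missing $name in $root" >&2; missing=1; }
    done
    return "$missing"
}
```

A checksum match only shows the download is intact; the signature check against KEYS is what ties the artifact to a release manager, so a verification run should fail unless both pass.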