Aaaaand https://github.com/lampepfl/dotty/pull/18210 (which was our blocker for reproducible builds for Scala 3) was just merged, which means it should land in Scala 3.3.2. Many thanks to Arnout for working on this!

On Tue, Jul 18, 2023 at 3:00 PM Matthew de Detrich <[email protected]> wrote:

> I would like to report that it has been approved by ASF legal to create
> signed artifacts on github actions CI rather than us having to do it on a
> local machine[1][2]. This is fantastic news since it significantly reduces
> the overhead and reliability of generating JVM binary artifacts (aka
> JARs). Currently we have to do this on a local machine, and not only is
> this error prone (there was actually a case where we generated artifacts
> with an incorrect JDK version, something that was only realized after a
> vote finished) but it also takes a large amount of time.
>
> The main requirement in order for us to use github actions to generate
> binary artifacts is that we need reproducible builds. We already have this
> enabled via sbt-reproducible-builds[3]; however, it doesn't work in Scala 3
> due to a compiler bug[4]. Arnout Engelen is already working on a solution
> as we speak[5].
>
> In regards to specifics, the most ideal setup I can think of is to use
> sbt-ci-release[6] to trigger a github actions build whenever a git tag that
> follows the release version pattern (i.e. v1.0.0) is pushed to the git
> repository to specific branches (i.e. main and other release branches
> such as v1.1.x). That github actions build will run +publishSigned which
> will publish signed artifacts into the staging repository, at which point
> other people participating in the release process can then review the
> artifacts in staging (as is done now).
>
> The only other additional thing that may need to be done is to check the
> reproducibility of a build (from what I can initially tell reading
> https://issues.apache.org/jira/browse/INFRA-23996 it can be a check on
> the github action but if we have a manual process for checking artifacts in
> staging right now it may not even be needed). Arnout can probably chime in
> here because he created sbt-reproducible-builds.
>
> [1] https://infra.apache.org/release-publishing.html#signing
> [2] https://infra.apache.org/release-signing.html#automated-release-signing
> [3] https://github.com/raboof/sbt-reproducible-builds
> [4] https://github.com/lampepfl/dotty/issues/17330
> [5] https://github.com/lampepfl/dotty/pull/18210
> [6] https://github.com/sbt/sbt-ci-release
>
> --
> Matthew de Detrich
> *Aiven Deutschland GmbH*
> Immanuelkirchstraße 26, 10405 Berlin
> Amtsgericht Charlottenburg, HRB 209739 B
> Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen
> *m:* +491603708037
> *w:* aiven.io *e:* [email protected]

--
Matthew de Detrich
*Aiven Deutschland GmbH*
Immanuelkirchstraße 26, 10405 Berlin
Amtsgericht Charlottenburg, HRB 209739 B
Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen
*m:* +491603708037
*w:* aiven.io *e:* [email protected]
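
The reproducibility check mentioned in the quoted message amounts to comparing a CI-built JAR from staging against an independent rebuild of the same tag. The sketch below is an added example, not part of the original thread and not code from sbt-reproducible-builds; the function names are hypothetical and the sample JARs are constructed in memory.

```python
import hashlib
import io
import zipfile


def entry_table(jar: bytes) -> list:
    """(name, CRC-32, mtime, size) for every entry, in archive order."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return [(i.filename, i.CRC, i.date_time, i.file_size) for i in zf.infolist()]


def compare_jars(a: bytes, b: bytes) -> list:
    """Return human-readable differences; an empty list means bit-for-bit identical."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return []
    ta, tb = entry_table(a), entry_table(b)
    da, db = {e[0]: e for e in ta}, {e[0]: e for e in tb}
    diffs = []
    for name in sorted(da.keys() | db.keys()):
        if name not in da or name not in db:
            diffs.append(f"{name}: only in {'first' if name in da else 'second'}")
        elif (da[name][1], da[name][3]) != (db[name][1], db[name][3]):
            diffs.append(f"{name}: content differs")
        elif da[name][2] != db[name][2]:
            diffs.append(f"{name}: timestamp differs")
    # Entry order is a common source of non-determinism; compare shared names only.
    common = da.keys() & db.keys()
    if [e[0] for e in ta if e[0] in common] != [e[0] for e in tb if e[0] in common]:
        diffs.append("entry order differs")
    return diffs or ["archives differ outside entry data (compression or extra fields)"]


def make_jar(entries, mtime=(2023, 7, 18, 0, 0, 0)) -> bytes:
    """Constructed sample JAR, built in memory with a fixed entry timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=mtime), data)
    return buf.getvalue()


if __name__ == "__main__":
    staged = make_jar([("A.class", b"x"), ("B.class", b"y")])
    rebuilt = make_jar([("A.class", b"x"), ("B.class", b"y")], mtime=(2023, 7, 19, 0, 0, 0))
    print(compare_jars(staged, rebuilt) or "reproducible")
```

A non-empty result names the entries to inspect before the staged artifact is accepted in a vote.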
