cbmarcum commented on code in PR #311:
URL: https://github.com/apache/groovy-geb/pull/311#discussion_r2935566029
##########
RELEASING.md:
##########
@@ -44,12 +44,18 @@ limitations under the License.
11. `git push` the version branch and tag to GitHub
12. `read -s APACHE_PW` and enter your password at the prompt
13. Run `./gradlew --no-build-cache publishJarsAndManual -x
:integration:geb-gradle:publishPlugins -PapacheUser=jonnybot
-PapachePassword="${APACHE_PW}"`
-14. Start the vote process on the groovy-dev mailing list. It will need at
least 72 hours of remaining open and receive at least three affirmative votes
from the Groovy PMC. See the [Apache Voting
process](https://www.apache.org/foundation/voting.html) for more detail.
Mention significant breaking changes if there are any.
-15. Assuming the vote passes (at least three +1 votes from the PMC), you can
take the following steps to finalize the release.
-16. Email the vote thread to note that the vote has passed, with a final tally
of the votes.
-17. Ask a member of the PMC to copy the artifacts from the staging directory
in subversion to `groovy-release/geb/${VERSION}` and commit them to subversion,
as above.
-18. Ask a member of the PMC to release the staging repository at
https://repository.apache.org/#stagingRepositories
-19. Release the Gradle plugins with `./gradlew
:integration:geb-gradle:publishPlugins`
+14. Verify the staged release. Run the automated verification script from the
project root:
+ ```bash
+ etc/bin/verify.sh dev «version» /tmp/geb-«version»-verify
+ ```
+ This downloads the staged artifacts, verifies checksums and GPG
signatures, checks for required files, and runs the RAT license audit. The
individual scripts in `etc/bin/` can also be run separately — see their header
comments for details.
+15. Verify the build is reproducible per [ASF Security
policy](https://cwiki.apache.org/confluence/display/SECURITY/Reproducible+Builds)
by running `etc/bin/test-reproducible-builds.sh` and comparing the
locally-built jar checksums against the staged artifacts.
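Review bot: Step 15 does not say which copy of the "staged artifacts" the locally built jar checksums are compared against, or what happens on a mismatch. Name the source explicitly (for example the directory that step 14's `etc/bin/verify.sh` downloads into, if that is the intent) and state that a mismatch must be resolved before the vote starts. In step 14, the description says GPG signatures are verified but not against which keys. Say whether the script checks against the project's published KEYS file or against whatever is in the release manager's local keyring, since a signature that validates against an unpinned key does not establish who signed. The output directory `/tmp/geb-«version»-verify` is a fixed, predictable path; on a shared machine a directory created with `mktemp -d` would be safer to recommend.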
Review Comment:
Does "staged artifacts" refer to the jars staged at
https://repository.apache.org/#stagingRepositories during a release vote?