could be good. why not set it up for the third-party module first to see how well it works?
On Tue, 18 Jul 2023 at 21:05, Ayush Saxena <ayush...@gmail.com> wrote: > Something we can explore as well!! > > -Ayush > > Begin forwarded message: > > > From: Volkan Yazıcı <vol...@yazi.ci> > > Date: 19 July 2023 at 1:24:49 AM IST > > To: d...@community.apache.org > > Subject: Signing releases using automated release infra > > Reply-To: d...@community.apache.org > > > > Abstract: Signing release artifacts using an automated release > > infrastructure has been officially approved by LEGAL. This enables > > projects to sign artifacts using, say, GitHub Actions. > > > > I have been trying to overhaul the Log4j release process and make it > > as frictionless as possible since last year. As a part of that effort, > > I wanted to sign artifacts in CI during deployment and in a > > `members@a.o` thread[0] I explained how one can do that securely with > > the help of Infra. That was in December 2022. It has been a long, > > rough journey, but we succeeded. In this PR[1], Legal has updated the > > release policy to reflect that this process is officially allowed. > > Further, Infra put together guides[2][3] to assist projects. Logging > > Services PMC has already successfully performed 4 Log4j Tools releases > > using this approach, see its release process[4] for a demonstration. > > > > [0] (members only!) > > https://lists.apache.org/thread/1o12mkjrhyl45f9pof94pskg55vhs61n > > [1] https://github.com/apache/www-site/pull/235 > > [2] https://infra.apache.org/release-publishing.html#signing > > [3] > https://infra.apache.org/release-signing.html#automated-release-signing > > [4] > https://github.com/apache/logging-log4j-tools/blob/master/RELEASING.adoc > > > > # F.A.Q. > > > > ## Why shall a project be interested in this? > > > > It greatly simplifies the release process. See Log4j Tools release > > process[4], probably the simplest among all Java-based ASF projects. > > > > ## How can a project get started? > > > > 1. Make sure your project builds are reproducible (otherwise there is > > no way PMC can verify the integrity of CI-produced and -signed > > artifacts) > > 2. Clone and adapt INFRA-23996 (GPG keys in GitHub secrets) > > 3. Clone and adapt INFRA-23974 (Nexus creds. in GitHub secrets for > > snapshot deployments) > > 4. Clone and adapt INFRA-24051 (Nexus creds. in GitHub secrets for > > staging deployments) > > > > You might also want to check this[5] GitHub Action workflow for > inspiration. > > > > [5] > https://github.com/apache/logging-log4j-tools/blob/master/.github/workflows/build.yml > > > > ## Does the "automated release infrastructure" (CI) perform the full > release? > > > > No. CI *only* uploads signed artifacts to Nexus. The release manager > > (RM) still needs to copy the CI-generated files to SVN, PMC needs to > > vote, and, upon consensus, RM needs to "close" the release in Nexus > > and so on. > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@community.apache.org > > For additional commands, e-mail: dev-h...@community.apache.org > > >
