bchapuis commented on issue #492: URL: https://github.com/apache/incubator-baremaps/issues/492#issuecomment-1312841422
@CalvinKirs @julianhyde @LeonardBesseau I'm progressing on the various tasks associated with the first release, and would like to have your opinion on PGP signatures. Right now, we do have an action that signs the jar files published on maven central. A PGP key dedicated to the project is stored as a secret on github. Do you think it fine to use a similar approach to sign the source and binary distributions published on github? We may ask the committers to sign the project's key, but I'm not totally sure about the implications of this. This approach would make the release process very simple. In order to release, one of the committer would have to execute the following: ``` mvn release:prepare -DautoVersionSubmodules=true -DgenerateBackupPoms=false ``` As the release plugin creates a tag for the release (vX.Y.Z), the creation of the assets can be automated with an action. Furthermore, the release can remain a [draft](https://github.com/apache/incubator-baremaps/blob/9c746129246f9e38cc6a6b2367ae5e53783aac88/.github/workflows/release.yml#L31) until the vote passes on the mailing list. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org For additional commands, e-mail: dev-h...@baremaps.apache.org
