Hi Bertil, baremaps PPMC,

Thanks for checking! That sounds pretty good already.

Part of the challenge in releasing from CI is that CI systems are notoriously hard to secure, and an undetected supply-chain attack could lead to publishing artifacts with injected malware. For that reason I'm sure you've seen that we require that you make your build bit-by-bit reproducible, and include steps in your release process to make sure you reproduce the build on independent hardware before promoting your release.

Have you started documenting your release procedure yet? Have you included reproducing the artifacts as a step?

Kind regards,
Arnout

On Fri, Mar 15, 2024 at 11:04 AM Bertil Chapuis <bchap...@gmail.com> wrote:
>
> Hello Apache Security Team,
>
> We are currently trying to automate the release process of Apache Baremaps (incubating) [1]. As highlighted in the documentation, it seems possible to get github secrets to sign artifacts [2]. Other projects are also using a nexus username and password to publish maven snapshots and releases [3, 4].
>
> To do so, we drafted two release workflows on Github Actions.
> - The first one [5] publishes a pre-release on GitHub. The source and binary artifacts are signed and hashed. This workflow currently works with a test key set as a secret in our CI.
> - The second one [6] tries to publish snapshot artifacts on Nexus. Later on, the intent is also to automate the publication of release artifacts. This workflow currently fails with a 401 Unauthorized error.
>
> The INFRA Team asked for a review of the workflow by the security team before setting the following secrets in the CI.
> - NEXUS_USERNAME
> - NEXUS_PASSWORD
> - GPG_KEY_ID
> - GPG_PASSPHRASE
> - GPG_PRIVATE_KEY
>
> Thanks a lot for your help,
>
> Bertil Chapuis
>
> [1] https://github.com/apache/incubator-baremaps/issues/752
> [2] https://infra.apache.org/release-signing.html#automated-release-signing
> [3] https://github.com/apache/drill/blob/26f4d30dbefcc09a7dfe05576d3f9c7b45d822a0/.github/workflows/publish-snapshot.yml#L42
> [4] https://infra.apache.org/publishing-maven-artifacts.html
> [5] https://github.com/apache/incubator-baremaps/blob/293da521086c402ce78be931a8e90ecb50e58e7e/.github/workflows/release.yml
> [6] https://github.com/apache/incubator-baremaps/blob/293da521086c402ce78be931a8e90ecb50e58e7e/.github/workflows/publish.yml

--
Arnout Engelen
ASF Security Response
Apache Pekko PPMC member
ASF Member
NixOS Committer
Independent Open Source consultant

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org
For additional commands, e-mail: dev-h...@baremaps.apache.org
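The reproduce-before-promote step Arnout asks for, as an added example that is not part of this thread or of the Baremaps project: a shell check that an artifact rebuilt on independent hardware is bit-for-bit identical to the CI-published artifact and its published `.sha512`, with a signature check when gpg and the `.asc` are present. File names are hypothetical; the `<artifact>.sha512` / `<artifact>.asc` naming follows the ASF convention referenced in the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the project). Compares an artifact
# published by the CI workflow against an independent local rebuild, using
# the .sha512 file the workflow publishes next to the artifact.

sha512_of() {
    # Print only the hex digest, with whichever tool the host provides.
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_reproduction PUBLISHED_ARTIFACT REBUILT_ARTIFACT
# Returns 0 only when the published .sha512 matches both the downloaded
# CI artifact and the independent rebuild (and the .asc verifies, if present).
verify_reproduction() {
    published="$1"; rebuilt="$2"; sumfile="$1.sha512"
    [ -f "$sumfile" ] || { echo "missing $sumfile" >&2; return 1; }
    # The .sha512 file is either "digest  filename" or a bare digest.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    got_pub=$(sha512_of "$published")
    got_re=$(sha512_of "$rebuilt")
    if [ "$expected" != "$got_pub" ]; then
        echo "FAIL: published artifact does not match its .sha512 (tampered or corrupt)" >&2
        return 1
    fi
    if [ "$expected" != "$got_re" ]; then
        echo "FAIL: independent rebuild differs from CI artifact (build not reproducible)" >&2
        return 1
    fi
    # Signature check only proves anything if the release key is in the local keyring.
    if command -v gpg >/dev/null 2>&1 && [ -f "$published.asc" ]; then
        gpg --verify "$published.asc" "$published" >/dev/null 2>&1 \
            || { echo "FAIL: signature on $published does not verify" >&2; return 1; }
    fi
    echo "OK: independent rebuild reproduces the CI artifact; safe to promote"
    return 0
}
```

A non-zero exit from the hash comparison is the signal to stop the release and investigate the CI environment rather than promote the artifact.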