Hi Gary,

On Wed, 20 Dec 2023 at 14:57, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> Also FYI, over at Log4j, we (Volkan and Piotr are the drivers) have been
> creating releases from GitHub. I'm not sure we need to go this far here,
> but there might be tidbits there that may prove useful.
Thanks for mentioning it. I think we could put all our scripts together and create something better without reinventing the wheel in each project. For example:

* We all receive Dependabot PRs. Volkan did a tremendous amount of work to find a way to merge them automatically (there are GHA permissions everywhere that make it a complex operation, especially if we want to keep the GitHub token's permissions to a minimum). Commons could reuse that.

* At Log4j we use a BeanShell script to create bin and src archives. Personally I find the results acceptable, but somehow lacking (e.g. it fails in Git worktrees). For this task the `commons-release-plugin` together with the `maven-assembly-plugin` and a list of files from the `maven-scm-plugin` could be a better choice.

* If we were to start publishing VEX files, a common GitHub Actions bot could help inter-project coordination. For example if a `commons-compress` dependency publishes a CVE (let's say `snappy-java` to make it real), the bot could open an issue in `commons-compress`. After the Commons team analyses the issue with a justification, the bot could open an issue with `log4j-core` (which uses `commons-compress`) and attach the analysis performed by the Commons team, thus greatly simplifying the process.

Piotr

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
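The VEX coordination flow sketched in the third bullet (Commons publishes an analysed statement for `commons-compress`, the bot forwards it to `log4j-core` with the justification attached) can be modelled in a few lines. The following is an added example written for this thread, not code from Commons, Log4j or any existing bot. It assumes the VEX files would be OpenVEX-style JSON; the CVE id, the package versions, the document URL and the reverse dependency map are constructed placeholders. It forwards only finished analyses (`not_affected`, `affected`, `fixed`), refuses a `not_affected` statement that carries no justification or impact statement (there would be nothing to attach downstream), and opens at most one issue per CVE and downstream project.

```python
import json

# Constructed sample (not a real advisory): an OpenVEX-style document published by
# the Commons team for commons-compress, recording their analysis of a vulnerability
# reported against its snappy-java dependency. CVE id and versions are placeholders.
UPSTREAM_VEX = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/commons-compress/1",
  "author": "Apache Commons team (constructed sample)",
  "timestamp": "2023-12-20T15:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-YYYY-NNNN"},
      "products": [
        {
          "@id": "pkg:maven/org.apache.commons/commons-compress@0.0.0-sample",
          "subcomponents": [{"@id": "pkg:maven/org.xerial.snappy/snappy-java@0.0.0-sample"}]
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "constructed: the affected code path is never reached."
    }
  ]
}
""")

# Hypothetical reverse dependency map the bot would maintain (constructed).
DEPENDENCIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@0.0.0-sample": [
        "pkg:maven/org.apache.commons/commons-compress@0.0.0-sample",
    ],
}

# Only finished analyses are worth forwarding; "under_investigation" would just
# create noise in every downstream project.
FORWARDABLE = {"not_affected", "affected", "fixed"}


def validate_statement(statement):
    """Reject statements a downstream team could not act on."""
    if "name" not in statement.get("vulnerability", {}):
        raise ValueError("statement has no vulnerability name")
    if statement.get("status") == "not_affected" and not (
        statement.get("justification") or statement.get("impact_statement")
    ):
        # OpenVEX expects a justification or impact statement with not_affected;
        # without one there is no analysis to attach to the downstream issue.
        raise ValueError("not_affected statement carries no justification")


def downstream_of(product_id, dependencies):
    """Products whose dependency list contains product_id."""
    return sorted(p for p, deps in dependencies.items() if product_id in deps)


def build_issue(downstream_id, statement, product, upstream_vex):
    """Issue text carrying the upstream analysis verbatim to the downstream project."""
    vuln = statement["vulnerability"]["name"]
    body = [
        f"Upstream VEX: {upstream_vex['@id']} (author: {upstream_vex['author']})",
        f"Affected dependency: {product['@id']}",
        f"Upstream status: {statement['status']}",
    ]
    for key in ("justification", "impact_statement", "action_statement"):
        if key in statement:
            body.append(f"{key}: {statement[key]}")
    return {
        "target": downstream_id,
        "title": f"{vuln}: reported against transitive dependency {product['@id']}",
        "body": "\n".join(body),
    }


def propagate(upstream_vex, dependencies):
    """Return the issues a coordination bot would open for each downstream product."""
    issues, seen = [], set()
    for statement in upstream_vex["statements"]:
        validate_statement(statement)
        if statement["status"] not in FORWARDABLE:
            continue
        for product in statement["products"]:
            for downstream_id in downstream_of(product["@id"], dependencies):
                key = (statement["vulnerability"]["name"], downstream_id)
                if key in seen:  # one issue per (CVE, downstream project)
                    continue
                seen.add(key)
                issues.append(build_issue(downstream_id, statement, product, upstream_vex))
    return issues


if __name__ == "__main__":
    for issue in propagate(UPSTREAM_VEX, DEPENDENCIES):
        print(issue["target"], "->", issue["title"])
        print(issue["body"])
```

Wiring this into a workflow would mean reading the published VEX file from the upstream release and calling the GitHub issues API for each entry `propagate` returns; the dependency map is the part a real bot would have to source from the projects' own build metadata rather than a hard-coded table.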