Abstract: Signing release artifacts using an automated release infrastructure has been officially approved by LEGAL. This enables projects to sign artifacts using, say, GitHub Actions.
I have been trying to overhaul the Log4j release process and make it as frictionless as possible since last year. As a part of that effort, I wanted to sign artifacts in CI during deployment, and in a `members@a.o` thread[0] I explained how one can do that securely with the help of Infra. That was in December 2022. It has been a long, rough journey, but we succeeded. In this PR[1], Legal has updated the release policy to reflect that this process is officially allowed. Further, Infra put together guides[2][3] to assist projects. The Logging Services PMC has already successfully performed 4 Log4j Tools releases using this approach; see its release process[4] for a demonstration.

[0] (members only!) https://lists.apache.org/thread/1o12mkjrhyl45f9pof94pskg55vhs61n
[1] https://github.com/apache/www-site/pull/235
[2] https://infra.apache.org/release-publishing.html#signing
[3] https://infra.apache.org/release-signing.html#automated-release-signing
[4] https://github.com/apache/logging-log4j-tools/blob/master/RELEASING.adoc

# F.A.Q.

## Why shall a project be interested in this?

It greatly simplifies the release process. See the Log4j Tools release process[4], probably the simplest among all Java-based ASF projects.

## How can a project get started?

1. Make sure your project builds are reproducible (otherwise there is no way the PMC can verify the integrity of CI-produced and -signed artifacts)
2. Clone and adapt INFRA-23996 (GPG keys in GitHub secrets)
3. Clone and adapt INFRA-23974 (Nexus creds. in GitHub secrets for snapshot deployments)
4. Clone and adapt INFRA-24051 (Nexus creds. in GitHub secrets for staging deployments)

You might also want to check this[5] GitHub Action workflow for inspiration.

[5] https://github.com/apache/logging-log4j-tools/blob/master/.github/workflows/build.yml

## Does the "automated release infrastructure" (CI) perform the full release?

No. CI *only* uploads signed artifacts to Nexus. The release manager (RM) still needs to copy the CI-generated files to SVN, the PMC needs to vote, and, upon consensus, the RM needs to "close" the release in Nexus and so on.
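Step 1 of the getting-started list (reproducible builds) is what lets PMC members check CI-signed artifacts before voting. The following POSIX shell script is an added example, not code from the original mail or from the Log4j Tools project: it compares a local rebuild against the CI-produced artifacts by SHA-256 and verifies each detached `.asc` signature against the project's KEYS file in a throwaway keyring, so a stray key in the reviewer's own keyring cannot make a bad signature pass. The directory layout and the `.jar` suffix are assumptions.

```shell
#!/bin/sh
# Added example: PMC-side verification of CI-produced, CI-signed artifacts.
# Assumes CI_DIR holds artifact.jar + artifact.jar.asc pairs and LOCAL_DIR
# holds the reviewer's own reproducible rebuild of the same artifacts.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# compare_artifacts CI_DIR LOCAL_DIR
# Returns 0 only if every CI artifact has a byte-identical local counterpart.
compare_artifacts() {
  ci_dir=$1; local_dir=$2; status=0
  for ci_file in "$ci_dir"/*.jar; do
    [ -e "$ci_file" ] || continue
    name=$(basename "$ci_file")
    if [ ! -f "$local_dir/$name" ]; then
      echo "MISSING  $name (local build did not produce it)"; status=1; continue
    fi
    ci_sum=$(sha256_of "$ci_file"); local_sum=$(sha256_of "$local_dir/$name")
    if [ "$ci_sum" = "$local_sum" ]; then
      echo "MATCH    $name $ci_sum"
    else
      echo "MISMATCH $name ci=$ci_sum local=$local_sum"; status=1
    fi
  done
  return $status
}

# verify_signatures CI_DIR KEYS_FILE
# Imports only the project's KEYS file into a temporary GNUPGHOME and checks
# each artifact's detached .asc signature against those keys alone.
verify_signatures() {
  ci_dir=$1; keys=$2; status=0
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  gpg --batch --quiet --import "$keys" || { rm -rf "$GNUPGHOME"; return 2; }
  for ci_file in "$ci_dir"/*.jar; do
    [ -e "$ci_file" ] || continue
    if gpg --batch --verify "$ci_file.asc" "$ci_file" 2>/dev/null; then
      echo "SIGNED   $(basename "$ci_file")"
    else
      echo "BADSIG   $(basename "$ci_file")"; status=1
    fi
  done
  rm -rf "$GNUPGHOME"; unset GNUPGHOME
  return $status
}
```

A non-zero exit from either function means the release candidate should not get a +1 until the RM explains the discrepancy.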