One of my Pekko colleagues found that this process is documented. I wasn't aware that this approach has been approved as long as the security team signs off.
https://infra.apache.org/release-signing.html#automated-release-signing On Mon, 3 Jul 2023 at 12:04, tison <wander4...@gmail.com> wrote: > > Update mailing list. Or if I should start a new thread totally? > > Best, > tison. > > > tison <wander4...@gmail.com> 于2023年7月3日周一 19:00写道: > > > Hi Daniel, > > > > Thanks for your information! That can be an alternative for the signing > > key. > > > > Right now the blocker I met is 403 from the Nexus server which I suspect > > is the lack of permissions from the Nexus credentials. Could you confirm or > > correct it? > > > > Best, > > tison. > > > > > > tison <wander4...@gmail.com> 于2023年7月3日周一 18:58写道: > > > >> Hi PJ, > >> > >> Thanks for sharing your thoughts! > >> > >> For signing key, it's a resolved topic from my perspective. I use - > >> > >> 1. A signing key commented with OPENDAL CODE AUTO SIGNING KEY[1] > >> 2. Load the key from our 1password service, while since it's a specific > >> key, I feel comfortable to pass it to INFRA member and configure as a > >> secret alternatively. > >> > >> Best, > >> tison. > >> > >> [1] https://dist.apache.org/repos/dist/release/incubator/opendal/KEYS > >> > >> > >> PJ Fanning <fannin...@apache.org> 于2023年7月3日周一 18:52写道: > >> > >>> Adding the Incubator general list. > >>> > >>> My view would be that non-snapshot binary artifacts should be signed > >>> with a personal signing key - ideally the signing key that was used to > >>> release the related source release. Unfortunately, this would mean > >>> adding a user's signing key to the Apache GitHub account as a secret > >>> so that the automated GitHub Action job could access it. I don't see > >>> how we could allow personal signing keys to be added like this. > >>> > >>> On Mon, 3 Jul 2023 at 10:18, tison <wander4...@gmail.com> wrote: > >>> > > >>> > cc security > >>> > > >>> > Missed in the first place. > >>> > > >>> > Best, > >>> > tison. > >>> > > >>> > > >>> > tison <wander4...@gmail.com> 于2023年6月29日周四 22:21写道: > >>> >> > >>> >> Hi security team members, > >>> >> > >>> >> I'm tison from OpenDAL Podling[1], a Rust lib providing Java binding. > >>> >> > >>> >> I already verify that GitHub Actions work well for automatically > >>> deploying OpenDAL Java binding[2]. > >>> >> > >>> >> When integrating it with upstream (apache/incuabtor-opendal), I met a > >>> problem that deploying Maven projects requires NEXUS credentials. For my > >>> personal repo, I can config my Apache ID and password as secrets. For > >>> apache repos, it requires handing over the credentials to INFRA team > >>> member. Even I can trust the member, it's a bit less than awesome. > >>> >> > >>> >> Fortunately, INFRA provides two org-wise secrets NEXUS_USER and > >>> NEXUS_PW for doing so[3]. But it's limited to deploying snapshots only. > >>> INFRA member suggested me to consult security team for approval for such > >>> automatic deployment and they would help to grant related permissions if > >>> approved. > >>> >> > >>> >> Please help review the request to support ASF projects deploying > >>> Maven project via GitHub Actions. > >>> >> > >>> >> Best, > >>> >> tison. > >>> >> > >>> >> [1] http://github.com/apache/incubator-opendal > >>> >> [2] https://github.com/tisonkun/ci-opendal/actions/runs/5326589752 > >>> >> [3] > >>> https://github.com/apache/incubator-opendal/blob/f887b671c0aae523d8862762eec71e6179e0975c/.github/workflows/bindings_java.yml#L192 > >>> >> > >>> > >>> --------------------------------------------------------------------- > >>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > >>> For additional commands, e-mail: general-h...@incubator.apache.org > >>> > >>> --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
