Looking at this line, I'm trying to understand it...
What does this do on the Maven cmd and who is bc?
-Dgpg.signer=bc
This command generates our release artifacts and signs and notarizes the MacOS package with Apple.
BC stands for "Bouncy Castle", a Java implementation of GPG:
https://maven.apache.org/plugins/maven-gpg-plugin/examples/deploy-signed-artifacts.html#sign-using-bc-signer
Who maintains the GPG_PRIVATE_KEY and PASSPHRASE?
Referencing: https://central.sonatype.org/publish/publish-maven/#gpg-signed-components
I see from the workflow YAML file that it's stored as a variable using GitHub Secrets. Great!
But has the Public Key been uploaded to an OpenPGP keyserver like https://keyserver.ubuntu.com, so that it's distributed throughout the OpenPGP synchronising keyserver decentralised network, so folks can verify our files signed with the keys, like within Central Repository: org/openrefine/openrefine/3.8.5?
We should also add this info to the "How to do an OpenRefine version release | OpenRefine" page.
Starting with Maven 3.5.0-beta-1+, there's now ${revision} and others that are extremely helpful for OSS that publish themselves, especially as libraries as well.
So, I wanted to bring attention to that, which was useful for us on the DB2Rest project; like OpenRefine, it's also a multi-module project that publishes libraries.
The new-ish guide "Maven – Maven CI Friendly Versions" shows examples for multi-modules and how we used ${revision} and also used oss for the <flattenMode> in the have-to-use plugin mentioned in it for deployments: "Maven Flatten Plugin – flatten:flatten".
@tfmorris It made things much simpler for us.
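On the earlier question of whether users can verify the signed files on Central: this is an added example, not code from the thread or from the OpenRefine project, showing the consumer-side check of a detached `.asc` signature against a pinned key fingerprint. The names `verify_pinned` and `selftest`, the file `demo.jar` and the throwaway key are constructed for illustration; in real use the release key would be imported first and its full fingerprint taken from a trusted project page.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature against a pinned fingerprint.

# verify_pinned ARTIFACT SIGNATURE EXPECTED_FPR
# Succeeds only if the signature is cryptographically valid AND the primary
# key behind it has exactly the expected 40-hex-digit fingerprint.
verify_pinned() {
    artifact=$1; sig=$2
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    # --status-fd gives machine-readable results; do not parse the human text.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null) || return 1
    # The last field of the VALIDSIG line is the primary key fingerprint.
    got=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# selftest: builds a throwaway key and a constructed "artifact" in a temporary
# GNUPGHOME, then checks the accept, wrong-key and tamper cases offline.
selftest() (
    GNUPGHOME=$(mktemp -d) || exit 1; export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    cd "$GNUPGHOME" || exit 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Key <release@example.invalid>' \
        ed25519 sign never 2>/dev/null || exit 1
    fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null |
          awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'constructed artifact bytes\n' > demo.jar
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output demo.jar.asc demo.jar || exit 1
    verify_pinned demo.jar demo.jar.asc "$fpr" || exit 1      # genuine: accept
    wrong=0000000000000000000000000000000000000000
    verify_pinned demo.jar demo.jar.asc "$wrong" && exit 1    # other key: reject
    printf 'x' >> demo.jar
    verify_pinned demo.jar demo.jar.asc "$fpr" && exit 1      # tampered: reject
    exit 0
)
```

Pinning the fingerprint matters because a keyserver will hand back whatever key matches a lookup; a valid signature from an unexpected key is rejected here just like a tampered file.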