diff --git a/.github/ISSUE_TEMPLATE/release-checklist.md b/.github/ISSUE_TEMPLATE/release-checklist.md
index 762954bc..80a98f83 100644
--- a/.github/ISSUE_TEMPLATE/release-checklist.md
+++ b/.github/ISSUE_TEMPLATE/release-checklist.md
@@ -20,3 +20,8 @@ Full release instructions are at: [RELEASING.md](/sigstore/sigstore-java/blob/ma
 - [ ] [sigstore-java](https://repo1.maven.org/maven2/dev/sigstore/sigstore-java)
 - [ ] [sigstore-maven-plugin](https://repo1.maven.org/maven2/dev/sigstore/sigstore-maven-plugin)
 - [ ] sigstore-gradle-plugin [[base](https://plugins.gradle.org/plugin/dev.sigstore.sign-base)], [[sign](https://plugins.gradle.org/plugin/dev.sigstore.sign)]
+
+## Post Release
+- [ ] Update README if required
+- [ ] Update versions (`./scripts/update_version.sh`)
+- [ ] Update CHANGELOG.md
diff --git a/.gitignore b/.gitignore
index d30d2c17..9d2c7859 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,15 @@
 .gradle
 /build
-/*/build
+/**/build
 /out
-/*/out
+/**/out
 /http
+/target
+/**/target
+.mvn/timing.properties
+.mvn/wrapper/maven-wrapper.jar
+
 # For occasional use of https://github.com/melix/includegit-gradle-plugin
 /checkouts
@@ -20,6 +25,9 @@
 .classpath
 .project
 .DS_Store
+.vscode
+.factorypath
 # except this icon
 !/.idea/icon.png
+
diff --git a/RELEASING.md b/RELEASING.md
index 2328fda8..3ed296a4 100644
--- a/RELEASING.md
+++ b/RELEASING.md
@@ -2,6 +2,10 @@
 Release is done on github. Do not release from your local machine.
+
+## Create an issue
+
+Create a release issue using the release template
+
 ## Create a tag
 Tag the release at the version you wish (ex `v0.5.3`), this *MUST* match the project version (`0.5.3`). See version info in [gradle.properties](gradle.properties).
diff --git a/gradle.properties b/gradle.properties
index cf80046d..585f21d9 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -4,7 +4,5 @@ systemProp.org.gradle.kotlin.dsl.precompiled.accessors.strict=true
 group=dev.sigstore
-# remember to also update version in
-# - SigstoreSignExtension.kt
-# - build-logic/publishing/build.gradle.kts
+# use the ./scripts/update_version.sh script to update all versions
 version=0.12.0
diff --git a/scripts/.gitignore b/scripts/.gitignore
deleted file mode 100644
index 94e33d94..00000000
--- a/scripts/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-release_*/
diff --git a/scripts/sign_and_bundle_release.sh b/scripts/sign_and_bundle_release.sh
deleted file mode 100755
index f64305e7..00000000
--- a/scripts/sign_and_bundle_release.sh
+++ /dev/null
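Review bot: The replacement comment above `version=0.12.0` points at `./scripts/update_version.sh`, but the script this commit adds is `scripts/update_versions.sh` (plural), so anyone following the comment gets "no such file"; the release-checklist item added in the same commit repeats the singular name. Change the line to `# use the ./scripts/update_versions.sh script to update all versions` and fix the checklist entry to match.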
@@ -1,57 +0,0 @@
-#!/bin/bash
-set -e
-
-# ask github for the latest release
-# todo: maybe change to take an input
-echo "downloading latest release from github"
-RELEASE_INFO=$(curl -s -H "Accept: application/vnd.github+json" https://api.github.com/repos/sigstore/sigstore-java/releases/latest)
-RELEASE_VERSION="$(echo "$RELEASE_INFO" | jq -r '.tag_name')"
-RELEASE_DIR="release_${RELEASE_VERSION}"
-
-echo "release version is: ${RELEASE_VERSION}"
-
-if [ -d "$RELEASE_DIR" ]; then
-  echo "Directory '$RELEASE_DIR' already exists"
-  exit 1
-fi
-
-# query the json for all the release assets
-readarray -t ASSET_URLS < <(echo "$RELEASE_INFO" | jq -r '.assets[].browser_download_url')
-
-echo "downloading release artifacts"
-for i in "${ASSET_URLS[@]}"
-do
-  echo "$i"
-  wget -q --directory-prefix "$RELEASE_DIR" "$i"
-done
-cd "$RELEASE_DIR"
-
-# cosign sign all the files
-echo "signing with sigstore-java cli"
-for file in *; do
-  # skip intoto attestations, they are already signed
-  if [[ $file == *.intoto.jsonl ]] ; then
-    continue;
-  fi
-  fileabs=$(realpath "$file")
-  # gradle doesn't like running from the "release dir"
-  (cd ../../ && ./gradlew :sigstore-cli:run --args "sign --bundle $fileabs.sigstore $fileabs")
-done
-
-# then gpg sign all the files (including sigstore files)
-# this command uses gpgs default password acceptance mechansim accept a passcode
-echo "signing with gpg"
-for file in *; do
-  if [[ $file == *.sigstore ]]; then
-    continue;
-  fi
-  gpg --batch --detach-sign --armor -o "$file".asc "$file"
-done
-
-# create a maven central compatible bundle jar
-echo "creating maven bundle"
-POM=$(ls ./*.pom)
-BUNDLE_NAME=${POM%.pom}-bundle.jar
-jar -cvf "${BUNDLE_NAME}" ./*
-
-echo "Upload $(realpath "$BUNDLE_NAME") to maven central (https://s01.oss.sonatype.org)"
diff --git a/scripts/update_versions.sh b/scripts/update_versions.sh
new file mode 100755
index 00000000..9ecd369a
--- /dev/null
+++ b/scripts/update_versions.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# this script is simple and should work for most usecases, but it may break if we do weird things
+set -Eeo pipefail
+
+calculated_release_version=$(grep "^version=" gradle.properties | cut -d'=' -f2)
+read -r -p "Enter released version [${calculated_release_version}]: " vin
+release_version=${vin:-${calculated_release_version}}
+
+calculated_previous_version=$(grep "sigstore-gradle-sign-plugin" build-logic/publishing/build.gradle.kts | cut -d':' -f3 | cut -d'"' -f1)
+read -r -p "Enter previous version [${calculated_previous_version}]: " pvin
+previous_version=${pvin:-${calculated_previous_version}}
+
+calculated_next_version=$(echo "$release_version" | awk -F. -v OFS=. '{$2 += 1 ; print}')
+read -r -p "Enter next version [${calculated_next_version}]: " nvin
+next_version=${nvin:-${calculated_next_version}}
+
+echo ""
+echo "previous: $previous_version"
+echo "latest : $release_version"
+echo "next : $next_version"
+read -r -p "Run update? [y/N]: " yn
+go=${yn:-"n"}
+if [ "${go,,}" != "y" ]; then
+  echo "aborting"
+  exit
+fi
+
+# sed below is probably accepting .'s in versions as regex any chars, but this works for our purposes
+
+# updates to new release version
+sed -i "s/\(sigstore-gradle-sign-plugin:\)$previous_version/\1$release_version/" build-logic/publishing/build.gradle.kts
+sed -i "s/\(\)$previous_version/\1$release_version/" sigstore-maven-plugin/README.md
+sed -i "s/\(dev.sigstore.sign\") version \"\)$previous_version/\1$release_version/" sigstore-gradle/README.md
+
+# update to latest dev version
+sed -i "s/\(sigstoreJavaVersion.convention(\"\)$release_version/\1$next_version/" sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt
+sed -i "s/version=$release_version/version=$next_version/" gradle.properties
diff --git a/sigstore-gradle/README.md b/sigstore-gradle/README.md
index 5248ee31..02026eaa 100644
--- a/sigstore-gradle/README.md
+++ b/sigstore-gradle/README.md
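Review bot: The three version strings collected by `read` are spliced unescaped into the five `sed -i` expressions at the end of the script, so a value containing `/`, `&` or `\` corrupts the expression, and the comment already concedes that every `.` is matched as a regex wildcard; a MAJOR.MINOR.PATCH format check before the confirmation prompt, plus escaping the dots for the pattern side, closes both. `sed` also exits 0 when nothing matched, so a wrong previous version leaves the files silently untouched under `set -e`; a `grep -q` for the new value after each substitution (or at least a `git diff --stat` at the end) makes that visible. The `s/\(\)$previous_version/...` line for sigstore-maven-plugin/README.md has an empty group as it appears here, which would rewrite the first bare occurrence of the old version anywhere in that file; if the group's contents were lost on the way to this page ignore this, otherwise anchor it to the tag the README actually uses.
```shell
# … unchanged: shebang, set -Eeo pipefail, the three version prompts …

# refuse anything that is not MAJOR.MINOR.PATCH: the values are spliced into sed expressions below
for v in "$previous_version" "$release_version" "$next_version"; do
  if ! [[ "$v" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    echo "invalid version '$v' (expected MAJOR.MINOR.PATCH)" >&2
    exit 1
  fi
done
# '.' is a regex metacharacter; match the literal dots on the pattern side
prev_re=${previous_version//./\\.}
rel_re=${release_version//./\\.}

# … unchanged: summary echo lines and the "Run update?" prompt …

sed -i "s/\(sigstore-gradle-sign-plugin:\)$prev_re/\1$release_version/" build-logic/publishing/build.gradle.kts
grep -q "sigstore-gradle-sign-plugin:$release_version" build-logic/publishing/build.gradle.kts \
  || { echo "build-logic/publishing/build.gradle.kts was not updated" >&2; exit 1; }
# … unchanged: remaining sed calls, using $prev_re / $rel_re on the pattern side and a grep -q check after each …
```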
@@ -16,7 +16,7 @@ Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-spe
 ```kotlin
 plugins {
- id("dev.sigstore.sign")
+ id("dev.sigstore.sign") version "0.11.0"
 }
 // Automatically sign all Maven publications, using GitHub Actions OIDC when available,
diff --git a/sigstore-maven-plugin/.gitignore b/sigstore-maven-plugin/.gitignore
deleted file mode 100644
index 605bac49..00000000
--- a/sigstore-maven-plugin/.gitignore
+++ /dev/null
@@ -1,24 +0,0 @@
-.vscode
-.factorypath
-.project
-.classpath
-.settings/
-*.iml
-*.ipr
-.idea
-*.class
-*.jar
-target/
-pom.xml.tag
-pom.xml.releaseBackup
-pom.xml.versionsBackup
-pom.xml.next
-pom.xml.bak
-release.properties
-dependency-reduced-pom.xml
-buildNumber.properties
-.mvn/timing.properties
-.mvn/wrapper/maven-wrapper.jar
-.apt_generated/
-.apt_generated_tests/
-bin/