-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #754 from sigstore/add-maven-to-release
Add maven-plugin to releases, update release instructions
- Loading branch information
Showing
3 changed files
with
33 additions
and
37 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,46 +1,41 @@ | ||
| # Releasing | ||
|
|
||
| At the moment, this release only the `sigstore-java` library | ||
| Release is done on github. Do not release from your local machine. | ||
|
|
||
| ## Creating a release | ||
| Use the action "Tag and Build Release" with the version (ex `0.5.3`) to create a new release on github. It will | ||
| - tag `main` (or a branch) with `v0.5.3` | ||
| - create a new release with name `v0.5.3` containing | ||
| - all `sigstore-java` artifacts | ||
| - a slsa attesation for the release build | ||
| ## Create a tag | ||
|
|
||
| #### Reverting a failed release (Github only) | ||
| If a release build fails for any reason or the resulting artifacts are not as expected, you must clean-up | ||
| any tags or releases built during the action | ||
| 1. Delete the release from [Releases](https://github.com/sigstore/sigstore-java/releases) | ||
| 2. Delete the tag from [Tags](https://github.com/sigstore/sigstore-java/tags) | ||
|
|
||
| ## Building a release bundle for maven central | ||
| Tag the release at the version you wish (ex `v0.5.3`), this *MUST* match the project version (`0.5.3`). See version info in [gradle.properties](gradle.properties). | ||
|
|
||
| The local release script requires you to have `cosign` and `gpg` installed. It | ||
| - downloads the latest release from github (ex `v0.5.3`) | ||
| - signs all artifacts (except slsa attestation) with cosign | ||
| - signs *everything* with gpg to satisfy maven central | ||
| - bundles all the files into `sigstore-java-0.5.3-bundle.jar` | ||
| ## Release `sigstore-java` and `sigstore-maven-plugin` | ||
|
|
||
| ``` | ||
| $ cd ./scripts | ||
| $ ./sign_and_bundle_release.sh | ||
| ``` | ||
| - Use the "Release sigstore-java and sigstore-maven-plugin to Maven Central" action against the tagged version `v0.5.3'. This action builds, signs and pushes the artifacts to Maven Central. | ||
|
|
||
| ## Releasing to maven central | ||
| #### Complete the release on maven central | ||
|
|
||
| Releasing to maven central is a **permanent** action, it cannot be reverted | ||
|
|
||
| Upload the bundle: | ||
| 1. Log into [sonatype (s01)](https://s01.oss.sonatype.org) | ||
| 2. Click "Staging Upload" on the left navbar | ||
| 3. Set "Upload Mode" to "Artifact Bundle" | ||
| 4. Then select `sigstore-java-0.5.3-bundle.jar` that was generated by `sign_and_bundle_release.sh` | ||
| 5. Click "Upload Bundle" | ||
|
|
||
| Release the bundle: | ||
| 1. Log into [sonatype (s01)](https://s01.oss.sonatype.org) | ||
| 1. Click "Staging Repositories" on the left navbar | ||
| 2. Select your artifact and ensure all checks have passed | ||
| 3. Click "release" | ||
| 4. If checks are failing, "drop" the bundle and fix the release process | ||
| 1. Select your artifact, "close" it to begin checks | ||
| 1. After all checks have passed, "release" it | ||
| 1. If checks are failing, "drop" the bundle and fix the release process | ||
| 1. Releases show up on Maven Central roughly 1-2 hours after release | ||
|
|
||
| ## Release `sigstore-gradle-plugin` to Gradle Plugin Portal | ||
|
|
||
| - Use the "Release sigstore gradle plugins to Gradle Plugin Portal" action against the tagged version `v0.5.3'. This action builds, signs and pushes the artifacts to the Gradle Plugin Portal | ||
| - There is no follow up here, plugins are auto released on the plugin portal.## Reverting a failed release (Github only) | ||
|
|
||
| If a release build fails for any reason or the resulting artifacts are not as expected, you must clean-up | ||
| any tags or releases built during the action | ||
| 1. Delete the release from [Releases](https://github.com/sigstore/sigstore-java/releases) | ||
| 2. Delete the tag from [Tags](https://github.com/sigstore/sigstore-java/tags) | ||
|
|
||
| ### Maven Central | ||
|
|
||
| You can try to contact support but typically releases are permanent. | ||
|
|
||
| ### Gradle Plugin Portal | ||
|
|
||
| If you wish to revert a release, you must login to the portal using `sigstore-java-releasers` within 7 days to delete a release. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters