diff --git a/.github/workflows/release-sigstore-java-from-tag.yaml b/.github/workflows/release-sigstore-java-from-tag.yaml index cd8874aa..7cf0abaa 100644 --- a/.github/workflows/release-sigstore-java-from-tag.yaml +++ b/.github/workflows/release-sigstore-java-from-tag.yaml @@ -1,4 +1,4 @@ -name: Release sigstore-java to Maven Central +name: Release sigstore-java and sigstore-maven-plugin to Maven Central on: workflow_dispatch: # user is expected to use a tag as the branch to run the action on @@ -51,7 +51,7 @@ jobs: - name: Build, Sign and Release to Maven Central run: | - ./gradlew clean :sigstore-java:publishMavenJavaPublicationToSonatypeRepository -Prelease + ./gradlew clean :sigstore-java:publishMavenJavaPublicationToSonatypeRepository :sigstore-maven-plugin:publishMavenJavaPublicationToSonatypeRepository -Prelease env: ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_PRIVATE_KEY }} ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }} diff --git a/RELEASING.md b/RELEASING.md index db608f85..2328fda8 100644 --- a/RELEASING.md +++ b/RELEASING.md 
@@ -1,46 +1,41 @@ # Releasing -At the moment, this release only the `sigstore-java` library +Release is done on github. Do not release from your local machine. -## Creating a release -Use the action "Tag and Build Release" with the version (ex `0.5.3`) to create a new release on github. It will -- tag `main` (or a branch) with `v0.5.3` -- create a new release with name `v0.5.3` containing - - all `sigstore-java` artifacts - - a slsa attesation for the release build +## Create a tag -#### Reverting a failed release (Github only) -If a release build fails for any reason or the resulting artifacts are not as expected, you must clean-up -any tags or releases built during the action -1. Delete the release from [Releases](https://github.com/sigstore/sigstore-java/releases) -2. Delete the tag from [Tags](https://github.com/sigstore/sigstore-java/tags) - -## Building a release bundle for maven central +Tag the release at the version you wish (ex `v0.5.3`), this *MUST* match the project version (`0.5.3`). See version info in [gradle.properties](gradle.properties). -The local release script requires you to have `cosign` and `gpg` installed. It -- downloads the latest release from github (ex `v0.5.3`) -- signs all artifacts (except slsa attestation) with cosign -- signs *everything* with gpg to satisfy maven central -- bundles all the files into `sigstore-java-0.5.3-bundle.jar` +## Release `sigstore-java` and `sigstore-maven-plugin` -``` -$ cd ./scripts -$ ./sign_and_bundle_release.sh -``` +- Use the "Release sigstore-java and sigstore-maven-plugin to Maven Central" action against the tagged version `v0.5.3'. This action builds, signs and pushes the artifacts to Maven Central. -## Releasing to maven central +#### Complete the release on maven central Releasing to maven central is a **permanent** action, it cannot be reverted -Upload the bundle: -1. Log into [sonatype (s01)](https://s01.oss.sonatype.org) -2. Click "Staging Upload" on the left navbar -3. 
Set "Upload Mode" to "Artifact Bundle" -4. Then select `sigstore-java-0.5.3-bundle.jar` that was generated by `sign_and_bundle_release.sh` -5. Click "Upload Bundle" - Release the bundle: +1. Log into [sonatype (s01)](https://s01.oss.sonatype.org) 1. Click "Staging Repositories" on the left navbar -2. Select your artifact and ensure all checks have passed -3. Click "release" -4. If checks are failing, "drop" the bundle and fix the release process +1. Select your artifact, "close" it to begin checks +1. After all checks have passed, "release" it + 1. If checks are failing, "drop" the bundle and fix the release process +1. Releases show up on Maven Central roughly 1-2 hours after release + +## Release `sigstore-gradle-plugin` to Gradle Plugin Portal + +- Use the "Release sigstore gradle plugins to Gradle Plugin Portal" action against the tagged version `v0.5.3'. This action builds, signs and pushes the artifacts to the Gradle Plugin Portal +- There is no follow up here, plugins are auto released on the plugin portal.## Reverting a failed release (Github only) + +If a release build fails for any reason or the resulting artifacts are not as expected, you must clean-up +any tags or releases built during the action +1. Delete the release from [Releases](https://github.com/sigstore/sigstore-java/releases) +2. Delete the tag from [Tags](https://github.com/sigstore/sigstore-java/tags) + +### Maven Central + +You can try to contact support but typically releases are permanent. + +### Gradle Plugin Portal + +If you wish to revert a release, you must login to the portal using `sigstore-java-releasers` within 7 days to delete a release. diff --git a/gradle.properties b/gradle.properties index 4a2334ec..315017e6 100644 --- a/gradle.properties +++ b/gradle.properties 
@@ -3,7 +3,8 @@ org.gradle.jvmargs=-XX:MaxMetaspaceSize=768m systemProp.org.gradle.kotlin.dsl.precompiled.accessors.strict=true group=dev.sigstore -# remember to also update + +# remember to also update version in # - SigstoreSignExtension.kt # - build-logic/publishing/build.gradle.kts version=0.11.0
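Review bot: In the `Build, Sign and Release to Maven Central` step of the workflow hunk, running `:sigstore-java:publishMavenJavaPublicationToSonatypeRepository` and `:sigstore-maven-plugin:publishMavenJavaPublicationToSonatypeRepository` in one Gradle invocation means a failure in the second publication can leave the first already uploaded to staging. RELEASING.md tells the operator to 'Select your artifact, "close" it to begin checks' (singular), so the docs should state whether both publications land in one staging repository that is closed and released together, or whether two repositories must be closed, released, or dropped as a pair on failure. Also confirm that the `sigstore-maven-plugin` project actually declares a publication named `mavenJava`, since the task name is derived from it and nothing in this patch shows that project's build file.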
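Review bot: The new RELEASING.md text has rendering defects and a few gaps. `v0.5.3'` (in both the Maven Central and Gradle Plugin Portal bullets) closes a backtick with an apostrophe; it should be `v0.5.3`. The line ending `plugins are auto released on the plugin portal.## Reverting a failed release (Github only)` runs the heading onto the previous bullet, so it will not render as a heading; a blank line is needed before `## Reverting a failed release (Github only)`. On content: the removed text documented cosign signatures on the artifacts and an SLSA attestation for the release build, while the replacement only says the action "builds, signs and pushes" and the workflow hunk shows PGP secrets only, so the doc should say whether cosign and SLSA outputs are still produced by the GitHub action or have been dropped. The revert section still says "any tags or releases built during the action", but in the new flow the operator creates the tag manually and runs the Maven Central action against it; say which action, if any, creates a GitHub release. Finally, the doc points at a "Release sigstore gradle plugins to Gradle Plugin Portal" action that does not appear in this patch; confirm it exists under that exact name.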