
Publish the final released zip files to Maven Central also

Open nielsbasjes opened this issue 1 year ago • 12 comments

As discussed here https://lists.apache.org/thread/14xzmfgh6qn8qmlw8fdfbwszpox8gnv0 the desired change is to also publish the artifacts to Maven Central in addition to the currently used GitHub releases page and the Apache download servers.

The normal maven ends up here https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip

I propose to put the mvnd in a similar location with the intent of making it easily findable to others. https://repo.maven.apache.org/maven2/org/apache/maven/apache-mvnd/1.0.2/...

nielsbasjes avatar Oct 05 '24 12:10 nielsbasjes

Sure, could you write a script that does that?

gnodet avatar Oct 05 '24 12:10 gnodet

Maven Central requires artefacts to be signed. Question: is it allowed by ASF policy to store PGP keys used to sign outside of your own release manager workstation?

slachiewicz avatar Oct 05 '24 12:10 slachiewicz

Perhaps a semi automated process? First release it all the current way and then have a separate script that fetches, signs and publishes the artifacts from the developer machine?

nielsbasjes avatar Oct 05 '24 12:10 nielsbasjes

The files I see here are already signed https://downloads.apache.org/maven/mvnd/1.0.2/ How do they get there? Where are they signed?

nielsbasjes avatar Oct 05 '24 12:10 nielsbasjes

The files I see here are already signed https://downloads.apache.org/maven/mvnd/1.0.2/

How do they get there? Where are they signed?

Using the script build/release-candidate.sh which should be run on the release manager laptop.

gnodet avatar Oct 05 '24 13:10 gnodet

Maven Central requires artefacts to be signed. Question: is it allowed by ASF policy to store PGP keys used to sign outside of your own release manager workstation?

I think using GitHub secrets could work. I managed to fully automate the JLine release process on GitHub, but it does have the ASF voting mechanism. But if we could semi-automate releases for any ASF project, that would be nice.

gnodet avatar Oct 05 '24 13:10 gnodet

same issue #707

gzm55 avatar Oct 05 '24 14:10 gzm55

The files I see here are already signed https://downloads.apache.org/maven/mvnd/1.0.2/ How do they get there? Where are they signed?

Using the script build/release-candidate.sh which should be run on the release manager laptop.

The release process is documented at https://github.com/apache/maven-mvnd/blob/master/RELEASING.adoc

I'm open to any change, as long as it can be scripted.

gnodet avatar Oct 05 '24 15:10 gnodet

https://infra.apache.org/release-distribution.html#sigs-and-sums

Looks like the only limitation is to not store keys on ASF infra. I haven't found a requirement to use the key assigned to the person (but it must be in KEYS), and infra recommends having automated signing.

slachiewicz avatar Oct 05 '24 15:10 slachiewicz

The release process is documented at https://github.com/apache/maven-mvnd/blob/master/RELEASING.adoc

I'm open to any change, as long as it can be scripted.

Looking at the scripting I see right now, how about this:

  • A new script build/publish-on-mavencentral.sh is added, which is called from build/release-publish.sh
  • This new script simply downloads all published files (including all the signature files and file hashes) from https://downloads.apache.org/maven/mvnd/${VERSION}
  • And then simply runs the maven deploy plugin on each file to publish them as-is to Maven Central.

Would that work?

nielsbasjes avatar Oct 05 '24 17:10 nielsbasjes
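
A pre-publish check for the download-then-deploy proposal above, as an added example that is not part of the thread or of the mvnd build scripts: it refuses to continue unless every downloaded artifact has a matching checksum and a signature file beside it. The `.sha512`/`.asc` sidecar naming, the function names and the use of GNU `sha512sum` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: gate to run on the download directory before re-publishing.
# Assumptions: sidecars are named <file>.sha512 and <file>.asc; GNU sha512sum.

# Print the lowercase hex SHA-512 digest of a file.
sha512_of() {
  sha512sum "$1" | awk '{print tolower($1)}'
}

# Read the expected digest from a sidecar. Accepts a bare hash as well as
# the "hash  filename" layout that sha512sum writes.
expected_sha512() {
  awk 'NF { print tolower($1); exit }' "$1"
}

# verify_release_dir DIR: return 0 only if every artifact in DIR has a
# matching .sha512 and a non-empty detached .asc signature next to it.
verify_release_dir() {
  local dir=$1 f want got failures=0 checked=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.sha512|*.asc) continue ;; esac
    checked=$((checked + 1))
    if [ ! -s "$f.asc" ]; then
      echo "MISSING SIGNATURE: $f" >&2; failures=$((failures + 1))
    fi
    if [ ! -s "$f.sha512" ]; then
      echo "MISSING CHECKSUM: $f" >&2; failures=$((failures + 1)); continue
    fi
    want=$(expected_sha512 "$f.sha512")
    got=$(sha512_of "$f")
    # A SHA-512 digest is exactly 128 hex characters; reject anything else.
    if ! printf '%s' "$want" | grep -Eq '^[0-9a-f]{128}$' || [ "$want" != "$got" ]; then
      echo "CHECKSUM MISMATCH: $f" >&2; failures=$((failures + 1))
    fi
  done
  # An empty download directory must not count as a verified release.
  [ "$checked" -gt 0 ] && [ "$failures" -eq 0 ]
}
```

A matching checksum only shows the file survived the transfer intact; authenticity still comes from checking each `.asc` with `gpg --verify` against the project's KEYS file before anything is deployed.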

The release process is documented at https://github.com/apache/maven-mvnd/blob/master/RELEASING.adoc

I'm open to any change, as long as it can be scripted.

Looking at the scripting I see right now, how about this:

  • A new script build/publish-on-mavencentral.sh is added, which is called from build/release-publish.sh
  • This new script simply downloads all published files (including all the signature files and file hashes) from https://downloads.apache.org/maven/mvnd/${VERSION}
  • And then simply runs the maven deploy plugin on each file to publish them as-is to Maven Central.

Would that work?

I think it would be better if the files would be published to http://repository.apache.org so that they can be linked during the vote. So maybe rather call it from release-candidate.sh, which would even be easier given we already have all the files available at that time. So upload all the files to the ASF nexus. Ideally, the script would close the repo, and the release-publish.sh would publish the repository to central. I'm not sure how those last two steps can be done. @cstamas may know...

gnodet avatar Oct 05 '24 22:10 gnodet

I will just leave this here, as we need multiple aspects from it (different binaries built on different runners, etc): https://gist.github.com/cstamas/69e6365bbb70521923020d68369bf8e5

cstamas avatar Oct 06 '24 09:10 cstamas