alternator-load-balancing

Add publish workflow

Open julienrf opened this issue 1 year ago • 6 comments

This PR is based on #17 and adds another workflow for publishing the Java artifacts (based on https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-Apache-Maven).

To perform a release, the maintainers of this repository will have to trigger the release workflow from the Actions tab and set the release version from there (see the added file CONTRIBUTING.md). The workflow will build the jars and publish them to Sonatype, which requires credentials that need to be provided as repository secrets.

As reflected in the README.md, this will change the way users can reuse the load-balancing module: they will be able to add a regular library dependency on the artifact com.scylladb.alternator:load-balancing instead of manually building the jar and adding it to their project classpath.

After the PR is merged, I need someone to set up the secrets and to try the workflow (see the instructions here: https://central.sonatype.org/publish/publish-guide/).

julienrf avatar Apr 29 '24 07:04 julienrf

this assumes having GH actions access to our creds (can you advise here @yaronkaikov @d-helios ? or shall we better take it to internal CI/CD as we do with java driver ?)

tarzanek avatar Apr 29 '24 07:04 tarzanek

As I mentioned in my review of #17 I'm an absolute newbie in both github workflows and Maven, but I do have quite a number of years of security experience, and I'm not very happy about the process described here:

If the "publishing" process is manual (a human - e.g., me, will need to perform the publishing), why does it need to happen on github's site, and why should github be told the secret of some other site (I'll read that "sonatype" page you mention later, I've never even heard of them - how are they related to Maven?)? Why shouldn't we do the opposite - i.e., I go to Maven's site and press a button there to download the jars from somewhere else?

There is something basic I don't understand... If I remember correctly, Github already has a way to publish deliverables. Can't we publish Jars in this way? Do these Jars have to be in a specific place (sonatype.org) to be used? Can't they be hosted by github.com?

nyh avatar Apr 30 '24 16:04 nyh

Hey @nyh, these are all good questions!

If the "publishing" process is manual (a human - e.g., me, will need to perform the publishing), why does it need to happen on github's site and github should be told the secret of some other site

It does not need to happen on GitHub, but GitHub has utilities to support the whole software lifecycle, including performing releases, so I thought it would be convenient. That being said, if you already have an internal CI/CD infrastructure for the java-driver, it is probably better to reuse it instead of using a GitHub Workflow. Reusing your existing infrastructure would be beneficial both security-wise and homogeneity-wise :)

I'll read that "sonatype" page you mention later, I never even heard of them - how are they related to Maven?

Sonatype hosts the Maven Central repository. You can learn more about the history here.

Why shouldn't we do the opposite - i.e., I go to Maven's site and press a button there to download the jars from somewhere else?

That’s also a possibility (see here) but I don’t think it would be beneficial. Maintainers would have to build the project and then upload the jars manually. Here, I propose to automate the release process by having a single workflow that both builds the artifacts and uploads them. From my experience, it is a good idea to publish from a CD infrastructure rather than requiring the maintainers to build the packages on their own machine because the maintainers may incorrectly build the packages (e.g. if they have local changes in the code repository). But again, we could get the benefits of an automated release workflow without using GitHub Actions by reusing your existing CD infrastructure (the one you use for the Java driver).

Github already has a way to publish deliverables. Can't we publish Jars in this way? Do these Jars have to be in a specific place (sonatype.org) to be used? Can't they be hosted by github.com?

This is true, we could publish to GitHub packages instead of the Central repository. I think the Central repository is a better choice because it works out of the box with many build tools (with no extra configuration) and it is the largest Java packages repository in the world.

julienrf avatar May 01 '24 06:05 julienrf

I see in https://github.com/scylladb/scylla-pkg/issues/3792#issuecomment-2094748627 that our Java driver team is handling similar things for the CQL Java drivers that need to be published. I think @avelanarius and @roydahan are more familiar with the details and permissions/signature aspects of how we do this, and we could do something similar for the Alternator Java library as well.

nyh avatar May 05 '24 11:05 nyh

The direction is ok, we have other repositories that use Github Actions for CI/CD. I'm not sure about the storing of credentials and how we usually deal with it.

@yaronkaikov / @avelanarius ?

roydahan avatar May 05 '24 23:05 roydahan

In my experience, the usual way to do it is to create a repository-specific token that can be used instead of the actual Sonatype password. You can then store that token in the GitHub secrets.

julienrf avatar May 06 '24 07:05 julienrf
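
For readers following the thread, here is what the manually triggered release workflow julienrf describes (version supplied from the Actions tab, jars built and deployed to Sonatype, credentials coming from repository secrets) and the token-instead-of-password arrangement he recommends look like in practice. This is an added illustration, not the workflow from the PR or from the scylladb repository; it follows the actions/setup-java publishing guide linked in the first comment. The secret names, the `release` environment, the `ossrh` server id and the JDK version are assumptions and would have to match the project's pom.xml and the maintainers' Sonatype account.

```yaml
# Added example (not the PR's own workflow): manual release to Maven Central.
name: Publish to Maven Central

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release version to publish, e.g. 1.0.0"
        required: true
        type: string

# Least privilege for the built-in GITHUB_TOKEN: the job only reads the repo.
# Publishing authenticates to Sonatype with its own token, not GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed GitHub "environment" named release. Secrets stored on an
    # environment are only handed to jobs that target it, and the environment
    # can be configured to require approval from named maintainers before the
    # job (and therefore the Sonatype token) is released to the runner.
    environment: release
    steps:
      - uses: actions/checkout@v4

      - name: Set up JDK and generate ~/.m2/settings.xml
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '11'          # assumption: use the project's actual target JDK
          # setup-java writes a <server> entry whose username/password are the
          # NAMES of environment variables, resolved by Maven at deploy time,
          # so the secret values never land in a file in the workspace.
          server-id: ossrh             # assumption: must match <distributionManagement> in pom.xml
          server-username: MAVEN_USERNAME
          server-password: MAVEN_PASSWORD
          gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
          gpg-passphrase: MAVEN_GPG_PASSPHRASE

      - name: Set the release version from the dispatch input
        # The input is passed through an environment variable rather than
        # interpolated into the script, so a crafted version string cannot
        # inject shell commands into the runner.
        env:
          RELEASE_VERSION: ${{ inputs.version }}
        run: mvn -B versions:set -DnewVersion="$RELEASE_VERSION" -DgenerateBackupPoms=false

      - name: Build, sign and deploy the jars
        run: mvn -B deploy
        env:
          # A Sonatype user token (a generated username/password pair), not the
          # account password: it can be revoked on its own if a runner leaks it.
          # Secret names are assumptions.
          MAVEN_USERNAME: ${{ secrets.OSSRH_TOKEN_USERNAME }}
          MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN_PASSWORD }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
```

Two caveats a reviewer would raise on this shape: anyone allowed to run the workflow on a branch that contains it gets the job executed with those secrets, so the environment protection rules (required reviewers, allowed branches) are what actually gate the credentials, not the manual trigger itself; and in a real setup the third-party actions would be pinned to a commit SHA rather than a moving tag, since the action's code runs with access to the secrets.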

Thanks @yaronkaikov, ping @julienrf

guy9 avatar May 28 '24 04:05 guy9

@avelanarius @Lorak-mmk @yaronkaikov what are the next steps here? I guess it's just about token generation now, isn't it?

tarzanek avatar Jun 25 '24 11:06 tarzanek

Trying to gain access to https://docs.google.com/document/d/199P3h_p1Z8vNYvqHetl5mjIr7sAYqY_NDfJwejgbI-4/edit , asked @BorishuVS

yaronkaikov avatar Jun 25 '24 13:06 yaronkaikov

@tarzanek Can you merge this now?

yaronkaikov avatar Jul 08 '24 07:07 yaronkaikov

nope, we need @nyh , I lack access

tarzanek avatar Jul 08 '24 08:07 tarzanek

Merged (ab)using my super powers. Let me know if you need more assistance here / revert.

mykaul avatar Jul 08 '24 10:07 mykaul