-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DRAFT] Some rudimentary version of how releasing could work #188
base: main
Are you sure you want to change the base?
Conversation
scripts/release/README.md
Outdated
-v `pwd`:/scripts:ro \ | ||
-v ${HOME}/.gnupg/:/home/user/.gnupg/:ro -v /run/user/$(id -u)/:/run/user/$(id -u)/:ro \ | ||
-e BUILD_COMMIT=origin/main \ | ||
-e GPG_SIGNING_KEY=8DEF770BCFC57CEC83BF0410DC20AD935AC6CEF4 \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a real signing key?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a real id of an example key.
sbt sourceDistGenerate | ||
|
||
# sign source artifacts | ||
find target/dist -regex '.*\(tgz\|zip\)' | xargs -I{} sh -c "sha512sum {} > {}.sha512" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
newer versions (that already exist, but not yet uptaken here) produce the sha digests automatically
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will make a PR to update version now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the PR has been merged (see #195) so you don't need to worry about manually creating digests of the files.
sbt +publishSigned | ||
|
||
# generate and upload docs | ||
# TODO |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: new line here
This is more of a long term idea, but I always imagined using sbt-pgp directly rather than sbt-ci-release since sbt-pgp just wraps over gpg so there is no reason why it should have the same problems as sbt-ci-release. In fact I think in general sbt-ci-release is not really needed for pekko projects, the only functionality we use from it is sbt-dynver especially considering there is broad agreement on how to do a proper release which is not going to be via pushing a git tag. |
Here are some ideas how releasing could later work. It's far from finished.
In this setup, a docker image provides the base installation to use for building.
GPG keys are provided from the outside of the container by providing access to the host gpg-agent. Alternatively, we could provide keys similarly as
sbt-ci-release
does it by actually providing the secret as an environment value. Both options don't seem super compelling. The use ofgpg-agent
at least provides the possibility to also use smartcards/yubikeys for signing automatically.The setup of
gpg-agent
propagation to the docker container is right now quite brittle: