[DRAFT] Some rudimentary version of how releasing could work #188
Conversation
scripts/release/README.md
Outdated
| -v `pwd`:/scripts:ro \ | ||
| -v ${HOME}/.gnupg/:/home/user/.gnupg/:ro -v /run/user/$(id -u)/:/run/user/$(id -u)/:ro \ | ||
| -e BUILD_COMMIT=origin/main \ | ||
| -e GPG_SIGNING_KEY=8DEF770BCFC57CEC83BF0410DC20AD935AC6CEF4 \ |
There was a problem hiding this comment.
This is a real id of an example key.
| sbt sourceDistGenerate | ||
|
|
||
| # sign source artifacts | ||
| find target/dist -regex '.*\(tgz\|zip\)' | xargs -I{} sh -c "sha512sum {} > {}.sha512" |
There was a problem hiding this comment.
newer versions (that already exist, but not yet uptaken here) produce the sha digests automatically
There was a problem hiding this comment.
I will make a PR to update version now.
There was a problem hiding this comment.
So the PR has been merged (see #195) so you don't need to worry about manually creating digests of the files.
| sbt +publishSigned | ||
|
|
||
| # generate and upload docs | ||
| # TODO |
This is more of a long term idea, but I always imagined using sbt-pgp directly rather than sbt-ci-release since sbt-pgp just wraps over gpg so there is no reason why it should have the same problems as sbt-ci-release. In fact I think in general sbt-ci-release is not really needed for pekko projects, the only functionality we use from it is sbt-dynver especially considering there is broad agreement on how to do a proper release which is not going to be via pushing a git tag. |
Here are some ideas how releasing could later work. It's far from finished.
In this setup, a docker image provides the base installation to use for building.
GPG keys are provided from the outside of the container by providing access to the host gpg-agent. Alternatively, we could provide keys similarly as
sbt-ci-releasedoes it by actually providing the secret as an environment value. Both options don't seem super compelling. The use ofgpg-agentat least provides the possibility to also use smartcards/yubikeys for signing automatically.The setup of
gpg-agentpropagation to the docker container is right now quite brittle: