At the moment, this release process only covers the `sigstore-java` library.
Use the action "Tag and Build Release" with the version (ex `0.5.3`) to create a new release on github. It will
- tag `main` (or a branch) with `v0.5.3`
- create a new release with name `v0.5.3` containing
  - all `sigstore-java` artifacts
  - a slsa attestation for the release build
  - all
If a release build fails for any reason or the resulting artifacts are not as expected, you must clean up any tags or releases created during the action.
The local release script requires you to have `cosign` and `gpg` installed. It
- downloads the latest release from github (ex `v0.5.3`)
- signs all artifacts (except the slsa attestation) with cosign
- signs everything with gpg to satisfy maven central
- bundles all the files into `sigstore-java-0.5.3-bundle.jar`

```
$ cd ./scripts
$ ./sign_and_bundle_release.sh
```
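Because the upload that follows cannot be reverted, it is worth checking the signed release directory before bundling it. The script below is an added example, not the project's `sign_and_bundle_release.sh`; it assumes cosign signatures sit beside each artifact as `<file>.sig`, gpg signatures as `<file>.asc`, and that the slsa attestation is named `*.intoto.jsonl` (all assumed names, not taken from the release process).

```shell
#!/bin/sh
# Added example (not project code). Pre-bundle check for a release directory:
# every artifact needs a cosign signature (<file>.sig) and a gpg signature
# (<file>.asc); the slsa attestation (assumed name *.intoto.jsonl) is gpg-only,
# matching the "except slsa attestation" rule of the local release script.
# Prints each missing signature and returns 1 if anything is missing, else 0.
check_release_signatures() {
  dir="$1"
  missing=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.sig|*.asc|*.pem) continue ;;     # signature/cert files are not artifacts
    esac
    case "$f" in
      *.intoto.jsonl) ;;                 # slsa attestation: no cosign signature expected
      *) [ -f "$f.sig" ] || { echo "missing cosign signature: $f"; missing=1; } ;;
    esac
    [ -f "$f.asc" ] || { echo "missing gpg signature: $f"; missing=1; }
  done
  return "$missing"
}

# Constructed sample release tree (placeholder contents, not real artifacts)
# so the check can be exercised offline.
make_sample_release() {
  d="$1"
  mkdir -p "$d"
  for a in sigstore-java-0.5.3.jar sigstore-java-0.5.3.pom; do
    echo "sample artifact" > "$d/$a"
    echo "sample cosign sig" > "$d/$a.sig"
    echo "sample gpg sig" > "$d/$a.asc"
  done
  echo "sample attestation" > "$d/sigstore-java-0.5.3.intoto.jsonl"
  echo "sample gpg sig" > "$d/sigstore-java-0.5.3.intoto.jsonl.asc"
}

# Usage: ./check_release.sh <release-dir>   (only runs when a directory is given)
if [ "$#" -gt 0 ]; then
  check_release_signatures "$1"
fi
```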
Releasing to maven central is a permanent action; it cannot be reverted.
Upload the bundle:
- Log into sonatype (s01)
- Click "Staging Upload" on the left navbar
- Set "Upload Mode" to "Artifact Bundle"
- Then select the `sigstore-java-0.5.3-bundle.jar` that was generated by `sign_and_bundle_release.sh`
- Click "Upload Bundle"
Release the bundle:
- Click "Staging Repositories" on the left navbar
- Select your artifact and ensure all checks have passed
- Click "release"
- If checks are failing, "drop" the bundle and fix the release process