Hi Chris, Thank you for your message and I apologize if my report did not include all the details of the case. I probably took some information for granted, my fault.
Before enabling writes on the GitHub repository, the release process was based on Python scripts requiring SVN write permissions and a Windows environment. Those scripts had to be executed manually from the laptop of the release manager (Karl Wright). Then we started to consider a different release process after enabling read-only mode on SVN, and I raised a specific ticket with INFRA [1] about this, asking to eventually use a GPG key as a service account in our GitHub Workflows. This is because I saw other Apache projects following a similar approach, and you can also see that Daniel Gruno confirmed this in the ticket.

Considering that we now have GitHub with read and write access and SVN in read-only mode (I mean in the current state, without GPG keys), we don't have any script or documented procedure for doing releases. The GitHub workflows are complete, but only if a GPG key is available in the GitHub repository. If it is not possible to automate everything in GitHub workflows, we can refactor them in order to require a manual step for publishing all the artifacts. But at the moment it's not clear to me what to do to finalize the new release process, because the Apache Security Team didn't give us any more feedback.

Maybe the updated work on these workflows being on a separate branch is a little bit confusing for everyone; I could eventually merge all the recent changes into the main trunk.

Please let us know what you think. Thank you again for your support.

Cheers,
PG

[1] - https://issues.apache.org/jira/browse/INFRA-25665

On Tue, 20 Aug 2024 at 09:09, Christofer Dutz <[email protected]> wrote:
> Hi all,
>
> while reading your current board report, I came across the problem with
> using GPG keys on GitHub Actions. You mentioned that till that's resolved,
> you're stuck doing releases.
>
> May I ask why?
>
> All other projects have no issues with releasing without GitHub Actions.
> Also, I do see quite a risk here in uploading a person's GPG key to a machine
> we have no control over.
>
> Chris

-- 
Piergiorgio
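The manual publishing step discussed above (CI builds the artifacts, the release manager checksums and signs them locally so a personal GPG key is never uploaded to a runner) can look like the following. This is an added example, not the project's own release scripts or workflows: the artifact directory, the key id and the file names are assumptions, and the functions are meant to be sourced and run on the release manager's own machine.

```shell
#!/bin/sh
# Added example of the local signing step; not the project's release tooling.
# Assumptions: artifacts (*.tar.gz, *.zip) are in the directory passed as $1,
# and $2 is the release manager's own GPG key id. The key stays on the laptop.
set -eu

# sha512sum on GNU systems, shasum on macOS; same output format.
sha512_tool() {
  if command -v sha512sum >/dev/null 2>&1; then sha512sum "$@"; else shasum -a 512 "$@"; fi
}

# Write <artifact>.sha512 beside every artifact (Apache release convention).
write_checksums() {
  dir=$1
  for f in "$dir"/*.tar.gz "$dir"/*.zip; do
    [ -f "$f" ] || continue
    ( cd "$dir" && sha512_tool "$(basename "$f")" > "$(basename "$f").sha512" )
  done
}

# Re-check every .sha512 in the directory; returns 1 on the first mismatch.
verify_checksums() {
  dir=$1
  ( cd "$dir" && for s in *.sha512; do
      [ -f "$s" ] || continue
      sha512_tool -c "$s" >/dev/null 2>&1 || return 1
    done )
}

# Detached, ASCII-armored signature (<artifact>.asc) with the given key.
# --local-user selects the key; --batch --yes overwrites stale .asc files.
sign_artifacts() {
  dir=$1; keyid=$2
  for f in "$dir"/*.tar.gz "$dir"/*.zip; do
    [ -f "$f" ] || continue
    gpg --batch --yes --local-user "$keyid" --armor --detach-sign \
        --output "$f.asc" "$f"
  done
}

# Verify every signature against its artifact before anything is uploaded.
verify_signatures() {
  dir=$1
  for a in "$dir"/*.asc; do
    [ -f "$a" ] || continue
    gpg --batch --verify "$a" "${a%.asc}" >/dev/null 2>&1 || return 1
  done
}

# Usage (hypothetical paths/key): after downloading the CI build artifacts
#   write_checksums ./release-1.0 && sign_artifacts ./release-1.0 0xDEADBEEF \
#     && verify_checksums ./release-1.0 && verify_signatures ./release-1.0
```

Because signing happens after the workflow has finished, the workflow itself needs no secret at all; it only builds and publishes unsigned artifacts plus (optionally) the checksums, and the signatures produced here are uploaded in the manual step together with the public key from the project's KEYS file.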
