Hello everyone, I'm starting this thread to discuss whether it's possible to fully automate the OpenDAL release process.
Goal
The Release Manager no longer needs to handle tedious tasks. CI will manage artifact signing and SVN uploads.
Committers no longer need to perform manual verifications. CI will handle all verification steps within the release workflow.
The community no longer needs to wait 72 hours. OpenDAL PMC members should review the CI verification source code and logs to cast their votes. Once three votes are collected, the Release Manager can push the official tag.
For each release, the following steps are required:
The Release Manager should push SOME RC tags and ONE release tag, with no additional actions.
The Committer should review ONE verification code and logs to cast ONE vote, with no further actions.
The verification log will be saved and uploaded to the GitHub release as part of the release for future reference.
Implementation
Most of the work will take place in CI, with details not elaborated here. Most of it is simply implementation.
To make this possible, we will need a dedicated SVN account to carry out the upload process on behalf of the OpenDAL community.
We will not depend on GPG key signing. Instead, we will integrate with Sigstore and mechanisms like GitHub Artifact Attestations to make sure the artifacts are not changed.
Users are assured that these artifacts are produced by our workflow.
Users can visit our provenance through a public registry.
Users can verify our releases using tools like Sigstore or gh.
All of this ensures we provide better guarantees than a simple GPG signature.
Context
Inspired by my post: What did ASF do wrong?
The OpenDAL PMC is the first PMC to undertake such experimentation.
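As an added illustration of the user-side verification step the proposal describes (checking a downloaded artifact against its GitHub Artifact Attestation with the gh CLI), here is a small POSIX shell script. It is example code, not part of the discussion above or of the OpenDAL project; the repository slug and the signing-workflow path are assumptions, and the workflow path in particular is a placeholder that a real release process would replace.

```shell
#!/bin/sh
# Added example (not from the OpenDAL discussion or project): verify a downloaded
# release artifact against its GitHub Artifact Attestation using the gh CLI.
# Assumptions: attestations are published for the apache/opendal repository, and
# SIGNER_WORKFLOW is a placeholder for the workflow that actually signs releases.
set -eu

OPENDAL_REPO="${OPENDAL_REPO:-apache/opendal}"
# Placeholder path: the page does not name the release workflow file.
SIGNER_WORKFLOW="${SIGNER_WORKFLOW:-apache/opendal/.github/workflows/release.yml}"

# Print the sha256 digest of a file. Attestation subjects are keyed by sha256,
# so this is the value the verifier compares against the signed statement.
artifact_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Verify one artifact. Succeeds only if gh finds a Sigstore-backed attestation
# for this exact digest that was produced by the expected repository and workflow.
verify_release_artifact() {
    artifact="$1"
    [ -f "$artifact" ] || { echo "missing artifact: $artifact" >&2; return 1; }
    echo "sha256($artifact) = $(artifact_digest "$artifact")"
    gh attestation verify "$artifact" \
        --repo "$OPENDAL_REPO" \
        --signer-workflow "$SIGNER_WORKFLOW"
}

# Usage: sh verify.sh <downloaded-release-artifact>
if [ "${1:-}" != "" ]; then
    verify_release_artifact "$1"
fi
```

Pinning `--signer-workflow` is the important part: it ties the check to the identity of the release workflow rather than only to the repository, so an attestation produced by some other workflow in the same repository would not pass.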