ci: Add Docker publishing workflows and documentation for ASF releases #18
Conversation
adityamparikh
changed the title
|
Thanks @adityamparikh... So, I suspect this is one of those changes that is tougher in the sense of we are interacting with ASF processes. So don't get frustrated ;-). Now, I haven't done a docker deployment process. Does this process mirror what we have in https://github.com/apache/solr-docker ??? |
|
From Claude's Review: The release process in this Solr MCP repository does not directly mirror the Apache Solr Docker repository, though both follow Apache Software Foundation (ASF) requirements. Here are the key findings: Similarities (ASF Compliance)
Major Differences Build System
Release Automation
Publishing Strategy
Dockerfile Management
Conclusion
The documentation structure and ASF compliance suggest the team studied Apache release requirements but created their own workflow suited to the project's needs rather than directly mirroring Solr Docker's process. |
janhoy
left a comment
janhoy
left a comment
There was a problem hiding this comment.
AI code tools are great, but I feel better discussing with a human than a raw AI output, there is always some level of noise in those reponses.
I have not reviewed the entire PR. So I just add some preliminary comments here. Some nice GH Action use for the release process, I like that.
| description: 'Release version (e.g., 1.0.0)' | ||
| required: true | ||
| type: string | ||
| # Which release candidate was approved (used to check out the exact tag) |
There was a problem hiding this comment.
The indentation of the comments are confusing, should be in line with the block below
|
|
||
| 1. Contact ASF INFRA for setup requirements | ||
| 2. Enable in release workflow with `sign_with_asf_infra: true` | ||
| 3. Signatures will be automatically applied to artifacts |
There was a problem hiding this comment.
Here is the description from INFRA about using GitHub actions for signing artifacts: https://infra.apache.org/release-signing.html#automated-release-signing
First we need to assess whether this repo qualifies, where the crucial part is reproducible builds. If it does, the release process must include a reproduction of the same artifacts (with same SHA) on developer's hardware. Etc. Once we feel all boxes are checked we can file an INFRA Jira issue to apply for signing secret to be deployed to the proejct.
There was a problem hiding this comment.
Do we think that going down the https://news.apache.org/foundation/entry/apache-trusted-releases-platform-begins-second-alpha is a rat hole? It would be nice if we don't need to do the "developer's hardware" step....
There was a problem hiding this comment.
Here is the description from INFRA about using GitHub actions for signing artifacts: https://infra.apache.org/release-signing.html#automated-release-signing
First we need to assess whether this repo qualifies, where the crucial part is reproducible builds. If it does, the release process must include a reproduction of the same artifacts (with same SHA) on developer's hardware. Etc. Once we feel all boxes are checked we can file an INFRA Jira issue to apply for signing secret to be deployed to the proejct.
gradle build will produce reproducible jars and the jib plugin will produce reproducible docker images.
https://github.com/apache/solr-mcp/pull/18/files#diff-c6d47dacf31662f6791d0cf218b1d34ee0ab48348c037819431cdd40e3fc23e4R163
has placeholder for automated release signing which will have to be implemented.
There was a problem hiding this comment.
It says that all projects are eligible for joining the 2nd Alpha of the ATR. Since we already have reproducible build, this could be interesting. The ATR project aims to automate everyting, voting and convenience binary distribution to various package repos, probably also Docker further down the road. For now it seems like it will handle the release process itself and let you download the artifact for manual release at the end.
To me it looks like requesting a "Github actions" signing key option is different from joining Apache-Trusted-Releases alpha. Perhaps even possible to combine?
There was a problem hiding this comment.
do we need anyone else's inputs or suggestions in order to proceed?
There was a problem hiding this comment.
They are discussing adding a new github action to publish artifacts to ATR https://the-asf.slack.com/archives/C049WADAAQG/p1762958477034239?thread_ts=1762950994.138959&cid=C049WADAAQG
Perhaps you can float a dev@ [DISCUSS] list thread outlining the proposed release procedure and mention that we consider ATR with CI signing. Then we'll have some broader decision on what to do before starting to apply or order stuff from INFRA.
| run: | | ||
| # Also publish to GitHub Container Registry | ||
| ./gradlew jib \ | ||
| -Djib.to.image=ghcr.io/${{ github.repository_owner }}/solr-mcp:${{ inputs.release_version }} \ |
There was a problem hiding this comment.
If we're anyway publishing nightlies to hub, is there a particular benefit of also using ghcr?
There was a problem hiding this comment.
If we have established process around publishing to one or the other, we can follow the same here. Publishing release gives options to make it available where the users are able to access and keeping nightly releases to only one.
|
I don't have a lot of expertise in Docker builds. It looks like the model in |
|
Solr was early with docker image without a prefix (org), that's why that workflow is special, and the solr image is built on Docker's infrastructure and is auto refreshed by them. But they don't allow new images in, and frankly an If we want to re-build once in a while to take advantage of newer base image, we could perhaps setup a scheduled workflow every Sunday or something that will check if upstream has any changes, and if so, re-build and re-publish the image. Preferences vary here, since that violates the immutable tag principle. But users can shield themselves from such changes by pinning SHA. Not a priority anyway. |
Thanks for the back story on the Solr docker image. I think that rebuilding for newer base image is probably overkill for what this project does... Plus, hopefully it's an active project and has periodic releases to pick up the new releases. --> I am also always nervous about adding more build tooling then we can feasibly support! |
|
@epugh @janhoy I created Jira ticket for Infra to get signing key https://issues.apache.org/jira/browse/INFRA-27404 |
… and nightlies path; mark Docker images as convenience binaries; update MCP label snippet; extend release checklist and policy notes
…agement, nightly builds, and publishing steps
adityamparikh
force-pushed
the
docs/release-process-clarifications
branch
from
36cfd48 to
0a6d6cd
Compare
3 participants
.github/workflows/nightly-build.yml: Automated nightly buildsapache/solr-mcp-nightlyon Docker Hub.github/workflows/release-publish.yml: Official release workflowapache/solr-mcpwith semantic versioningDocumentation
DOCKER_PUBLISHING.md: Complete Docker publishing guideGitHub workflows modified using Claude to address #15 (comment)