Revise the releasing guide (#24)

In particular, don't advocate putting passwords in config files.
swankjesse committed Aug 13, 2019
1 parent 0f8fb57 commit 53793fa3691f5836fb5ba3d73022cf6a641b4471
Showing with 70 additions and 40 deletions.
  1. +70 −40 docs/releasing.md
@@ -1,6 +1,63 @@
Releasing
=========

### Prerequisite: Sonatype (Maven Central) Account

Create an account on the [Sonatype issues site][sonatype_issues]. Ask an existing publisher to open
an issue requesting publishing permissions for `app.cash` projects.

### Prerequisite: GPG Keys

Generate a GPG key (RSA, 4096 bit, 3650 day) expiry, or use an existing one. You should leave the
password empty for this key.

```
$ gpg --full-generate-key
```

Upload the GPG keys to public servers:

```
$ gpg --list-keys --keyid-format LONG
/Users/johnbarber/.gnupg/pubring.kbx
------------------------------
pub rsa4096/XXXXXXXXXXXXXXXX 2019-07-16 [SC] [expires: 2029-07-13]
YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
uid [ultimate] John Barber <jbarber@cash.app>
sub rsa4096/ZZZZZZZZZZZZZZZZ 2019-07-16 [E] [expires: 2029-07-13]
$ gpg --send-keys --keyserver keyserver.ubuntu.com XXXXXXXXXXXXXXXX
```

### Prerequisite: Gradle Properties

Define publishing properties in `~/.gradle/gradle.properties`:

```
signing.keyId=1A2345F8
signing.password=
signing.secretKeyRingFile=/Users/jwilson/.gnupg/secring.gpg
```

`signing.keyId` is the GPG key's ID. Get it with this:

```
$ gpg --list-keys --keyid-format SHORT
```

`signing.password` is the password for this key. This might be empty!

`signing.secretKeyRingFile` is the absolute path for `secring.gpg`. You may need to export this
file manually with the following command where `XXXXXXXX` is the `keyId` above:

```
$ gpg --keyring secring.gpg --export-secret-key XXXXXXXX > ~/.gnupg/secring.gpg
```


Cutting a Release
-----------------

1. Update `CHANGELOG.md`.

2. Set versions:
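Review bot: The GPG prerequisite's "You should leave the password empty for this key" leaves the release signing key unprotected at rest: with the blank `signing.password=` line and the exported `~/.gnupg/secring.gpg`, anyone who can read that one file can sign `app.cash` artifacts. That sits oddly with the commit's aim of keeping secrets out of config files. Suggest recommending a passphrase and supplying it at release time rather than storing it, the same way the Sonatype password is handled, and adding `chmod 600 ~/.gnupg/secring.gpg` after the export command. Minor: in "(RSA, 4096 bit, 3650 day) expiry" the closing parenthesis belongs after "expiry", and the sample paths alternate between `/Users/johnbarber` and `/Users/jwilson`.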
@@ -10,7 +67,14 @@ Releasing
export NEXT_VERSION=X.Y.Z-SNAPSHOT
```

3. Update, build, and upload:
3. Set environment variables with your [Sonatype credentials][sonatype_issues].

```
export SONATYPE_NEXUS_USERNAME=johnbarber
export SONATYPE_NEXUS_PASSWORD=`pbpaste`
```

4. Update, build, and upload:

```
sed -i "" \
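Review bot: The `pbpaste` line in the new step 3 is macOS-only and leaves the password exported to every child process of that shell, and sitting in the clipboard, after the upload has finished. Suggest a prompt that works in any shell, such as `read -rs SONATYPE_NEXUS_PASSWORD && export SONATYPE_NEXUS_PASSWORD`, and an `unset SONATYPE_NEXUS_USERNAME SONATYPE_NEXUS_PASSWORD` line once step 4 completes, plus a reminder to clear the clipboard if it was used.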
@@ -22,9 +86,10 @@ Releasing
./gradlew clean uploadArchives
```

4. Visit [Sonatype Nexus](https://oss.sonatype.org/) to promote (close then release) the artifact. Or drop it if there is a problem!
5. Visit [Sonatype Nexus][sonatype_nexus] to promote (close then release) the artifact. Or drop it
if there is a problem!

5. Tag the release, prepare for the next one, and push to GitHub.
6. Tag the release, prepare for the next one, and push to GitHub.

```
git commit -am "Prepare for release $RELEASE_VERSION."
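Review bot: Step 5's "Or drop it if there is a problem!" does not say what to look for before releasing, and an artifact released to Maven Central cannot be withdrawn afterwards. Suggest listing the checks to make on the closed staging repository, such as the expected version number and a `.asc` signature file beside each artifact.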
@@ -36,40 +101,5 @@ Releasing
git push && git push --tags
```


Prerequisites
-------------

Generate a GPG key (RSA, 4096 bit, 3650 day) expiry, or use an existing one.
```
$ gpg --full-generate-key
```

Upload the GPG keys to public servers

```
$ gpg --list-keys --keyid-format LONG
/Users/johnbarber/.gnupg/pubring.kbx
------------------------------
pub rsa4096/XXXXXXXXXXXXXXXX 2019-07-16 [SC] [expires: 2029-07-13]
YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
uid [ultimate] John Barber <jbarber@cash.app>
sub rsa4096/ZZZZZZZZZZZZZZZZ 2019-07-16 [E] [expires: 2029-07-13]
$ gpg --send-keys --keyserver keyserver.ubuntu.com XXXXXXXXXXXXXXXX
```

In `~/.gradle/gradle.properties`, set the following:

* `SONATYPE_NEXUS_USERNAME` - Sonatype username for releasing to `app.cash`.
* `SONATYPE_NEXUS_PASSWORD` - Sonatype password for releasing to `app.cash`.
* `signing.keyId` - key ID for GPG key. Example: `1A2345F8`. Get with the following command:
```
$ gpg --list-keys --keyid-format SHORT
```
* `signing.password` - password for GPG key, recommended to be empty.
* `signing.secretKeyRingFile` - absoluate file path for `secring.gpg`. Example: `/Users/johnbarber/.gnupg/secring.gpg`.
* You may need to export this file manually with the following command where `XXXXXXXX` is the same `keyId` as above:
```
$ gpg --keyring secring.gpg --export-secret-key XXXXXXXX > ~/.gnupg/secring.gpg
```
[sonatype_issues]: https://issues.sonatype.org/
[sonatype_nexus]: https://oss.sonatype.org/
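Review bot: Nothing in the revised guide tells publishers who followed the removed Prerequisites section to delete `SONATYPE_NEXUS_USERNAME` and `SONATYPE_NEXUS_PASSWORD` from `~/.gradle/gradle.properties`, so the password this commit wants out of config files stays there on existing machines. Suggest a one-line migration note next to the new "Prerequisite: Gradle Properties" section asking existing publishers to remove those two entries.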
