QFJ-846 : Upload release to Maven/Sonatype

[lburgazzoli]

To deploy to Sonatype OSS :

mvn clean deploy -Prelease

Maven settings:

<settings>

  <servers>
    <server>
      <id>ossrh</id>
      <username>sonatypeUsr</username>
      <password>sonatypePwd</password>
    </server>
  </servers>

  <profiles>
    <profile>
      <id>props</id>
      <activation>
          <activeByDefault>true</activeByDefault>
      </activation>
      <properties>
        <gpg.keyname>gpgkey</gpg.keyname>
        <gpg.homerdir>/home/yourUser/.gnupg</gpg.homerdir>
        <gpg.passphrase>gpgpass</gpg.passphrase> 
      </properties>
    </profile>

</settings>

I've used my OSSRH account for the moment but the best would be to create a dedicated account for bamboo/travis builds so snapshots can be automatically uploaded to Sonatype OSS .

[chrjohn]

Thanks. Just a question out of curiosity: can anybody with a Sonatype OSS account publish snapshots for QFJ now? Or can this be restricted somehow?

[lburgazzoli]

At the moment only my sonatype account can publish quickfixj artifacts , I need to grant other people so I'm not the only one that can do so :-)

If you have a list of sonatype accounts that should have such grant let me know and I'll grant them.

[chrjohn]

I have created an account "qfjdeployment".
Thanks :)

[chrjohn]

Is there a reason why you reverted maven-compiler-plugin from 3.3 to 2.2?

[lburgazzoli]

no reason, should be a mistake wile merging from master, I will update the PR

[lburgazzoli]

OSSRH Permissions JIRA : https://issues.sonatype.org/browse/OSSRH-19686

[chrjohn]

Is the GPG signing required? Build is giving me errors:

build 29-Dec-2015 23:12:07 [INFO] --- maven-gpg-plugin:1.6:sign (sign-artifacts) @ quickfixj-parent ---
build 29-Dec-2015 23:12:07 gpg: no default secret key: No secret key
build 29-Dec-2015 23:12:07 gpg: signing failed: No secret key

Edit: if I understood correctly I only need signing for release. For snapshots this is not required?

[lburgazzoli]

Yes it should only be required for releases, for snapshot it is optional.

You can skip it with -Dgpg.skip=true for the moment, let me have a look tomorrow on how this can be automated.

[lburgazzoli]

#56 should fix this

[chrjohn]

I tested locally and upload works. I could not get it to work with the Bamboo server because somehow it puts spaces into the command line options and hence cannot find the settings.xml. I have asked the Bamboo admins to put the file into the .m2 directory on the server.
Thanks

[chrjohn]

Upload via Bamboo is working now.

[lburgazzoli]

Great, would it be possible to back port it to 1.6.x and do a release to maven central ? So we can also test if release works properly

[chrjohn]

I assume you mean Sonatype instead of Maven central? Because I did not make any config for Maven central. Or is this the same as Sonatype?

Edit: Regarding backport: I just did this and a snapshot upload worked. Will try to do a release later this week. Need to merge some smaller code changes...

Edit-2: I just noticed that the distribution zip file is now about 60MB larger than before. The JAR files are included twice now. One time with their normal name and one time with a timestamp added to the file name. Do you have any idea what causes this? This wasn't the case when you first uploaded the files to Sonatype on 18th December.

Cheers

[lburgazzoli]

If you do a release with version not ending with SNAPSHOT, the artifact will be uploaded to Sonatype staging area then to Maven central when you promote it (the plugin should do it automatically btw).

About the larger distribution, I think it has downloaded a version from sonatype, I need to investigate it
Edit: it may be solved with mvn clean install deploy -Prelease

Edit: distribution can be skipped but I need to create a dummy module or the nexus plugin would fail (see NEXUS-9138)

[chrjohn]

Sorry, another question before I do the release: I am not familiar with the nexus plugin. But I need to manually alter the POMs to change the version to e.g. "1.6.2" (without SNAPSHOT)? That is not something that is done automatically when using the "release" profile?

[lburgazzoli]

It doesn't with the current setup.

If you want a fully automated solution I/you need to add the maven-release-plugin which I've not included to avoid any issues with tags and so on.

A release can be done by:

mvn versions:set -DnewVersion=1.2.3
mvn clean install deploy -Prelease,sign

If you want me to add it, let me know.

[chrjohn]

Hi, no need to add it at the moment. Just was asking. ;)
Thanks for your help so far.

[chrjohn]

Oh another question about the "sign". I remember that it failed at first (#55 (comment)) . So I guess I'll have to generate some keys beforehand?

[lburgazzoli]

Yes, each artifact on maven central needs to be signed

http://central.sonatype.org/pages/apache-maven.html#gpg-signed-components

After a successfully manual release, we can add the maven-release-plugin so
you can create a specific bamboo task to do a release.you can trigger
manually.

On Tue, Jan 5, 2016 at 3:38 PM, Christoph John notifications@github.com
wrote:

Oh another question about the "sign". I remember that it failed at first (#55
(comment)
#55 (comment))
. So I guess I'll have to generate some keys beforehand?

—
Reply to this email directly or view it on GitHub
#55 (comment).

[chrjohn]

OK, I see. I'll have to talk to the Bamboo admin to check if gpg is installed and to generate the keys.

[chrjohn]

Hi @lburgazzoli , I am currently trying to build a release on my local machine. Looking good so far.
Automation via Bamboo can be done in a later step, as you suggested.
Thanks for your help and effort. :)

Cheers