Release Process

Rob Winch edited this page Jan 8, 2020 · 27 revisions

For Versions 5+

Perform a Milestone, RC or GA Release

NOTE: This release process uses the spring-build-conventions gradle plug-in.

Process Overview

  1. Update dependencies
  2. Update release version
  3. Build Locally
  4. Push the release commit
  5. Announce the release on Slack
  6. Tag the release
  7. Update to next development version
  8. Update version on project page
  9. Update Release Notes on GitHub
  10. Close / Create Milestone
  11. Announce the release on other channels

Detailed Steps

1. Update dependencies

If you are on master, use 1.b; otherwise use 1.a.

1.a Updating Manually

  • Dependencies are declared in gradle/dependency-management.gradle
  • Update Spring Framework and Spring Data at a minimum
  • Then find dependencies that need updating by running the update-dependencies.sh script:
./scripts/update-dependencies.sh

Prerequisites: The build directory has to exist to store the file build/updates.txt. This directory gets created when a new build is run, but is not present on a fresh git clone.

1.b Lock Dependencies

Master is set up to use Gradle dependency locking and version ranges so builds automatically take advantage of the latest dependencies. To ensure releases are reproducible, we must lock the dependencies before a release.

To lock the dependencies execute:

./gradlew writeLocks --write-locks

This writes out all the resolved versions. Run the build. If it passes, commit the changes.

2. Update release version

  • Update the version number in gradle.properties for the release, for example, 5.1.0.M1, 5.1.0.RC1, 5.1.0.RELEASE

3. Build Locally

  • Run the build locally with:
./gradlew check

4. Push the release commit

  • Push the release commit and Jenkins will build and deploy the artifacts
  • If you are pushing to Maven Central, then you can get notified when it's uploaded by running the following:
./scripts/release/wait-for-done.sh 5.2.0.RELEASE

5. Announce the release on Slack

  • Announce via Slack on #spring-security, including the keyword spring-security-release in the message. Something like:
spring-security-release 5.2.0.RC1 is out!

6. Tag the release

  • Tag the release and then push the tag
git tag 5.2.0.RC1
git push origin 5.2.0.RC1
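
A preflight check for steps 2 to 6, as an added example that is not part of the original page or the project's scripts: it refuses to proceed unless the version in gradle.properties is a release version, the tag matches it, and any lock files from 1.b pin every dependency. The "version=" property line and the gradle/dependency-locks directory are assumptions about the repository layout.

```bash
#!/usr/bin/env bash
# Added example (not project code): preflight to run before `git tag` in step 6.
# Assumptions: gradle.properties holds a "version=..." line, and lock files from
# step 1.b are Gradle *.lockfile files under gradle/dependency-locks.

# Print the version declared in a gradle.properties file.
release_version() {
  sed -n 's/^version[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r'
}

# Succeed only for the forms named in step 2: X.Y.Z.M<n>, X.Y.Z.RC<n>, X.Y.Z.RELEASE.
is_release_version() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.(M[0-9]+|RC[0-9]+|RELEASE)$'
}

# Print lock entries that are not pinned to one fixed version: snapshots,
# dynamic versions ("+", "latest.*") and ranges such as "[5.2,6.0)".
unpinned_locks() {
  [ -d "$1" ] || return 0
  find "$1" -name '*.lockfile' -exec cat {} + |
    awk -F: '!/^#/ && NF >= 3 {
      v = $3; sub(/=.*/, "", v)   # drop a trailing "=configurations" suffix
      if (v ~ /SNAPSHOT|\+|^latest\.|\[|\]|\(|\)|,/) print
    }'
}

# preflight <repo-dir> <tag>: return 0 only if the tree is fit to be tagged.
preflight() {
  local repo="$1" tag="$2" version bad
  version=$(release_version "$repo/gradle.properties")
  if ! is_release_version "$version"; then
    echo "gradle.properties version '$version' is not a release version" >&2
    return 1
  fi
  if [ "$version" != "$tag" ]; then
    echo "tag '$tag' does not match gradle.properties version '$version'" >&2
    return 1
  fi
  bad=$(unpinned_locks "$repo/gradle/dependency-locks")
  if [ -n "$bad" ]; then
    printf 'unpinned lock entries:\n%s\n' "$bad" >&2
    return 1
  fi
  echo "ok: $version"
}

# Usage: ./preflight.sh <repo-dir> <tag>
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run from the repository root with the tag you are about to create, for example `./preflight.sh . 5.2.0.RC1`, and only tag when it exits 0.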

7. Update to next development version

  • Update release version to next BUILD-SNAPSHOT version and then push
  • If dependency locks (1.b) were used, revert the commit that included the lock files so that the build uses the latest versions again.

8. Update version on project page

9. Update Release Notes on GitHub

  • Download the release notes generator
wget https://github.com/spring-io/github-release-notes-generator/releases/download/v0.0.2/github-release-notes-generator.jar
  • Generate the release notes
java -jar github-release-notes-generator.jar \
    --releasenotes.github.organization=spring-projects \
    --releasenotes.github.repository=spring-security \
    --spring.config.location=scripts/release/release-notes-sections.yml \
    $MILESTONE release-notes

Note 1: $MILESTONE is something like 5.2.1 or 5.3.0.M1.
Note 2: The location scripts/release/release-notes-sections.yml is relative to the spring-security repo.
Note 3: This will create a file on your filesystem called release-notes.

  • Copy the release notes to your clipboard (your mileage may vary with the following command)
cat release-notes | xclip -selection clipboard
  • Create the release on GitHub, associate it with the tag, and paste the generated notes

10. Close / Create Milestone

  • In GitHub Milestones, create a new milestone for the next release version
  • Move any open issues from the existing milestone you just released to the new milestone
  • Close the milestone for the release.

11. Announce the release on other channels

For Spring Security 4.2.x

Latest Build

  • Click the arrow on the left hand side below the details

Left-hand Arrow

  • Click on Default Job

Default Job Link

  • Click on Artifactory Release & Promotion

Artifactory Release & Promotion Link

  • Fill out the form with the correct values. Use the screenshot below for an example

Staging Release Configuration

  • Click Build and Release to Artifactory
  • A build will start for the release. When it completes (it will have "Manual run by ..." next to it), click on the build number

Build Completed

  • Click on Artifactory Release & Promotion again
  • Fill out the form for the release

Release form

  • Click Update. Wait for it to complete.

Release Promotion completed

  • Click on Artifactory Build Info
  • Invoke the scripts in scripts/release/ with the necessary arguments to release. Get all the secrets from LastPass
$ ./scripts/release/push-to-spring-distributions.sh $BUILD_NUMBER_FROM_BAMBOO
$ ./scripts/release/sync-to-central.sh $RELEASE_VERSION $BINTRAY_API_KEY $SONATYPE_USER_TOKEN $SONATYPE_TOKEN_PWD
$ ./scripts/release/wait-for-done.sh $RELEASE_VERSION

You will get a notification when the release is done.

NOTE: wait-for-done only works if you have spd-say installed.