feat: publish to Sonatype OSSRH#102
Conversation
|
Consider that after this PR is merged, then immediately the first deployment to Sonatype OSSRH will start and the first version |
|
Hey @davisusanibar, can you rebase? |
|
Hey @davisusanibar , a couple things here. The doc at least looks like it is double releasing (to github and ossrh). Let's not do that. Additionally, we should automate the movement from stage to release. Some info here about this: https://issues.sonatype.org/browse/OSSRH-48410 Will look at the detail soon... |
I could recommend initially to send only to staging, after we test if the library is working and all is ok we could send another PR to publish automatically. Please let me know how do we could proceed? |
Ohh I just see your point, ... that sound really interesting, ...let me check about how do we could automate , thanks! |
|
Hi @jacques-n I have a doubt about Consider:
a.) Create the release on staging Request:
{
"data": {
"description": "io.substrait:substrait:1.2.4"
}
}
Response:
{
"data": {
"stagedRepositoryId": "io.substrait-1041",
"description": "io.substrait:substrait:1.2.4"
}
}Problem arise with "1041", it is a sequential number that cannot be pre-calculated in the next steps. b.) Close the release (send the artifacts to https://s01.oss.sonatype.org/content/repositories/staging): Request:
{
"data": {
"stagedRepositoryIds": ["io.substrait-1041"],
"description": "io.substrait:substrait:1.2.4",
"autoDropAfterRelease": true
}
}c.) Release the artifacts to maven central (to: https://s01.oss.sonatype.org/content/repositories/releases/): Request
{
"data": {
"stagedRepositoryIds": ["io.substrait-1041"],
"description": "io.substrait:substrait:1.2.4",
"autoDropAfterRelease": true
}
}In case is needed to Create / Close / Release in different step there is needed to persist information per steps OR call all the task as one. |
One way about how do we could release to maven central automatically will be to create a rule/job that the maximum time to verify/test artifacts on Staging is 05 days, after that a Job automatically will run a promote to maven central. POST: https://s01.oss.sonatype.org/service/local/staging/profile_repositories <stagingRepositories>
<data>
<stagingProfileRepository>
<profileId>XXXXXXXX</profileId>
<profileName>io.substrait</profileName>
<profileType>repository</profileType>
<repositoryId>io.substrait-1041</repositoryId>
<type>closed</type>
<policy>release</policy>
<userId>dsusanibara</userId>
<userAgent>gradle-nexus-publish-plugin/1.1.0</userAgent>
<ipAddress>x.y.z.w</ipAddress>
<repositoryURI>https://s01.oss.sonatype.org/content/repositories/io.substrait-1041</repositoryURI>
<created>2022-11-10T11:46:31.407Z</created>
<createdDate>Thu Nov 10 11:46:31 UTC 2022</createdDate>
<createdTimestamp>1668080791407</createdTimestamp>
<updated>2022-11-10T11:48:23.774Z</updated>
<updatedDate>Thu Nov 10 11:48:23 UTC 2022</updatedDate>
<updatedTimestamp>1668080903774</updatedTimestamp>
<description>io.substrait:substrait:1.2.4</description>
<provider>maven2</provider>
<releaseRepositoryId>releases</releaseRepositoryId>
<releaseRepositoryName>Releases</releaseRepositoryName>
<notifications>0</notifications>
<transitioning>false</transitioning>
</stagingProfileRepository>
...
...
</data>
</stagingRepositories> |
@jacques-n Please also confirm if uploaded native images to Github release is ok or need to be deleted
With this we could download binaries from Github release and use that: $ ./isthmus-macOS-2.0.0 -c "CREATE TABLE Persons ( firstName VARCHAR, lastName VARCHAR, zip INT )" "SELECT lastName, firstName FROM Persons WHERE zip = 90210"
{
"extensionUris": [{
"extensionUriAnchor": 1,
"uri": "/functions_comparison.yaml"
}], |
westonpace
left a comment
westonpace
left a comment
There was a problem hiding this comment.
I'm not really an expert on Java releases but I gave it an attempt. I have a few questions that are probably just my inexperience :)
| - uses: actions/checkout@v2 | ||
| with: | ||
| submodules: recursive | ||
| - uses: DeLaGuardo/setup-graalvm@5.0 | ||
| with: | ||
| graalvm: '22.0.0.2' | ||
| java: 'java17' | ||
| - name: Setup Gradle | ||
| uses: gradle/gradle-build-action@v2 | ||
| - name: Report Java Version | ||
| run: java -version | ||
| - name: Install GraalVM native image | ||
| run: gu install native-image | ||
| - name: Build with Gradle | ||
| run: gradle nativeImage | ||
| - name: Smoke Test | ||
| run: ./isthmus/src/test/script/smoke.sh | ||
| ./isthmus/src/test/script/tpch_smoke.sh | ||
| - name: Rename the artifact to OS-unique name | ||
| shell: bash | ||
| run: | | ||
| value=`mv isthmus/build/graal/isthmus isthmus/build/graal/isthmus-${{ matrix.os }}` | ||
| - name: Publish artifact | ||
| uses: actions/upload-artifact@master | ||
| with: | ||
| name: isthmus-${{ matrix.os }} | ||
| path: isthmus/build/graal/isthmus-${{ matrix.os }} | ||
| - uses: actions/checkout@v2 | ||
| with: | ||
| submodules: recursive | ||
| - uses: DeLaGuardo/setup-graalvm@5.0 | ||
| with: | ||
| graalvm: '22.0.0.2' | ||
| java: 'java17' | ||
| - name: Setup Gradle | ||
| uses: gradle/gradle-build-action@v2 | ||
| - name: Report Java Version | ||
| run: java -version | ||
| - name: Install GraalVM native image | ||
| run: gu install native-image | ||
| - name: Build with Gradle | ||
| run: gradle nativeImage | ||
| - name: Smoke Test | ||
| run: ./isthmus/src/test/script/smoke.sh | ||
| ./isthmus/src/test/script/tpch_smoke.sh | ||
| - name: Rename the artifact to OS-unique name | ||
| shell: bash | ||
| run: | | ||
| value=`mv isthmus/build/graal/isthmus isthmus/build/graal/isthmus-${{ matrix.os }}` | ||
| - name: Publish artifact | ||
| uses: actions/upload-artifact@master | ||
| with: | ||
| name: isthmus-${{ matrix.os }} | ||
| path: isthmus/build/graal/isthmus-${{ matrix.os }} |
There was a problem hiding this comment.
Can we avoid whitespace-only changes? It makes review trickier.
| - next | ||
| - next-major | ||
| - beta | ||
| - alpha |
There was a problem hiding this comment.
Do we need all these? Maybe just include the ones we actually use? Or main and next to show what could be done?
There was a problem hiding this comment.
This is only configuration. It will be good to have this already in place, and ONLY create this branch on the project when it is needed or there are reason for.
|
|
||
| We are using Sonatype OSSRH and there are repositories for `snapshots` / `staging` / `release`: | ||
| - If your library finalize with `1.4.3-XXXXX-SNAPSHOT` -> it is going to be deployed to Snapshots repository | ||
| - If your library finalize with `1.4.3-XXXXX-SNAPSHOT.YYYY` -> it is going to be deployed to Staging/Releases repository |
There was a problem hiding this comment.
What does it mean for a library to finalize? Does this mean the destination repository is based on the name of the artifacts? Or is the the value of the version field?
There was a problem hiding this comment.
Let me update that. The destination repository is based on the name of the artifacts. It will be:
We are using Sonatype OSSRH, the destination repository (snapshots / staging / release) is based on the name of the artifacts:
- For library name artifacts as
1.4.3-XXXXX-SNAPSHOT-> it is going to be deployed to Snapshots repository - For library name artifacts as
1.4.3-XXXXX-SNAPSHOT.YYYY-> it is going to be deployed to Staging/Releases repository - For library name artifacts as
1.4.3-XXXXX-> it is going to be deployed to Staging/Releases repository - For library name artifacts as
1.4.3-> it is going to be deployed to Staging/Releases repository
| #### 2. How many days do I have to approve the artifacts on the Staging repository? | ||
|
|
||
| Please review [OSSRH-24751](https://issues.sonatype.org/browse/OSSRH-24751) |
There was a problem hiding this comment.
What happens if a release is not approved in the time limit?
There was a problem hiding this comment.
There is not an option to recover that version. A initial proposal is to run a Job that after 5 days on staging environment automatically deploy that to release maven central, more detal at #102 (comment)
There was a problem hiding this comment.
Consider: OSSRH-86341
- Open staging repositories are dropped after 3 days of inactivity.
- Closed staging repositories are dropped after 21 days of inactivity.
- Released staging repositories are dropped within an hour or two of release.
| "Create a well-defined, cross-language specification for data compute operations" | ||
| ) | ||
| url.set("https://github.com/substrait-io/substrait-java") | ||
| properties.set(mapOf("country" to "PE", "dsusanibar.type.of" to "Java")) |
There was a problem hiding this comment.
Sorry, that was for my internal test, let me delete that.
| #signing | ||
| SIGNING_KEY_ID = 193EAE47 | ||
| SIGNING_PASSWORD = password | ||
| SIGNING_KEY = ALDqwcArqwfsdqweqwrwr |
There was a problem hiding this comment.
What is this value? Is it a dummy value? Or is it a secret?
There was a problem hiding this comment.
This is dummy value, real value is going to read at build time from Github secrets values.
Co-authored-by: Weston Pace <weston.pace@gmail.com>
davisusanibar
force-pushed
the
feature/release_to_sonatype
branch
from
2ecc7c2 to
57947e7
Compare
|
Hi @westonpace please if you could take a second chance to review it. |
davisusanibar
changed the title
This sounds good to me.
Let me make sure I understand. The substrait-java .jar file (for programmatic use) will be deployed to maven central. The isthmus binary executable (for scripting / command-line use) will be deployed to github That sounds reasonable to me. |
Please if we could handle this as an additional PR to we could continue with the scope of this PR. I mean the proposal is that initially deploy the artifacts into Staging automatically and deploy manually to maven central, then, when this end-to-end is working we could automate that without problems. If that won't be possible please let me know to I could send that feature into this PR
It will be: Sonatype OSSRH:
Github asset:
|
|
An additional PR for automated releases sounds fine to me. |
|
Hi team, please let me know when we could have a time to test the promote to Sonatype Staging Environment. Also please share the Key (ie: 103EEE97) sending to Ubuntu server at step |
Do you perhaps mean for us to run |
|
@jacques-n I think there is probably a more fundamental issue here around signing releases that you might have more experience / opinions on. The ASF policy mandates that all source releases be signed by the release manager (and optionally as many PMC members as want to participate) and all released artifacts be signed by a committer (preferably a PMC member). That seems a little extreme and not easily automated. If we wanted to automate it, then it requires putting all signers' keys into some centralized secret storage and so you end up with a single point of failure anyways. In that case, we might as well have a single "substrait" key that is stored in some kind of credentials vault (a github secret might be enough for now). |
Just send PR #104 for automation. |
Request was related about: (1) create public/private key, (2) send public key to ubuntu server, (3) share with me the ID generated on step 1 to update documentation with that value. |
|
I'm not certain I understand. If I don't sign the release with my private key then I'm not sure sharing my public key will be useful. |
In this case we are using Gradle Signing Plugin. It's configured on the project to read environment variables and use that as needed. This is the signing task For this reason we need to create public/private keys and then upload private key information into the Github project Secrets and also send public key to public server keys. |
|
Closing the loop, since some of this conversation happened externally. I have created secrets for this repository named |
|
Just to mention that is needed to decide what will be our first version to promote: v0.x.y or v1.0.0. To be aligned with Sustrait version that recommend version with format 0.x.y is needed to create a dummy tag (ie: v0.0.0) then semantic release process will increment that version number (ie: v0.1.0). Semantic release consider tags created by main branch, and increment that version number for next releases, if there aren't any tags then semantic release will create v1.0.0 tag and release 1.0.0 version. |
|
@davisusanibar Can we use the instructions here which use a token instead of a username / password? |
Yes, we are not using our user/password to login into UI dashboard, instead we are using tokens (at the end it's also a combination of a name and password codes but not linked to a end user) |
|
I have created the necessary secrets at the repository level (no promises they are all correct 😆 but let me know if it looks like any are not working when you try):
|
I agree that we should start with v0.1.0 but move quickly to v1.0.0 (e.g. don't need to wait for spec@1.0.0) |
This looks good. How do you see to have an option to test Github Credentials? This PR #107 help on that. Could be an option to merge that before, then run workflow manually and when all credentials are validate we could continue to merge this PR, if not let's continue with this PR merge and let's see. |
Ok. To start with v0.1.0 please help me to create a initial tag v.0.0.0 before to merge (Why? If not, semantic release will create a tag for us but this will have v1.0.0 format). |
* refine doc on Velox backend * revert pom change
Enable publishing to Sonatype OSSRH Co-authored-by: Weston Pace <weston.pace@gmail.com>
3 participants
This PR contains:
Second part to solve #43 , please at first time review/merge #100 that is needed to this PR