[RELENG-28] Release artifacts to Maven Central Created: 30/Mar/16 Updated: 13/Nov/18 Resolved: 29/Oct/18 |
|
| Status: | Resolved |
| Project: | releng |
| Component/s: | Autorelease |
| Affects Version/s: | unspecified |
| Fix Version/s: | None |
| Type: | Improvement | ||
| Reporter: | Thanh Ha (zxiiro) | Assignee: | Thanh Ha (zxiiro) |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Operating System: All |
||
| Description |
|
I've been told that in order to release artifacts to Maven Central we need to follow the instructions for OSSRH. http://central.sonatype.org/pages/ossrh-guide.html |
| Comments |
| Comment by Thanh Ha (zxiiro) [ 30/Mar/16 ] |
|
OSSRH has some minimal requirements that need to be met in order to release. http://central.sonatype.org/pages/requirements.html One issue I see from the requirements is that our SCM section URLs point to project wiki pages. As the OSSRH documentation states, this URL is supposed to be the URL to your git repository. |
| Comment by Thanh Ha (zxiiro) [ 30/Mar/16 ] |
|
According to Sonatype, the recommended way is OSSRH. They do allow some sites to publish to Maven Central, but these sites must be trusted and meet their requirements before they'll allow syncing. I think we should just use OSSRH as that's the easier path forward. With that said, it looks like we have some more work to do before we can push to OSSRH with regard to our pom metadata. |
| Comment by Colin Dixon [ 12/Apr/16 ] |
|
So the current problem is fixing all the pom files so that SCM URLs point to our git repositories. That should be relatively easy to script. |
| Comment by Michael Vorburger [ 19/Jul/16 ] |
|
I suggest we make this depend on |
| Comment by Michael Vorburger [ 19/Jul/16 ] |
|
How about https://git.opendaylight.org/gerrit/#/c/42052/ ? |
| Comment by Thanh Ha (zxiiro) [ 18/Aug/18 ] |
|
I've applied for an account here: |
| Comment by Thanh Ha (zxiiro) [ 18/Aug/18 ] |
|
This should cover the staging job side of things: https://gerrit.linuxfoundation.org/infra/12318 |
| Comment by Thanh Ha (zxiiro) [ 18/Aug/18 ] |
|
Looks like Maven Central requires PGP signatures in order to release to it. We need to get Sigul automation in place to sign the artifacts during the staging job. |
| Comment by Michael Vorburger [ 20/Aug/18 ] |
|
Yeah. I do this for what I have up on http://repo1.maven.org/maven2/ch/vorburger/. What is Sigul? |
| Comment by Andrew Grimberg [ 20/Aug/18 ] |
|
It's an infrastructure component that we're rolling out to projects that LF hosts. It's a secure way of allowing automated PGP signing of artifacts (detached signature for most, or embedded in the case of RPM packages). We've had the sigul server itself available for some time, but it's taken us a while to build most of the framework needed to actually use it in jobs. This framework is finally available and we're rolling out the final components into our CI infrastructure over the next few weeks. Once it's in place we can update jobs to take advantage of it. |
| Comment by Thanh Ha (zxiiro) [ 29/Oct/18 ] |
|
OSSRH requires that the sigul public key be available on a public key server. We've uploaded it. Discussed with agrimberg regarding also adding the Checksum, Javadoc, and Sources checks to our own Nexus ruleset too (and eventually signature validation) considering we need those anyway. |
| Comment by Thanh Ha (zxiiro) [ 29/Oct/18 ] |
|
Patch proposed: https://gerrit.linuxfoundation.org/infra/12318 This should be available in global-jjb v0.27, assuming it gets merged. |