New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make release process simpler #4974
Comments
I have some comments for the git/github part of the process. I wonder how should we handle merging in terms of approval(s). AFAIU the current process is:
Usually there are at least 2 ppl involved in every merge. Would we want to (could we even?) perform the We could still have |
if we have more automation, i'd prefer having fewer merges. in fact i think we can get away with just one to check the changelog, and the other git-flow merges can be done without going through pull requests, or at least without going through approval & CI for pull requests. i've added a link to our current process documentation to the top of my original post.
all artifacts except the source tarball are uploaded automatically. |
Thanks for pointing to the current writeup! I obviously missed some steps. If you think that release branch into master can be automatic that's fine with me (though I'm not a git guru). What are the proposed next steps? one person writes a first version of the python script or we do it collectively somehow? |
I would suggest pairing or mobbing to get going on the first version. I would love to be involved in this, if anyone would like a hand - UK time zone. There are some things around making the release process itself automatically testable - which we found were quite important - in order to make the Python code refactorable, for example. |
@claremacrae that sounds good, and thanks for offering to help! i am probably free this weekend to pair or mob, if that works for you. happy if other people want to join. |
@brianlheim thanks - this weekend’s fine for me too! Shall we talk via Slack to sort it out - If you could @ me there, I’ll see it on my phone. |
I’m also happy for others to join too, of course. |
@brianlheim and I talked yesterday about the tagging process. As I understand it, the SuperCollider release process has the release manager add the tag manually and then upload the sources. if that’s correct, then I just wanted to note that github may take care of some of that... With ApprovalTests.cpp, we open a new release page, with the tag included in the URL, and then we drag in one artefact (the single header). When we save the release page, github automatically adds the source tarball and zip. For an example, see https://github.com/approvals/ApprovalTests.cpp/releases/tag/v.10.2.1 - the .hpp was the thing we added manually. |
FTR: The tagging should always be done manually and ideally even be signed by the release manager so that downstreams (e.g. Linux distributions) can verify the signature and check the authenticity of the release. I'm not entirely sure, but assume you are referring to the source tarball (in regards to "upload the sources") in this case. That being said: As travis is in use for CI, I'm not entirely sure how happy the maintainers would be about switching to github actions (if that even makes sense). |
this is possible with github.com/github/hub.
i'm OK with this script being run locally since it's relatively fast, reliable, and easy to automate; fiddling with CI is relatively time-intensive by comparison.
it's a no from me :) i would like to avoid investing further in microsoft-specific technology if it can be avoided as there's a big risk of vendor lock-in, and i know some community members are already unhappy that we've remained on GitHub after the acquisition.
wasn't aware of this, but it makes sense. we can definitely do that. would you still consider the tagging to be manual if it's created by a script, run manually by the release manager, which performs validation checks and asks for confirmation? |
Yes, as long as it is done on the release manager's machine and not on a random remote CI machine (some projects actually do that by just auto-tagging every push to master, which IMHO is a really really bad security and release practice). That all being said: Please be aware, that as most downstreams follow TOFU in regards to the usage of trusted upstream PGP keys, it is essential, that a chain of trust is established from then on. This means:
As a sidenote: Whatever you do, don't use Thunderbird's enigmail without making sure, that your key pairs are alright (double check your signatures!). It has a track record of messing up your keys in use by auto-generating new one's due to the p=p stuff in there. I'm not entirely sure whether this is finally removed/fixed, but has proven an issue for many users and projects alike. Another sidenote: If you are interested in securing your key using a hardware token, look into nitrokey or alternatively yubikey. |
On the dev meeting on May 2, 2021 we decided to push it to 3.13 milestone and divide this into smaller actionable items |
I’m still really happy to help with this, when you get to it... |
I'm pinning the issue for now, since we haven't fully addressed it for the 3.12 release |
Motivation
the release process is very complicated and involves lots of manual actions. automating most or all of it would help a lot.
Description of Proposed Feature
a set of scripts (in python) to automate every step of the release process, and use cues for the manual steps.
Plan for Implementation
at the dev call yesterday @joshpar , @jrsurge , @dyfer and i all expressed interest in working on this together. others are of course welcome to help too!
the current plan is to have a python script. i think @claremacrae 's suggestion here is really great (quoting from a Slack conversation):
https://github.com/approvals/ApprovalTests.cpp/tree/master/build
The text was updated successfully, but these errors were encountered: