Initial Setup

The following steps must only be performed only once:

Signing Keys

Release files must be signed with an OpenPGP compatible key. If you do not already have a key for signing Apache releases, follow the developer instructions in the Daffodil KEYS file to generate a key and add it to the KEYS file. Follow the contributor workflow and create a review branch and pull request to commit your changes to the KEYS file. Once merged, perform the following steps:

• Clone the Apache Dist Daffodil release directory, copy the KEYS file, and commit it:

  
  

  Code Block
  language bash
  $ svn checkout https://dist.apache.org/repos/dist/release/incubator/daffodil/ daffodil-dist $ cp daffodil.git/KEYS daffodil-dist $ cd daffodil-dist $ svn ci -m "Update Apache Daffodil KEYS"

    

• Add your key fingerprint to https://id.apache.org. To get your fingerprint, run the following

Below are the steps one should follow to create a new Apache Daffodil release.

...

Initial Setup

The following steps must only be performed once to setup signing keys and the file distribution SVN repository.

Signing Keys

Release files must be signed with an OpenPGP compatible key. If you do not already have a key for signing Apache releases, follow the developer instructions in the Daffodil KEYS file to generate a key and add it to the KEYS file. Follow the contributor workflow and create a review branch and pull request to commit your changes to the KEYS file. Once merged, perform the following steps:

• Clone the Apache Dist Daffodil release directory, copy the KEYS file, and commit it

  :

  Code Block
  language bash
  $ svngpg checkout https://dist.apache.org/repos/dist/release/incubator/daffodil/ daffodil-dist $ cp daffodil.git/KEYS daffodil-dist $ cd daffodil-dist $ svn ci -m "Update Apache Daffodil KEYS"

    

  Add your key fingerprint to https://id.apache.org. To get your fingerprint, run the following

  --fingerprint KEYID

  
  

• Send your key to a keyserver via the command:

  Code Block
  language bash
  $ gpg --send-keys KEYID

  
  

For more information on signing keys, visit How to OpenPGP and Signing Releases.

Container Software

To improve reproducibilty and to minimize the effects and variability of a the users environment, release candidates should be created using the "Daffodil release candidate container". Note that although commands to use this container have been tested with and use podman, you should be able to replace podman with docker if you would rather use it instead. Install the container software of choice using your systems package manager or from the containers website. For example:

$ sudo 

...

dnf 

...

Send your key to a keyserver via the command:

$ gpg --send-keys KEYID

For more information on signing keys, visit How to OpenPGP and Signing Releases.

Creating a Release Candidate

...

Prior to creating the release candidate, the version setting in build.sbt should contain the -SNAPSHOT keyword. Create and merge a pull request to remove this keyword in preparation for a non-snapshot release.

To improve reproducibilty and to minimize the effects and variability of a users environment, release candidates should be created using the Daffodil release candidate container. Although the following commands use and have been tested with podman, you should be able to replace podman with docker if you would rather use docker. Install docker or podman using your systems package manager or from the containers website. For example:

$ sudo dnf install podman

install podman

Preparing for a Release Candidate

The following steps should be performed prior to creating a release canditate:

1. Create a [DISCUSS] thread on dev@daffodil.apache.org to make a decision as a community if the timing is correct for a release and what open issues should be resolved for a release. Ensure there is at leas 72 hours for discussion before moving forward.
     
2. Upon agreement, someone should volunteer to be the "Release Manager" to take the responsibility to prepare the release candidate.
     

3. Prior to creating the release candidate, the version setting in build.sbt should contain the -SNAPSHOT keyword. Create and merge a pull request to remove this keyword in preparation for a non-snapshot release.
   

Creating a Release Candidate

Below are the steps one should follow to create a new Apache Daffodil release candidate.   

1. Build the Daffodil release candidate image:

   Code Block
   language bash
   $ podman build -t daffodil-release-candidate /path/to/daffodil.git/containers/release-candidate/

   This may take 20-30 minutes the first time, but should be significantly faster in subsequent runs unless something changes in the image where a full rebuild is needed.
       

2. Run the daffodil release candidate container:

   Code Block
   language bash
   $ podman run -it \ -v ~/.gitconfig:/root/.gitconfig \ -v ~/.gnupg/:/root/.gnupg/ \ -v ~/.ssh/:/root/.ssh/ \ daffodil-release-candidate

      

3. The container will periodically ask for user input (e.g. usenames, passwords) to sign and publish release files. This includes:
     

   1. Release candidate label. For example: rc1 if this is the first release candidate for a version
        
   2. Long format of your signing key ID. This can be found by running gpg --list-secret-keys --keyid-format long 
        
   3. Git commit name and email. This is the name and email you want to show up as the "Comitter" when creating a git tag or commit.
       
   4. Apache user name and password. This is the username and password credentials used to log in at https://id.apache.org.
       
   5. GitHub SSH key password. The Daffodil repository will be cloned using SSH authentication. If you your SSH key is password protected, you may be prompted for that password.
        
   6. Private GPG password. The release process will sign artifacts with your GPG key–you will be prompted for a password to sign this these artifacts.
        

4. After entering the necessary information, this script will perform the following actions:
   
   

   1. Create a zip of the source
      
      
   2. Create tgz, zip, msi, and rpm of the helper binary
      
      
   3. Create sha256 and sha512 checksum and ASCII armored detached signatures of the above files
      
      
   4. Move the above files to the Apache dist dev directory
      
      
   5. Create javadoc and scaladoc and move to the daffodil site repository docs directory for this release
      
      
   6. Stages jars/poms to https://repository.apache.org
      
      
   7. Create a signed git tag
      
      
5. Once the script completes, you should verify all the files. The script will list the files and locations to verify. This includes:
   
   
   1. Verify the checksums and signatures created in the Apache dist directories are correct
      
      
   2. Verify the staged jars/poms at https://repository.apache.org/ are correct. To do so, visit that url, login in the top right using id.apache.org credentials, select "Staging Repositories" on the left, and find the orgapachedaffodil-XXXX repository. Inspect the "Content" tab to make sure the appropriate jars are uploaded and appear valid.
      
      
   3. Verify the git tag is correct
      
      
   4. Verify the javadoc and scala docs in the daffodil site repository are correct
     
6. If any of the above do not look correct perform the following steps:
     
   1. Drop the published jars/poms (at https://repository.apache.org - check the box for the staging repository just created and choose "Drop" at the top)
       
   2. Type exit  to close the container. All files created in the container will be deleted.
       
   3. Fix the issue and repeat the "Create Release Candidate" process from the beginning.
        
7. After verifying all is correct, run the commands provided at the end of the script to perform the following:
      
   1. Commit the release artifacts
        
   2. Push the new tag
        
   3. Update the daffodil site repository
        
   4. Close the staged files in the Apache repsitory
        
   You are now done with the container.
   1. Type exit  to close
   it
   1. the container.

Update the Website

Create a new release file in the site/_releases/ directory in the Daffodil Site Repository, updating the page to include a summary of the changes and links/descriptions of the bugs that were fixed in this release. Parameters that must be set because this is a release candidate include:

...