Add automatic signing and uploading releases

[ppkarwasz]

This adds support for:

• the verification of reproducibility of source archives.
• signing of releases.
• the generation of vote and announce e-mails.
• the upload for releases to the staging Subversion repository

[ppkarwasz]

There are some things left to fix:

• I can not use crazy-max/ghaction-import-gpg, probably we need an INFRA ticket to install it on the repo. In the meantime I am using actions/setup-java, which is allowed to run.
• The generate-email.sh script might need some massaging.
• You might consider inlining the generate-email.sh script or run it in a different job, so the sign-and-upload does not require a Git checkout.

[swebb2066]

The instruction in the just added release instructions can be simplified. Can you include the changes in this PR. Or should I do it and add it to the branch?

I find it always useful to write instructions before writting the code.

[swebb2066]

The reviewer should confirm the uploaded source code is not corrupt and
is identical to the package generated by the Github action.

This is what I have put in the review kit I created

[swebb2066]

"Apache ${PROJECT_NAME} is a logging framework for C++"

[swebb2066]

Add ref: v${{project-version}}-RC${{release-candidate}

Rational: Preparing a release begins with the assignment of a tag. (e.g. I have already assigned v1.3.0-RC1 )

[swebb2066]

Add
release-candidate:
description: The tag suffix (a number) appended to "v${{project-version}}-RC"
required: true

Rational: Preparing a release begins with the assignment of a tag. (e.g. I have already assigned v1.3.0-RC1 )

[swebb2066]

The date should be taken from the commit.

[swebb2066]

The date should be taken from the commit. This script could require a parameter or read it from a file in the build directory.

[ppkarwasz]

That would probably be the ideal solution.

In Log4j we had a chicken-and-egg problem, because changing the timestamp for the JAR files requires the modification of the Maven project.build.outputTimestamp property, which requires a commit, which modifies the timestamp, etc. 😉

We could however solve the problem by overriding the COMMIT_DATE of the commit that just modifies project.build.outputTimestamp.

[swebb2066]

I see that running an action on tag assignment is possible.

We could perform this action GITHUB_REF matches v[0-9].[0-9].[0-9]-RC[0-9]

[ppkarwasz]

In Log4j we run the release action on each push to a release/<version> branch. Would that be an option for Log4cxx?

The advantage of making a branch vs a tag is that we don't stall a release if the main branch receives new commits.

[ppkarwasz]

@swebb2066,

Thank You for the remarks, they made me realize there is still a lot to do before we automatize all Apache Logging Services releases. I will resolve the conversations above once I have actually resolved them in this PR (i.e. don't stall the Apache Log4cxx release for this PR).

I opened a brainstorming thread on dev@logging to see how the ideal Apache Logging Services release process and release review process should look like.

[rm5248]

I don't see anything obviously wrong with what has been proposed here, we'll just have to test it out and see that it works.

[swebb2066]

don't stall the Apache Log4cxx release for this PR

The release is currently stalled anyway because logging.staged.apache.org is broken

[ppkarwasz]

don't stall the Apache Log4cxx release for this PR

The release is currently stalled anyway because logging.staged.apache.org is broken

Not anymore: https://logging.staged.apache.org/log4cxx/1.3.0/

[swebb2066]

Not anymore: https://logging.staged.apache.org/log4cxx/1.3.0/

I have commenced the release process