)]}' { "log": [ { "commit": "45e3436fc7ed3226201fdba777f74b91e89ececa", "tree": "613308f798ba65918db7d67175bca5f81ce864e6", "parents": [ "8ae77fc90526086101e34a9cac1a9a5b0b1a3de1" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Fri Jan 30 12:56:28 2026 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Feb 16 15:08:46 2026 -0500" }, "message": "Improve error handling of the check-release script\n\n- If we fail to download dist/maven files (e.g. incorrect URL, temporary\n server issue), we currently ignore it and end up with confusing errors\n about non-reproducible builds. Instead, detect the failure and error.\n- Detect if the DIST_URL parameter is empty and error. This URL is\n required and leads to weird behaviors if accidentally excluded.\n\nThese changes required some refactorings, including moving the\ntest_files and print_results functions/colors to the top of the script\nand adding a usage function\n" }, { "commit": "8ae77fc90526086101e34a9cac1a9a5b0b1a3de1", "tree": "2f6703cb2aacee8c3c6e3cba2ec921b1ef69fb2e", "parents": [ "d2a3051c1856e5bdb8983d212742b970d04b45b7" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Wed Jan 28 14:45:15 2026 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Wed Jan 28 15:06:38 2026 -0500" }, "message": "Ensure SBT release builds are built on Java 17\n\nDaffodil 4.0.0 and newer requires a minimum of Java 17 to build, so we\nmust build on Java 17. Note that the plugin class files are built with\nJava 8 compatibility so the plugin still works on older versions of\nJava. It is only the Daffodil Saver components used when daffodilVersion\nis 4.0.0 or newer where the classes are built with Java 17.\n" }, { "commit": "d2a3051c1856e5bdb8983d212742b970d04b45b7", "tree": "42b5c583fa1ff8db5f781658a12906d72596412f", "parents": [ "31ab54e89b0e9cf50e70c62f503d85c9e402a8c2" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Jan 26 12:06:05 2026 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Wed Jan 28 12:43:44 2026 -0500" }, "message": "Update all dependencies\n\nOur core dependencies do not have any breaking changes--no updates are\nneeded. The major version bumps are mainly about requring Node 24\nsupport and not breaking API or functionality changes.\n\nThis ensures we have the latest bug and CVE fixes, including in\ntransitive dependencies.\n" }, { "commit": "31ab54e89b0e9cf50e70c62f503d85c9e402a8c2", "tree": "058c0a1ec3ef104cb2614ed9752b3f3bdcabfada", "parents": [ "bb0d73ca634037aa36f5900f56d0d48b3e99a70c" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Thu Nov 13 13:08:33 2025 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Tue Jan 06 15:26:28 2026 -0500" }, "message": "Use getExecOutput instead of exec when stdout is needed\n\nWhen we need to capture the stdout of a command, we currently call exec\nwith a custom stdout handler that copies stdout to a mutable variable.\nBut getExecOutput already does this, returning an object that contains\nstdout (and stderr and the exit code which we don\u0027t need).\n\nThis switches out exec calls to getExecOutput when we need stdout, which\nsimplifies the code and removes a number of mutable variables.\n\nDAFFODIL-3055\n" }, { "commit": "bb0d73ca634037aa36f5900f56d0d48b3e99a70c", "tree": "05d5bfeb61d6379025139fcd9d51469005af407c", "parents": [ "185730e94832371b42cdae0957afdd47a70f7bdb" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Fri Dec 12 09:00:49 2025 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Fri Dec 12 10:02:36 2025 -0500" }, "message": "Remove user input from the build release container\n\nWhen building a release for checking reproducible builds, we currently\nrequire that users manually select the project name and enter the\nrelease candidate label. This can make it difficult to script and can\nlead to errors when entering the information. This user input is really\njust relic of when we required a lot more information. The current\nscript only needs couple of pieces of information (project name and\noptional release label), so manual input isn\u0027t the best way to get that\ninformation anymore.\n\nThis changes the script so the project name and optional release label\nmust be provided as arguments to the script, removing all user input.\nValidation is added to ensure the project name is one of the expected\nprojects and the pre-release label (if provided) is a valid release\ncandidate label.\n" }, { "commit": "185730e94832371b42cdae0957afdd47a70f7bdb", "tree": "2c97ca62bcf001357349de34b6ff96d0dddfe385", "parents": [ "ab907efcfffb4d27e95b441c45b3f3739128cb98" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Dec 08 07:31:33 2025 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Dec 08 09:06:38 2025 -0500" }, "message": "Change how we save svn credentials\n\nModern svn does not store passwords in the ~/.subversion/servers file.\nInstead it stores them in ~/.subversion/auth/ using a custom file\nformat. This changes how we write the svn authentication credentials to\nuse the correct format so that workflow actions do need to provide\nusername/passwords.\n\nThis also adds parenthesis when calling os.homedir. Node.js has magic\nthat allows os.homedir to do what one expects within template strings,\nbut really the correct way to use it is to call it as a function.\n" }, { "commit": "ab907efcfffb4d27e95b441c45b3f3739128cb98", "tree": "8a8b4dc04a8628f4c44ff49a260a2c71b3f84964", "parents": [ "91847b4f79f339f581f17050b2b586944340021e" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Fri Dec 05 14:26:22 2025 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Fri Dec 05 15:13:53 2025 -0500" }, "message": "Fix \"path not defined\" error\n\nWe don\u0027t have the path module imported which lead to a path not define\nerror. To be consistent with the rest of the code, use template literals\nto build the svn path.\n" }, { "commit": "91847b4f79f339f581f17050b2b586944340021e", "tree": "3c851ae5c6626261b00598a45d3e769964d27345", "parents": [ "ce252f5e2fe92cf5378a20613ad0051ed6471608" ], "author": { "name": "olabusayoT", "email": "50379531+olabusayoT@users.noreply.github.com", "time": "Tue Nov 04 12:23:29 2025 -0500" }, "committer": { "name": "olabusayoT", "email": "50379531+olabusayoT@users.noreply.github.com", "time": "Thu Nov 13 11:52:42 2025 -0500" }, "message": "Make `gpg`, `svn` and `nexus` credentials optional\n\n- we only care about them if do_publish is true. do_publish is based on the value of `publish` input as well as whether it is a tag, snapshot or asf build.\n- if do_publish is true, then `gpg_signing_key` is required and it\u0027d error out if not provided. If do_publish is false, we generate a key that expires in 1 day for signing and verification (public key is stored as artifact, while private key is used for signing) without input from the user\n- we write the SVN credentials to the default svn config dir servers file ~/.subversion/servers, so the post step doesn\u0027t have to worry about svn credentials, it can access it thanks to main step\n- update comments and documentation\n\nDAFFODIL-3041\n" }, { "commit": "ce252f5e2fe92cf5378a20613ad0051ed6471608", "tree": "aed1e002544292cf000d73f5fcbbde8f694c1efb", "parents": [ "96c296db29fc0c2909d72536b2d9673cfe436f4c" ], "author": { "name": "olabusayoT", "email": "50379531+olabusayoT@users.noreply.github.com", "time": "Thu Sep 18 15:53:28 2025 -0400" }, "committer": { "name": "olabusayoT", "email": "50379531+olabusayoT@users.noreply.github.com", "time": "Tue Nov 04 11:49:19 2025 -0500" }, "message": "Enable SBOM generation during release\n\n- add sbom plugin to main.js\n- Add SBOM-related configurations to container\u0027s build.sbt and plugins.sbt\n- Wrap release file downloads in a conditional check for pre-existing release directory\n- update check-release/README.md with detailed workflow setup instructions.\n- Add SBOM-related configurations to enable XML format publishing during the release process.\n- verify reproducibility of sbom artifacts\n- Add detailed testing instructions for the release-candidate action in its README.\n\nDAFFODIL-2993\n" }, { "commit": "96c296db29fc0c2909d72536b2d9673cfe436f4c", "tree": "2870114c7811550d3fdf67f9a4573d4c7930c090", "parents": [ "e8563982080529c0b47b473e8b096c6ebbcd153f" ], "author": { "name": "Shane Dell", "email": "shanedell100@gmail.com", "time": "Wed Oct 08 21:30:34 2025 -0400" }, "committer": { "name": "Shane Dell", "email": "32347414+shanedell@users.noreply.github.com", "time": "Tue Oct 21 14:27:58 2025 -0400" }, "message": "Update java version to 17 for daffodil-vscode\n" }, { "commit": "e8563982080529c0b47b473e8b096c6ebbcd153f", "tree": "ec08b7b1c70dd679e91093e9a0ea9c58cc896043", "parents": [ "e657ed5fac5753a3058734e67e65e20c4ea58750" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Sep 22 12:55:17 2025 -0400" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Tue Sep 23 13:22:50 2025 -0400" }, "message": "Do not include existing SVN artifacts in uploaded zip\n\nWhen the release-cadidate action does not publish a release (e.g.\nsnapshot build, triggered fromh workflow_dispatch), the action creates a\nzip of the created artifacts so that they can be verified. However, it\ncan also include artifacts that already existed in SVN. This can lead to\nconfusion since there are unexpected files. This fixes the logic of how\nwe list artifacts to ensure we only include artifacts that were created\nby the action so it excludes files that were already in SVN.\n\nThis also renames the \"release\" directory where artifacts are stored to\n\"release-download\"--this makes its naming more clear that the zip\ncontains downloaded artifacts rather that locally built artifacts, and\nmakes the naming working better with the check-release container.\n\nDAFFODIL-3040\n" }, { "commit": "e657ed5fac5753a3058734e67e65e20c4ea58750", "tree": "ae55daa7cca5d851eef022a49be19c95c3d6910c", "parents": [ "2917e163b3475620da2e190de0de5b4c202bffc6" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Tue Sep 09 19:38:10 2025 -0400" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Thu Sep 11 07:12:21 2025 -0400" }, "message": "Change check-release container to Ubuntu\n\nSomething with the Fedora check-release container can lead to issues\nwith gpg validation, something about lock files alreay existing and\ntiming out. It isn\u0027t clear exactly what the problem is, but it does not\noccur on Ubuntu. So this switches the check-release container to Ubuntu.\nThis also makes it consistent with the build-release container which is\nalso Ubuntu based so they can share the same base image.\n\nThe only issue with this is Ubuntu wget seems to create index.html.tmp\nfiles that it doesn\u0027t delete--other systems do delete these files. This\nseems to be a known issue with some versions of wget, so we just delete\nany tmp files if they exist. This is also useful in cases where users\ndirectly run the script on Ubuntu systems without the container.\n" }, { "commit": "2917e163b3475620da2e190de0de5b4c202bffc6", "tree": "b53344770421e1f18ba587b5bb182318a283b837", "parents": [ "0ccfc7ef770463b9d73e75c4361c0a4bb84a695f" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Sep 08 07:42:04 2025 -0400" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Tue Sep 09 09:48:33 2025 -0400" }, "message": "Output count of total failures\n\nWith the amount of lines output, it can be difficult to notice a small\nnumber of failures. This keeps a count of all failures and outputs the\ntotal at the end to make it more obvious if all tests passed or not.\n\nThe main difficulty in keeping a count is that most of the checks are\ndone in \"find ... -exec\", and the exec doesn\u0027t have a way to increment a\nbash variable since it occurs in a separate process space. To get around\nthis, we add a new \"test_files\" function that accepts a list of files\n(retrieved using the same find command) and a string of commands to run\non each file, using {} to reference each file similar to -exec. Checking\nthe result of the command evaluation happens in the same process space,\nso we can check for failure and increment a variable. This new function\nalso handles printing pass/fail results. The all means the new function\nis a bit more complex, but does make the actual tests more clear.\n\nThis also changes the recursive diff to use the new test_files function,\nallowing us to compare files individually so we can list both matching\nand non-matching files. This makes it more clear exactly which files are\nchecked for reproducibility. This also switches to using cmp since we no\nlonger need the recursive capabilities that diff provides.\n\nAlso add missing quotes in some places and rewrite RPM signature removal\nto avoid potential issues with spaces in files names.\n\nDAFFODIL-3039\n" }, { "commit": "0ccfc7ef770463b9d73e75c4361c0a4bb84a695f", "tree": "69c48c358ef3e40a39eb433f820bf63b4e38a985", "parents": [ "8d4ed58bf33be3ddf642d278511a44c11be5463d" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Fri Aug 29 13:23:04 2025 -0400" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Tue Sep 09 09:43:06 2025 -0400" }, "message": "Modify check-release script to work with SBT and VS Code releases\n\nThe dist directory for SBT and VS Code releases includes an extra\n\u0027daffodil-sbt/\u0027 or \u0027daffodil-vscode/\u0027 directory, compared to normal\ndaffodil releases. And the value provided to --cut-dir does not consider\nthese extra directories, so downloaded directory tree structure doesn\u0027t\nactaully match the structure created by the build-release container,\ncausing the reproducible diff to fail.\n\nTo avoid needing to detect and specify different cut dir values based on\nthe release type, this moves the wget logic to a new \u0027download_dir\u0027\nfunction that calculates the value of cut-dirs so that it only keeps the\nlast directory.\n\nSo for example, all dist artifacts are downloaded to a\ndirectory matching the version (e.g. 1.0.0-rc1/) and all maven artifacts\nare downloaded to a directory matching the maven profile (e.g.\norgapachedaffodil-1234/). Note that the build-container does not include\nthe maven profile directory, so after it is downloaded we move the\ncontents out of that directory.\n\nThis matches the structure that the build-release container creates\nallowing reproducible diffs to work.\n\nDAFFODIL-2971\n" }, { "commit": "8d4ed58bf33be3ddf642d278511a44c11be5463d", "tree": "021e8025e2e4bde963eab052ab27aa59965c9951", "parents": [ "73c6ae307547df2461d968713e148ad58e11f680" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Thu Sep 04 08:17:59 2025 -0400" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Sep 08 12:22:05 2025 -0400" }, "message": "Improve checking of RPM reproducibility\n\nWhen dist RPMs are created, they are signed with an embedded signature.\nThis can make reproducibility difficult. To handle this, we currently use\nrpmsign --delsign to delete the embedded signatures before performing\nthe diff. But rpmsign --delsign sometimes deletes the signature in a way\nthat is technically correct in that the RPM does not have a signature,\nbut the RPM is still not identical to the same RPM that was never\nsigned.\n\nTo allow for checking reproducibility, this replaces the delsign logic\nwith a custom function that just copies the signature header from the\nlocally built RPM to the dist RPM. This ensures the signatures headers\nare exactly the same, and allows us to ensure all other bytes are\nidentical.\n\nThis no longer needs the rpmsign command and is removed from the\ncontainer and command checks.\n\nDAFFODIL-3037\n" }, { "commit": "73c6ae307547df2461d968713e148ad58e11f680", "tree": "d149d31bf16a979d7be9affb331f4fc9f77fec84", "parents": [ "c96c906ce1a4d1593c62a48c4baf8733e0d218fb" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Fri Aug 29 13:21:12 2025 -0400" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Tue Sep 02 07:30:32 2025 -0400" }, "message": "Use Java 17 for building Daffodil release candidates\n\nThe VS Code extension and SBT plugin still support Java 8, so we install\nboth jdk8 and jdk17 and then add a new function to set all java\nbinaries use the correct version.\n\nDAFFODIL-3017\n" }, { "commit": "c96c906ce1a4d1593c62a48c4baf8733e0d218fb", "tree": "f8bce7318e1051db076d3f0e5091d5b8429951f8", "parents": [ "b58aefa0a0cd68a47e89116a04576be7da8f4b64" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon May 19 15:46:26 2025 -0400" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon May 19 15:56:40 2025 -0400" }, "message": "Fix typo in release tag extraction\n" }, { "commit": "b58aefa0a0cd68a47e89116a04576be7da8f4b64", "tree": "07925f063a21a32a457115f20fb0fd64b4273828", "parents": [ "3645831b7f80d5e4c1c1f165aa8b2fd70790509c" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Wed Apr 09 14:09:50 2025 -0400" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Wed Apr 09 14:11:50 2025 -0400" }, "message": "Fix check-release RPM artifact verification\n\n- RPM maintains a separate keychain for public gpg keys. When building\n the check-release container, run rpm --import to import keys to that\n keychain\n- Modify a check-release message to make it more clear it is verifying\n embedded RPM signatures and not the detached .asc signatures\n- The rpm -K option succeeds even if the RPM does not have a gpg\n signature. To require that an RPM both has an embedded gpg signature and\n that it is valid, we grep for a specific string output only when both\n conditions hold\n- When checking reproducibility, we delete the signature embedded in\n RPMs. But this means if you run the script again that signure will be\n missing and signature/sha512 verification will fail. To prevent this,\n we backup RPMs to a temporary directory prior to deleting signatures\n and then restore them when the reproducible build check is done\n\nDAFFODIL-2971\n" }, { "commit": "3645831b7f80d5e4c1c1f165aa8b2fd70790509c", "tree": "e92e5a04229957fba1ae921e7ff751bb8331c10b", "parents": [ "2d49422d519772dc655d40040ee8c82ca803590c" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Apr 07 15:30:05 2025 -0400" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Wed Apr 09 14:09:12 2025 -0400" }, "message": "Fix directory where we create release sha512sum files\n\nAccidentally left off arfifact.parentPath so sha512sum files were\ncreated but not in the correct directory where the artifact lives.\n\nDAFFODIL-2971\n" }, { "commit": "2d49422d519772dc655d40040ee8c82ca803590c", "tree": "459f2fbf11f0880f07afc1f174087652c24a2222", "parents": [ "dc50b4620963af83704a12aac5ec54f9580b7ec5" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Wed Mar 19 08:45:10 2025 -0400" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Apr 07 15:07:06 2025 -0400" }, "message": "Switch to the new way of building windows installer\n\n- Update the build-release container to install Inno Setup and use\n packageWindowsBin to build the new EXE installer\n- This new method creates reproducible windows installers, so there is\n no need for msidiff or anything related anymore--windows installer\n builds are now bit-for-bit-identical\n\nDAFFODIL-2980\n" }, { "commit": "dc50b4620963af83704a12aac5ec54f9580b7ec5", "tree": "7cc4651c2ce3e8fe3830a50f0f2fd91d895dfdd9", "parents": [ "c638da4559b47214fd9920d9ecf5e33e5e7ecd95" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Fri Mar 07 14:03:17 2025 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Wed Mar 19 08:43:20 2025 -0400" }, "message": "Change how we determine the project version\n\nWith the use of the daffodil-release-cadndiate action, projects are\nrequired to specify their version in a VERSION file in the root of the\nrepository. This is a much easier way to get the version instead of\ngrepping and cutting files.\n\nWe also change the select so it doesn\u0027t exit on error, instead letting\nthe user try to reselect a project to build.\n\nDAFFODIL-2972\n" }, { "commit": "c638da4559b47214fd9920d9ecf5e33e5e7ecd95", "tree": "3770453202b488fe91575119650f09cd613b98a5", "parents": [ "7dba75bad7f72486e801f5a8409689dbb86febf3" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Fri Mar 07 13:30:11 2025 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Mar 10 08:01:18 2025 -0400" }, "message": "Move check-release script into a container\n\nThe check release script requires a number of tools that might not be\navilable on some systems. To make it easier to test on those, this moves\nthe check-release script into a container that includes all the\nnecessary dependencies.\n\nNote that the script can still be run without the container if the tools\nexist on the system, so having the ability to run containers is not\nstrictly required to run the verification script. And most tools the\nscript uses can be installed on most systems. The one exception is\nmsidiff which is only needed to check build reproducibility. This also\nremoves options from wget that are not necessary and aren\u0027t available on\nall versions of wget, making it easier to run the script without a\ncontainer.\n\nDAFFODIL-2972\n" }, { "commit": "7dba75bad7f72486e801f5a8409689dbb86febf3", "tree": "e99104da897c0b90c6bec75787ba77d0f04a5aae", "parents": [ "d301b2d03eea288f14d72e08603e70c492a34483" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Wed Feb 26 11:08:16 2025 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Wed Feb 26 11:12:24 2025 -0500" }, "message": "Add script to check releases\n\nThis includes downloading release artifacts from ASF Dist and Maven\nstaging repo, verifying all checksums and gpg signatures, and optionally\ncomparing against a local build for reproducibility.\n\nDAFFODIL-2971\n" }, { "commit": "d301b2d03eea288f14d72e08603e70c492a34483", "tree": "a8b45fe675372cf46c156b78046ab434275d5b5a", "parents": [ "42b85395b2bb1c4efae9ff41b2a9f6e4a7441983" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Feb 24 12:05:58 2025 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Tue Feb 25 12:11:05 2025 -0500" }, "message": "Add GitHub action to create release candidates\n\nAlthough the release candidate container has helped to make builds\nreproducible and limit the amount of setup needed, it is still difficult\nto setup in some environments. This adds a custom GitHub action and\nworkflow to build/publish release candidates.\n\nTo implement this, the new custom GitHub action is called\n\"release-candidate\" and prepares the GitHub CI environment for creating\na release candidate for ASF. This includes things like SBT settings for\npublishing to ASF maven repositories, creating directories for artifacts\non dist.apache.org, importing signing keys, and creating the source\nartifact. Workflows using this action only need to publish artifacts\n(e.g. using sbt publishSigned) and write helper binaries to a provided\nartifacts directory. The post script of the action will then sign,\nchecksum, and commit the artifacts.\n\nDAFFODIL-2971\n" }, { "commit": "42b85395b2bb1c4efae9ff41b2a9f6e4a7441983", "tree": "b922f296638fccbf3e494e45e1316b69ffc0dd17", "parents": [ "f738d9720d7199e82cb19d9fa0b6d705830d816d" ], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Feb 24 11:18:12 2025 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Tue Feb 25 11:58:33 2025 -0500" }, "message": "Add a container for building releases\n\nThis container is similar to the existing build-release-candidate\ncontainer, but is simplified to remove all logic around publishing and\nsigning. Instead, this builds all artifacts in a similar environment to\none that artifacts will be created in the future (e.g. we know use\nUbuntu). This will allow us to more easily locally build artifacts using\nthis container and compare them against release candidates to verify\nreproducibility.\n\nDAFFODIL-2971\n" }, { "commit": "f738d9720d7199e82cb19d9fa0b6d705830d816d", "tree": "632c1dd67db3e03c9577750173a51545f2c89de9", "parents": [], "author": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Feb 24 11:05:41 2025 -0500" }, "committer": { "name": "Steve Lawrence", "email": "slawrence@apache.org", "time": "Mon Feb 24 11:05:41 2025 -0500" }, "message": "Initial commit\n" } ] }