Table of Contents generated with DocToc
<Project Name>: release-build configurationThis file is a placeholder ahead of the release-management skill family landing. None of the release-* skills exist yet, see docs/release-management/README.md. The values below are what release-rc-cut and release-verify-rc will read.
Per-project build invocation, expected artefact set, digest selection, and license-verification configuration. Adopters copy this file into their own <project-config>/release-build.md and fill every TODO with their project's equivalents.
TODO: name the canonical build command that produces the source artefact (and any convenience binary artefacts the project publishes). For Maven projects this is typically mvn -Papache-release clean install; for Python projects a combination of python -m build and twine; for Cargo projects cargo package --list; etc.
Example shape:
# From the release branch tip, at the release tag: mvn -Papache-release clean install
TODO: list the artefacts the build invocation produces and the release ships. Each entry: filename pattern, content type, whether it is the canonical source artefact or a convenience binary.
Example shape:
apache-<project>-<version>-source-release.zip, canonical source artefact (required, signed, checksummed).apache-<project>-<version>-bin.tar.gz, convenience binary (optional, signed, checksummed).
The canonical source artefact is the one the [VOTE] thread votes on. Convenience binaries do not vote, but ship under the same signature regime.
TODO: list which digests the project publishes alongside each artefact. ASF baseline is sha512; many projects also publish sha256 for older downstream tools. md5 is no longer accepted per ASF infrastructure guidance.
Example shape:
sha512, required.sha256, published for downstream-tool compatibility.
TODO: list any binary content the source artefact must NOT contain (per release-verify-rc's no-prohibited-binaries check). The default list is conservative, .class, .jar, .so, .dylib, .dll, .exe, pre-built minified JS bundles checked into the source tree. Project-specific exclusions go here.
Example shape:
*.class,*.jar, Java compiled output never ships in source.assets/vendor/**/*.min.js, vendored minified JS that has a source-checked counterpart; flagged on every source-release verification.
TODO: point at the project's Apache RAT configuration. RAT checks every source file carries the required license header.
Example shape:
- RAT plugin config:
pom.xml ยง rat-maven-plugin.- RAT excludes file:
rat-excludes.txt.
release-verify-rc runs RAT against the unpacked source artefact and reports any file with a missing or wrong header. Project- specific excludes belong in the RAT-excludes file, not in this configuration; this file documents where the excludes live so the agent can resolve them.