dev/create-release/README.txt - phoenix - Git at Google

 Entrance script is _do-release-docker.sh_. Requires a local docker;
 for example, on macOS, Docker for Desktop installed and running.

 For usage, pass '-h':

  $ ./do-release-docker.sh -h

 ./do-release-docker.sh accepts the following options

   -d [path]    required. working directory. output will be written to "output" in here.
   -f           "force" -- actually publish this release. Unless you specify '-f', it will
                default to dry run mode, which checks and does local builds, but does not upload anything.
   -t [tag]     tag for the phoenix-rm docker image to use for building (default: "latest").
   -j [path]    path to local JDK installation to use building. By default the script will
                use openjdk8 installed in the docker image.
   -p [project] project to build, such as 'phoenix' or 'phoenix-connectors'; defaults to phoenix env var
   -r [repo]    git repo to use for remote git operations. defaults to ASF gitbox for project.
   -s [step]    runs a single step of the process; valid steps are: tag|publish-dist|publish-release.
                If none specified, runs tag, then publish-dist, and then publish-release.
                'publish-snapshot' is also an allowed, less used, option.
   -h           display usage information
   -x           debug. do less clean up. (env file, gpg forwarding on mac)

 For example, use the following command do a full dry run build of phoenix-thirdparty:

 ./do-release-docker.sh -d /tmp/thirdparty-build -p phoenix-thirdparty

 To run a build w/o invoking docker (not recommended!), use _do_release.sh_.

 Both scripts will query interactively for needed parameters and passphrases.
 For explanation of the parameters, execute:
  $ release-build.sh --help

 Before starting the RC build, run a reconciliation of what is in
 JIRA with what is in the commit log. Make sure they align and that
 anomalies are explained up in JIRA.

 See http://hbase.apache.org/book.html#maven.release
 (Even though the above documentation is for HBase, we use the same process for Phoenix.)

 Regardless of where your release build will run (locally, locally in docker, on a remote machine,
 etc) you will need a local gpg-agent with access to your secret keys. A quick way to tell gpg
 to clear out state and start a gpg-agent is via the following command phrase:

 $ gpgconf --kill all && gpg-connect-agent /bye

 Before starting an RC build, make sure your local gpg-agent has configs
 to properly handle your credentials, especially if you want to avoid
 typing the passphrase to your secret key.

 e.g. if you are going to run and step away, best to increase the TTL
 on caching the unlocked secret via ~/.gnupg/gpg-agent.conf
   # in seconds, e.g. a day
   default-cache-ttl 86400
   max-cache-ttl 86400

 Running a build on GCE is easy enough. Here are some notes if of use.
 Create an instance. 4CPU/15G/10G disk seems to work well enough.
 Once up, run the below to make your machine fit for RC building:

 Note that according to https://www.apache.org/legal/release-policy.html#owned-controlled-hardware
 Building an Apache release must be done on hardware owned and controlled by the committer.

 # Presuming debian-compatible OS, do these steps on the VM
 # your VM username should be your ASF id, because it will show up in build artifacts.
 # Follow the docker install guide: https://docs.docker.com/engine/install/debian/
 $ sudo apt-get install -y \
     apt-transport-https \
     ca-certificates \
     curl \
     gnupg2 \
     software-properties-common
 $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
 $ sudo add-apt-repository -y \
    "deb [arch=amd64] https://download.docker.com/linux/debian \
    $(lsb_release -cs) \
    stable"
 $ sudo apt-get update
 $ sudo apt-get install -y docker-ce docker-ce-cli containerd.io
 # Follow the post installation steps: https://docs.docker.com/engine/install/linux-postinstall/
 $ sudo usermod -aG docker $USER
 # LOGOUT and then LOGIN again so $USERID shows as part of docker group
 # Test here by running docker's hello world as your build user
 $ docker run hello-world

 # Follow the GPG guide for forwarding your gpg-agent from your local machine to the VM
 #   https://wiki.gnupg.org/AgentForwarding
 # On the VM find out the location of the gpg agent socket and extra socket
 $ gpgconf --list-dir agent-socket
 /run/user/1000/gnupg/S.gpg-agent
 $ gpgconf --list-dir agent-extra-socket
 /run/user/1000/gnupg/S.gpg-agent.extra
 # On the VM configure sshd to remove stale sockets
 $ sudo bash -c 'echo "StreamLocalBindUnlink yes" >> /etc/ssh/sshd_config'
 $ sudo systemctl restart ssh
 # logout of the VM

 # Do these steps on your local machine.
 # make sure gpg-agent is running
 $ gpg-connect-agent /bye
 # Export your public key and copy it to the VM.
 # Assuming 'example.gce.host' maps to your VM's external IP (or use the IP)
 $ gpg --export example@apache.org > ~/gpg.example.apache.pub
 $ scp ~/gpg.example.apache.pub example.gce.host:
 # ssh into the VM while forwarding the remote gpg socket locations found above to your local
 #   gpg-agent's extra socket (this will restrict what commands the remote node is allowed to have
 #   your agent handle. Note that the gpg guide above can help you set this up in your ssh config
 #   rather than typing it in ssh like this every time.
 # Note that as of maven-gpg-plugin 3.0.1, with gnupg >= 2.1, the plugin uses
 #   `--pinentry-mode error`, which is apparently not supported over the `extra` socket. These
 #   instructions may require tweaking.
 $ ssh -i ~/.ssh/my_id \
     -R "/run/user/1000/gnupg/S.gpg-agent:$(gpgconf --list-dir agent-extra-socket)" \
     -R "/run/user/1000/gnupg/S.gpg-agent.extra:$(gpgconf --list-dir agent-extra-socket)" \
     example.gce.host

 # now in an SSH session on the VM with the socket forwarding
 # import your public key and test signing with the forwarding to your local agent.
 $ gpg --no-autostart --import gpg.example.apache.pub
 $ echo "foo" > foo.txt
 $ gpg --no-autostart --detach --armor --sign foo.txt
 $ gpg --no-autostart --verify foo.txt.asc

 # install git and clone the main project on the build machine
 $ sudo apt-get install -y git
 $ git clone https://github.com/apache/phoenix.git
 # finally set up an output folder and launch a dry run.
 $ mkdir ~/build
 $ cd phoenix
 $ ./dev/create-release/do-release-docker.sh -d ~/build

 # for building the main repo specifically you can save an extra download by pointing the build
 # to the local clone you just made
 $ ./dev/create-release/do-release-docker.sh -d ~/build -r .git
	Entrance script is _do-release-docker.sh_. Requires a local docker;
	for example, on macOS, Docker for Desktop installed and running.

	For usage, pass '-h':

	$ ./do-release-docker.sh -h

	./do-release-docker.sh accepts the following options

	-d [path] required. working directory. output will be written to "output" in here.
	-f "force" -- actually publish this release. Unless you specify '-f', it will
	default to dry run mode, which checks and does local builds, but does not upload anything.
	-t [tag] tag for the phoenix-rm docker image to use for building (default: "latest").
	-j [path] path to local JDK installation to use building. By default the script will
	use openjdk8 installed in the docker image.
	-p [project] project to build, such as 'phoenix' or 'phoenix-connectors'; defaults to phoenix env var
	-r [repo] git repo to use for remote git operations. defaults to ASF gitbox for project.
	-s [step] runs a single step of the process; valid steps are: tag\|publish-dist\|publish-release.
	If none specified, runs tag, then publish-dist, and then publish-release.
	'publish-snapshot' is also an allowed, less used, option.
	-h display usage information
	-x debug. do less clean up. (env file, gpg forwarding on mac)

	For example, use the following command do a full dry run build of phoenix-thirdparty:

	./do-release-docker.sh -d /tmp/thirdparty-build -p phoenix-thirdparty

	To run a build w/o invoking docker (not recommended!), use _do_release.sh_.

	Both scripts will query interactively for needed parameters and passphrases.
	For explanation of the parameters, execute:
	$ release-build.sh --help

	Before starting the RC build, run a reconciliation of what is in
	JIRA with what is in the commit log. Make sure they align and that
	anomalies are explained up in JIRA.

	See http://hbase.apache.org/book.html#maven.release
	(Even though the above documentation is for HBase, we use the same process for Phoenix.)

	Regardless of where your release build will run (locally, locally in docker, on a remote machine,
	etc) you will need a local gpg-agent with access to your secret keys. A quick way to tell gpg
	to clear out state and start a gpg-agent is via the following command phrase:

	$ gpgconf --kill all && gpg-connect-agent /bye

	Before starting an RC build, make sure your local gpg-agent has configs
	to properly handle your credentials, especially if you want to avoid
	typing the passphrase to your secret key.

	e.g. if you are going to run and step away, best to increase the TTL
	on caching the unlocked secret via ~/.gnupg/gpg-agent.conf
	# in seconds, e.g. a day
	default-cache-ttl 86400
	max-cache-ttl 86400

	Running a build on GCE is easy enough. Here are some notes if of use.
	Create an instance. 4CPU/15G/10G disk seems to work well enough.
	Once up, run the below to make your machine fit for RC building:

	Note that according to https://www.apache.org/legal/release-policy.html#owned-controlled-hardware
	Building an Apache release must be done on hardware owned and controlled by the committer.

	# Presuming debian-compatible OS, do these steps on the VM
	# your VM username should be your ASF id, because it will show up in build artifacts.
	# Follow the docker install guide: https://docs.docker.com/engine/install/debian/
	$ sudo apt-get install -y \
	apt-transport-https \
	ca-certificates \
	curl \
	gnupg2 \
	software-properties-common
	$ curl -fsSL https://download.docker.com/linux/debian/gpg \| sudo apt-key add -
	$ sudo add-apt-repository -y \
	"deb [arch=amd64] https://download.docker.com/linux/debian \
	$(lsb_release -cs) \
	stable"
	$ sudo apt-get update
	$ sudo apt-get install -y docker-ce docker-ce-cli containerd.io
	# Follow the post installation steps: https://docs.docker.com/engine/install/linux-postinstall/
	$ sudo usermod -aG docker $USER
	# LOGOUT and then LOGIN again so $USERID shows as part of docker group
	# Test here by running docker's hello world as your build user
	$ docker run hello-world

	# Follow the GPG guide for forwarding your gpg-agent from your local machine to the VM
	# https://wiki.gnupg.org/AgentForwarding
	# On the VM find out the location of the gpg agent socket and extra socket
	$ gpgconf --list-dir agent-socket
	/run/user/1000/gnupg/S.gpg-agent
	$ gpgconf --list-dir agent-extra-socket
	/run/user/1000/gnupg/S.gpg-agent.extra
	# On the VM configure sshd to remove stale sockets
	$ sudo bash -c 'echo "StreamLocalBindUnlink yes" >> /etc/ssh/sshd_config'
	$ sudo systemctl restart ssh
	# logout of the VM

	# Do these steps on your local machine.
	# make sure gpg-agent is running
	$ gpg-connect-agent /bye
	# Export your public key and copy it to the VM.
	# Assuming 'example.gce.host' maps to your VM's external IP (or use the IP)
	$ gpg --export example@apache.org > ~/gpg.example.apache.pub
	$ scp ~/gpg.example.apache.pub example.gce.host:
	# ssh into the VM while forwarding the remote gpg socket locations found above to your local
	# gpg-agent's extra socket (this will restrict what commands the remote node is allowed to have
	# your agent handle. Note that the gpg guide above can help you set this up in your ssh config
	# rather than typing it in ssh like this every time.
	# Note that as of maven-gpg-plugin 3.0.1, with gnupg >= 2.1, the plugin uses
	# `--pinentry-mode error`, which is apparently not supported over the `extra` socket. These
	# instructions may require tweaking.
	$ ssh -i ~/.ssh/my_id \
	-R "/run/user/1000/gnupg/S.gpg-agent:$(gpgconf --list-dir agent-extra-socket)" \
	-R "/run/user/1000/gnupg/S.gpg-agent.extra:$(gpgconf --list-dir agent-extra-socket)" \
	example.gce.host

	# now in an SSH session on the VM with the socket forwarding
	# import your public key and test signing with the forwarding to your local agent.
	$ gpg --no-autostart --import gpg.example.apache.pub
	$ echo "foo" > foo.txt
	$ gpg --no-autostart --detach --armor --sign foo.txt
	$ gpg --no-autostart --verify foo.txt.asc

	# install git and clone the main project on the build machine
	$ sudo apt-get install -y git
	$ git clone https://github.com/apache/phoenix.git
	# finally set up an output folder and launch a dry run.
	$ mkdir ~/build
	$ cd phoenix
	$ ./dev/create-release/do-release-docker.sh -d ~/build

	# for building the main repo specifically you can save an extra download by pointing the build
	# to the local clone you just made
	$ ./dev/create-release/do-release-docker.sh -d ~/build -r .git