This guide explains the proper path to implementing Apache Trusted Releases (ATR) automation and how to test the workflow.
Based on Apache developer feedback:
“Once you have achieved automated release signing, then you could test ATR automation.”
Step 1: Implement Automated Release Signing ↓ Step 2: Onboard to ATR ↓ Step 3: Test ATR Automation ↓ Step 4: Use in Production
Your project must meet these three conditions:
✅ Reproducible builds: All artifacts can be built reproducibly
build.gradle.kts:252, DOCKER_PUBLISHING.md:19⚠️ Staging validation: CI deploys artifacts to a staging environment
❌ Trusted hardware verification: Artifacts reproduced on trusted hardware before publication
| Requirement | Status | Action Needed |
|---|---|---|
| Reproducible builds | ✅ READY | None - Jib provides this |
| Staging validation | ⚠️ PARTIAL | Add explicit staging step |
| Trusted hardware verification | ❌ MISSING | Add manual PMC approval gate |
| ASF signing key | ❌ NOT REQUESTED | File INFRA JIRA ticket |
| ATR onboarding | ❌ BLOCKED | Wait for signing to be ready |
| ATR testing | ❌ BLOCKED | Wait for onboarding |
Purpose: Validate workflow logic without touching ATR platform.
How to run:
release_version: 0.0.1-testrelease_candidate: rc1dry_run: ✅ true (default)What it tests:
Expected result: Green checkmark, no errors, artifacts available for download.
Purpose: Verify you can reach the ATR platform.
Included in: The validate-atr job runs automatically in every test workflow execution.
What it tests:
Check results: Look at the workflow summary for connectivity status.
Purpose: Test artifact creation locally before any GitHub Actions.
# 1. Create a test tag git tag v0.0.1-test-rc1 -m "Test release" # 2. Build the project ./gradlew clean build test # 3. Create distribution artifacts mkdir -p build/distributions # Create source tarball tar czf build/distributions/solr-mcp-0.0.1-test-rc1-src.tar.gz \ --exclude='.git' \ --exclude='build' \ --exclude='.gradle' \ --exclude='*.iml' \ --exclude='.idea' \ . # Generate checksums cd build/distributions sha512sum solr-mcp-0.0.1-test-rc1-src.tar.gz > solr-mcp-0.0.1-test-rc1-src.tar.gz.sha512 sha256sum solr-mcp-0.0.1-test-rc1-src.tar.gz > solr-mcp-0.0.1-test-rc1-src.tar.gz.sha256 # 4. Verify artifacts ls -lh build/distributions/ sha512sum -c solr-mcp-0.0.1-test-rc1-src.tar.gz.sha512
Expected result: All artifacts created successfully, checksums verify.
Purpose: Test GitHub Actions syntax and job dependencies.
# Install act (https://github.com/nektos/act) to run workflows locally brew install act # macOS # or: curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash # Run workflow locally (requires Docker) act workflow_dispatch \ -W .github/workflows/atr-release-test.yml \ -j compose-release \ --input release_version=0.0.1-test \ --input release_candidate=rc1 \ --input dry_run=true
Note: act may not perfectly replicate GitHub's environment, but catches basic errors.
Prerequisites:
ASF_USERNAME secret configured in GitHubHow to run:
Test artifact upload:
Run workflow: ATR Release Process (TEST) - release_version: 0.0.1-test - release_candidate: rc1 - dry_run: false ⚠️ Set to FALSE - skip_vote: false
Verify upload on ATR:
Test vote resolution (skip upload):
Run workflow: ATR Release Process (TEST) - release_version: 0.0.1-test - release_candidate: rc1 - dry_run: false - skip_compose: true ⚠️ Skip artifact creation - skip_vote: true ⚠️ Go straight to finish
Check ATR platform:
asf-uid not foundCause: ASF_USERNAME secret not configured or empty.
Fix:
ASF_USERNAME = your ASF IDCause: Either ATR platform is down, or project not onboarded.
Fix:
validate-atr job output for connectivity detailsCause: Repository settings don't allow OIDC token creation.
Fix:
id-token: write permission (already configured)Cause: Actions repository not accessible or branch reference incorrect.
Fix:
@main (ATR docs say not to tag versions)Before attempting a real release with ATR:
release-publish.yml workflow still works for Docker/MCPEach job writes a summary visible at the top of the job output:
Download test artifacts to verify locally:
# After workflow completes gh run list --workflow=atr-release-test.yml gh run view <RUN_ID> gh run download <RUN_ID> # Verify downloaded artifacts cd test-release-artifacts-0.0.1-test-rc1/ sha512sum -c *.sha512
| Feature | Test Workflow | Real Workflow |
|---|---|---|
| File | atr-release-test.yml | atr-release.yml |
| Default Mode | Dry run | Live |
| Creates Tags | Yes (automatically) | No (must exist) |
| Uploads to ATR | Optional | Always (if secrets present) |
| Sends Emails | Never | Yes (after vote) |
| Docker Publish | No | Yes (after vote) |
| MCP Registry | No | Yes (after vote) |
| Artifact Retention | 7 days | 30 days |
| Use Case | Testing & validation | Production releases |
Update .github/workflows/release-publish.yml to add a manual verification gate:
jobs: # NEW: Add this job before publish-docker manual-verification: name: Manual Build Verification Required runs-on: ubuntu-latest needs: validate-release steps: - name: Request PMC verification uses: trstringer/manual-approval@v1 with: approvers: apache-pmc-members # Replace with actual PMC GitHub team minimum-approvals: 1 issue-title: "Verify reproducible build for ${{ inputs.release_version }}" issue-body: | ## PMC Verification Required Before proceeding with release ${{ inputs.release_version }}, a PMC member must: ### Verification Steps: 1. Check out tag: `v${{ inputs.release_version }}-${{ inputs.release_candidate }}` 2. Run build: `./gradlew clean build` 3. Compare checksums with CI artifacts: - Download CI artifacts from this workflow run - Compare local vs CI checksums: `sha512sum -c *.sha512` 4. If checksums match, approve this issue ### Checksums to verify: - Source tarball SHA512 - JAR SHA512 Approve this issue to continue the release. publish-docker: needs: manual-verification # Add this dependency # ... rest of job
File a JIRA ticket with ASF INFRA:
Project: INFRA Summary: Request automated signing key for Apache Solr MCP Description: Apache Solr MCP project requests a signing key for automated release signing. Project: Apache Solr MCP Repository: https://github.com/apache/solr-mcp PMC: Apache Solr PMC We meet the requirements: 1. Reproducible builds: Yes (using Jib) 2. Staging validation: Yes (GitHub Actions with artifact uploads) 3. Trusted hardware verification: Yes (manual PMC approval gate) Please provision: - 4096-bit RSA signing key - Encrypted revocation certificate in private repo - Add public key to project KEYS file Contact: [Your ASF email]
INFRA will provide instructions, but typically:
# In release-publish.yml, after build step: - name: Sign artifacts with ASF infrastructure env: ASF_SIGNING_KEY: ${{ secrets.ASF_SIGNING_KEY }} # Provided by INFRA run: | # Import signing key (INFRA will provide exact commands) echo "$ASF_SIGNING_KEY" | gpg --import # Sign all artifacts cd build/distributions for file in *.tar.gz *.jar; do gpg --armor --detach-sign "$file" done # Verify signatures for file in *.asc; do gpg --verify "$file" done
Once automated signing is working:
# Development discussions echo "subscribe" | mail dev-subscribe@tooling.apache.org # User support echo "subscribe" | mail users-subscribe@tooling.apache.org
Send email to dev@tooling.apache.org:
Subject: Request ATR onboarding for Apache Solr MCP Hello ATR team, Apache Solr MCP would like to join the ATR Alpha program. Project Details: - Name: Apache Solr MCP - Repository: https://github.com/apache/solr-mcp - PMC: Apache Solr - Release Manager: [Your name/ASF ID] Automated Signing Status: - Reproducible builds: ✅ Implemented (Jib) - Staging validation: ✅ Implemented (GitHub Actions) - Trusted hardware verification: ✅ Implemented (manual PMC gate) - ASF signing key: ✅ Provisioned by INFRA (ticket: INFRA-XXXXX) We are ready to test ATR automation. Thanks, [Your name]
After onboarding approval, add:
Repository Settings → Secrets → Actions: ASF_USERNAME=your-asf-id
ATR is designed for fully automated releases. Without automated signing:
By implementing signing first:
Until automated signing + ATR are ready, continue using:
.github/workflows/release-publish.yml
This workflow:
atr-release-test.yml)If you encounter issues not covered here: