实操经验 | Apache 基金会顶级项目版本管理和发布流程

本文主要是介绍实操经验 | Apache 基金会顶级项目版本管理和发布流程，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

前言

前段时间，Apache SeaTunnel经过几个月的迭代和架构升级，终于迎来第一个正式2.3.0版本，我也有幸作为本次的Release Manager，体验了一把从0到1的Apache发版流程，不得不说Apache基金会在项目的版本管理这块有着完善的规范和严谨的流程，整个发版过程周期很长，其中也踩了不少的坑，俗话说好记性不如烂笔头，所以笔者写了一篇文章来记录整个过程（以Apache SeaTunnel为例），希望这篇文章能够让小白快速入门Apache项目版本管理和发布。

Tips: Release Manager需要有Apache LDAP账号，也就意味着你需要首先成为项目的Committer才有资格

环境准备

GIT

用于clone项目源代码到本地

GPG

用于生成数字签名，为你的每一次操作留下痕迹

SHASUM

用于为文件生成签名

SVN

用于拉取Apache Release SVN仓库

MAVEN

用于编译项目

物料准备

配置GPG KEY

新建key

gpg --gen-key

gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.gpg: 已创建目录‘/home/hadoop/.gnupg’
gpg: 新的配置文件‘/home/hadoop/.gnupg/gpg.conf’已建立
gpg: 警告：在‘/home/hadoop/.gnupg/gpg.conf’里的选项于此次运行期间未被使用
gpg: 钥匙环‘/home/hadoop/.gnupg/secring.gpg’已建立
gpg: 钥匙环‘/home/hadoop/.gnupg/pubring.gpg’已建立
请选择您要使用的密钥种类：(1) RSA and RSA (default)(2) DSA and Elgamal(3) DSA (仅用于签名)(4) RSA (仅用于签名)
您的选择？ 1
RSA 密钥长度应在 1024 位与 4096 位之间。
您想要用多大的密钥尺寸？(2048)4096
您所要求的密钥尺寸是 4096 位
请设定这把密钥的有效期限。0 = 密钥永不过期<n>  = 密钥在 n 天后过期<n>w = 密钥在 n 周后过期<n>m = 密钥在 n 月后过期<n>y = 密钥在 n 年后过期
密钥的有效期限是？(0) 0
密钥永远不会过期
以上正确吗？(y/n)y

如上所示，选择项分别为：

1
4096
0
y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"真实姓名：tyrantlucifer
电子邮件地址：tyrantlucifer@apache.org
注释：The key of Apache SeaTunnel
您选定了这个用户标识：“tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>”更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)？o
您需要一个密码来保护您的私钥。

如上所示，你需要为这个key指定个人信息以及加密密码，需要填写

姓名
邮箱（Apache邮箱）
key注释
密码（很重要，不要忘记，要记住哟）

file

我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的)，这会让随机数字发生器有更好的机会获得足够的熵数。
我们需要生成大量的随机字节。这个时候您可以多做些琐事(像是敲打键盘、移动
鼠标、读写硬盘之类的)，这会让随机数字发生器有更好的机会获得足够的熵数。
gpg: 密钥 0983DF85 被标记为绝对信任
公钥和私钥已经生成并经签名。gpg: 正在检查信任度数据库
gpg: 需要 3 份勉强信任和 1 份完全信任，PGP 信任模型
gpg: 深度：0 有效性：  1 已签名：  0 信任度：0-，0q，0n，0m，0f，1u
pub   4096R/0983DF85 2022-12-28
密钥指纹 = AE63 FC40 ECCD 600D 724B  5625 05FD AE73 0983 DF85
uid                  tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>
sub   4096R/B7023D46 2022-12-28

验证key

gpg --list-keys

/home/hadoop/.gnupg/pubring.gpg
-------------------------------
pub   4096R/0983DF85 2022-12-28
uid                  tyrantlucifer (The key of Apache SeaTunnel) <tyrantlucifer@apache.org>
sub   4096R/B7023D46 2022-12-28

Tips: 0983DF85就是你的公钥缩写

上传key到公共服务器

gpg --keyserver keyserver.ubuntu.com --send-key 0983DF85

验证key是否正常上传

命令行验证

gpg --keyserver keyserver.ubuntu.com --search-keys 0983DF85

网站验证

OpenPGP Keyserver (ubuntu.com)

file

Tips: 该截图是我之前已经上传好的key，和上一步骤生成的key不一致是正常的

配置maven

创建主密码

mvn --encrypt-master-password <apache password>

新建文件`~/.m2/settings-security.xml`

<settingsSecurity><master><!-- 这里填入上一步输出的密码 --></master>
</settingsSecurity>

加密Apache LDAP 密码

mvn --encrypt-password <apache password>

新增配置

编辑你本地maven环境的配置文件，一般路径为~/.m2/setting.xml，添加

<settings><servers><server><id>apache.snapshots.https</id><username> <!-- APACHE LDAP USERNAME --> </username><password> <!-- APACHE LDAP ENCRYPTED PASSWORD，上一步加密的密码 --> </password></server><server><id>apache.releases.https</id><username> <!-- APACHE LDAP USERNAME --> </username><password> <!-- APACHE LDAP ENCRYPTED PASSWORD，上一步加密的密码 --> </password></server><server><id>gpg.passphrase</id><passphrase><!-- GPG KEY PASSWORD --></passphrase></server></servers>
</settings>

项目版本准备

分支准备

mkdir -p ~/seatunnel-release-prepare
cd ~/seatunnel-release-prepare
git clone git@github.com:apache/seatunnel.git
cd seatunnel
git checkout -b ${RELEASE.VERSION}-release

更新release-note

vim release-note.md
git add release-note.md
git commit -m "[Release][${RELEASE.VERSION}][release-note] Add release-note"
git push

预编译测试

mvn release:prepare -Prelease -Darguments="-DskipTests" -DdryRun=true -Dusername=${GITHUB USERNAME}

编译

mvn release:clean
mvn release:prepare -Prelease -Darguments="-DskipTests" -DpushChanges=false -Dusername=${GITHUB USERNAME}

提交代码

git push
git push origin --tags

部署jar包

上传jar包

mvn release:perform -Prelease -Darguments="-DskipTests" -Dusername=${GITHUB USERNAME}

关闭stage仓库

https://repository.apache.org/#stagingRepositories

file

上传SVN

拉取release和dev仓库到本地

mkdir -p ~/seatunnel-release-prepare/dev
mkdir -p ~/seatunnel-release-prepare/release
cd ~/seatunnel-release-prepare/dev
svn --username=${APACHE LDAP username} co https://dist.apache.org/repos/dist/dev/seatunnel
cd ~/seatunnel-release-prepare/release
svn --username=${APACHE LDAP username} co https://dist.apache.org/repos/dist/release/seatunnel

上传key到dev和release仓库

Tips: 只有第一次发版的Release Manager才需要做这一步

cd ~/seatunnel-release-prepare/dev/seatunnel
gpg -a --export ${GPG USERNAME} >> KEYS
svn add KEYS
svn --username=${APACHE LDAP USERNAME} commit -m "Add ${APACHE LDAP USERNAME} GPG key"

cd ~/seatunnel-release-prepare/release/seatunnel
gpg -a --export ${GPG USERNAME} >> KEYS
svn add KEYS
svn --username=${APACHE LDAP USERNAME} commit -m "Add ${APACHE LDAP USERNAME} GPG key"

上传源码包和二进制包到dev仓库

复制源码包和二进制包

 mkdir -p ~/seatunnel-release-prepare/dev/${RELEASE.VERSION}cp -f ~/seatunnel-release-prepare/seatunnel/seatunnel-dist/target/*.tar.gz ~/seatunnel-release-prepare/dev/${RELEASE.VERSION}cd ~/seatunnel-release-prepare/dev/${RELEASE.VERSION}

生成签名

 shasum -a 512 apache-seatunnel-${RELEASE.VERSION}-src.tar.gz >> apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.sha512shasum -b -a 512 apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz >> apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz.sha512

生成GPG签名

 gpg --armor --detach-sig apache-seatunnel-${RELEASE.VERSION}-src.tar.gzgpg --armor --detach-sig apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz

检查文件签名

 shasum -c apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.sha512shasum -c apache-seatunnel-${RELEASE.VERSION}-bin.tar.gz.sha512

检查数字签名

导入(Release Manager不需要做这一步)

curl https://dist.apache.org/repos/dist/dev/seatunnel/KEYS >> KEYS
gpg --import KEYS
gpg --edit-key "${GPG username of releaser}"> trustPlease decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)1 = I don't know or won't say2 = I do NOT trust3 = I trust marginally4 = I trust fully5 = I trust ultimatelym = back to the main menuYour decision? 5> save

检查gpg数字签名

gpg --verify apache-seatunnel-${RELEASE.VERSION}-src.tar.gz.asc apache-seatunnel-${RELEASE.VERSION}-src.tar.gz
gpg --verify apache-seatunnel-${RELEASE.VERSION}-seatunnel-bin.tar.gz.asc apache-seatunnel-${RELEASE.VERSION}-seatunnel-bin.tar.gz

提交所有文件至dev仓库

 svn add *svn --username=${APACHE LDAP USERNAME} commit -m "release ${RELEASE.VERSION}"

邮件发起投票

dev@seatunnel.apache.org投票

发起投票

[VOTE] Release Apache SeaTunnel 2.3.0Hello SeaTunnel Community,This is a call for vote to release Apache SeaTunnel () version 2.3.0Release notes:
https://github.com/apache/seatunnel/blob/2.3.0/release-note.mdThe release candidates:
https://dist.apache.org/repos/dist/dev/seatunnel/2.3.0 Git tag for the release:
https://github.com/apache/seatunnel/tree/2.3.0Maven 2 staging repository:
https://repository.apache.org/content/repositories/orgapacheseatunnel-1015/org/apache/seatunnel/Release Commit ID:
https://github.com/apache/seatunnel/commit/d7280abbe9e72262640836182a7f090a5706988aKeys to verify the Release Candidate: 
https://downloads.apache.org/seatunnel/KEYSThe vote will be open for at least 72 hours or until necessary numbers of votes are reached.Please vote accordingly:[ ] +1 approve[ ] +0 no opinion[ ] -1 disapprove with the reasonChecklist for reference:[ ] Download links are valid.[ ] Checksums and PGP signatures are valid.[ ] Source code artifacts have correct names matching the current release.[ ] LICENSE and NOTICE files are correct for each SeaTunnel repo.[ ] All files have license headers if necessary.[ ] No compiled archives bundled in source archive.More detail checklist please refer:
https://cwiki.apache.org/confluence/display/Release+Checklist--Best Regards
Chao Tian

关闭投票

[VOTE] Release Apache SeaTunnel() 2.3.0Hi SeaTunnel Community,Thanks, everyone, I will close this vote thread and the results will be tallied.Best wishes!
Chao Tian

归票

[RESULT] [VOTE] Release Apache SeaTunnel() 2.3.0Hi SeaTunnel community,This vote now closes since 72 hours have passed.The vote PASSES with3 (+1 binding) votes from the IPMC,
David,
Guo Wei,
Calvin Kirs  6 (+1 non-binding) votes from the developer from the communityJun Gao, 
TaoZex, 
hailin0,
Peng Yuan,
Zongwen Li,
Guangdong Liu
and no further 0 or -1 votes.The vote thread: https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9g Thanks for your participation, I will now bring the vote to
[general@apache.org](mailto:general@apache.org) <mailto:
[general@apache.org](mailto:general@apache.org)> to get
approval by the IPMC.
If this vote passes also, the release is accepted and will be published.Best wishes,
Chao Tian

general@apache.org投票

发起投票

[VOTE] Release Apache SeaTunnel() 2.3.0Hello IPMC, This is an official vote for the Apache
SeaTunnel() 2.3.0  that we have been working toward.To learn more about Apache SeaTunnel(), please see:https://seatunnel.apache.orgThe Apache SeaTunnel () community has voted and approved the release.Vote thread:https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9gResult thread:https://lists.apache.org/thread/6c0463dsoh8r0gmvqo67lttgy4o40xstRelease changes:https://github.com/apache/seatunnel/blob/2.3.0/release-note.mdThe release candidates:https://dist.apache.org/repos/dist/dev/seatunnel/2.3.0Maven 2 staging repository:https://repository.apache.org/content/repositories/orgapacheseatunnel-1015/org/apache/seatunnel/Git tag for the release:https://github.com/apache/seatunnel/tree/2.3.0Release Commit ID:https://github.com/apache/seatunnel/commit/d7280abbe9e72262640836182a7f090a5706988aKeys to verify the Release Candidate:https://downloads.apache.org/seatunnel/KEYSGPG user ID:tyrantluciferThe vote will be open for at least 72 hours or until necessary numbers
of votes are reached.Please vote accordingly:[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove with the reasonChecklist for reference:[ ] Download links are valid.
[ ] Checksums and PGP signatures are valid.
[ ] DISCLAIMER is included.
[ ] Source code artifacts have correct names matching the current release.
[ ] LICENSE and NOTICE files are correct for each SeaTunnel repo.
[ ] All files have license headers if necessary.
[ ] No compiled archives bundled in source archive.More detail checklist please refer:
https://cwiki.apache.org/confluence/display/Release+ChecklistThe following votes are carried over from the SeaTunnel dev mailing list:+1(binding)
David,
William-Guowei,
Calvin KirsBest Regards,
Chao Tian

关闭投票

[VOTE] Release Apache SeaTunnel() 2.3.0Hi IPMC,Thanks, everyone, I will close this vote thread and the results will be tallied.Best wishes!
Chao Tian

归票

[RESULT] [VOTE] Release Apache SeaTunnel() 2.3.0Hi SeaTunnel community,This vote now closes since 72 hours have passed.The vote PASSES with3 (+1 binding) votes from the IPMC,
David,
Guo Wei,
Calvin Kirs  6 (+1 non-binding) votes from the developer from the communityJun Gao, 
TaoZex, 
hailin0,
Peng Yuan,
Zongwen Li,
Guangdong Liu
and no further 0 or -1 votes.The vote thread: https://lists.apache.org/thread/98oc6q6vghlg8qpfyf5yttzy925tfp9g Thanks for your participation, I will now bring the vote to
[general@apache.org](mailto:general@apache.org) <mailto:
approval by the IPMC.
If this vote passes also, the release is accepted and will be published.Best wishes,
Chao Tian

正式发版

从dev仓库移动文件至release仓库

svn mv https://dist.apache.org/repos/dist/dev/seatunnel/${RELEASE.VERSION} https://dist.apache.org/repos/dist/release/seatunnel/

发布maven仓库

file

发送通知邮件

dev@seatunnel.apache.org

Hi all,We are glad to announce the release of Apache SeaTunnel() ${RELEASE.VERSION}.Once again I would like to express my thanks to your help.SeaTunnel: SeaTunnel() is a distributed, high-performance data integration platform for the synchronization and transformation of massive
data (offline & real-time).Apache SeaTunnel() website: http://seatunnel.apache.org/Downloads: https://seatunnel.apache.org/download/Release Notes:https://github.com/apache/seatunnel/blob/${RELEASE.VERSION}/release-note.mdDocuments: https://seatunnel.apache.org/docs/${RELEASE.VERSION}/intro/aboutTwitter: https://twitter.com/ASFSeaTunnelSeaTunnel() Resources:
- GitHub: https://github.com/apache/seatunnel
- Issue: https://github.com/apache/seatunnel/issues
- Mailing list: dev@seatunnel.apache.org- Apache SeaTunnel() Team

总结

作为一名Apache Release Manager需要做的前期准备工作有很多且很繁琐，需要更多的耐心和细心，由于所有的仓库都在国外，任何一个步骤都会可能因为网络延迟而失败，但不要因此气馁，唯有不断的尝试才能走向最终的胜利，希望本篇文章能够帮助到初次发版的Release Manager，让大家少走弯路。