changeset 7529:05448536f154
Update for release.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 11 Jul 2023 00:38:22 -0400 |
| parents | b8f012c7c5a7 |
| children | ed2bc951277b |
| files | RELEASE.txt |
| diffstat | 1 files changed, 43 insertions(+), 31 deletions(-) |
--- a/RELEASE.txt Mon Jul 10 01:19:38 2023 -0400 +++ b/RELEASE.txt Tue Jul 11 00:38:22 2023 -0400 @@ -33,8 +33,10 @@ CHANGES.txt (set date for version as well) roundup/__init__.py website/www/index.txt (current stable version, release highlights) - website/www/conf.py (update copyright, version from __init__.py) - scripts/Docker/Docker update value of org.opencontainers.image.version + website/www/conf.py (update copyright, version auto-set from + roundup/__init__.py) + scripts/Docker/Dockerfile update value of + org.opencontainers.image.version 3a. Update license end date in COPYING.txt 3b. Update doc/acknowledgements.txt (add section for release, churn contributers etc.). (Use hg churn -c -r ####..####) @@ -128,6 +130,26 @@ with all available Python versions. 11a. (TBD how to test wheel binary distribution before uploading.) +11b. Generate GPG signature file + + cd dist + gpg --detach-sign --armor -u 1F2DD0CB756A76D8 <filename>.tar.gz + + you should be prompted to use the roundup release key. If not you + can add --local=roundup-devel@lists.sourceforge.net. + This will create a file by the name <filename>.tar.gz.asc. + + Move file to website/www/signature directory + + mv <filename>.tar.gz.asc ../webite/www/signature/. + hg add ../website/www/signature/<filename>.tar.gz.asc + # commiting the file will be done in step 12 + cd .. + + Add a link to the signature to doc/security.txt. Add a new link + to the start of the signature list in doc/security.txt (look for + the word multicol). + 12. Assuming all is well commit and tag the release in the version-control system. a) hg commit ... # commit any edits from steps 1-5 
@@ -137,32 +159,11 @@ 13. Upload source distribution to PyPI - requires you sign up for a pypi account and be added as a maintainer to roundup. Ask existing - maintainer for access. You can do this two ways: - - python3 setup.py sdist upload --repository pypi - - which rebuilds the source distribution tarball and uploads it. - This means that you have uploaded something that is not tested, - also it does not have a gpg signature. It should be the same as - the tarball you tested but.... + maintainer for access. Do this using twine (pip install twine). - A better way to do this is to use twine (pip install twine). - You need to sign the tarball. This can be done with: - - cd dist - gpg --detach-sign --armor -u 1F2DD0CB756A76D8 <filename>.tgz - - you should be prompted to use the roundup release key. If not you - can add --local=roundup-devel@lists.sourceforge.net. - This will create a file by the name <filename>.tgz.asc. The original directions used twine to upload the tarball and the signature, but as of May 2023, PyPI no longer accepts signature - files. - - So we publish the signature as part of the website. Move the file - to the website/www/signatures directory. Commit the .asc signature - file to mercurial. Add a new list item at the start of the - signature list in doc/security.txt (look for the word multicol). + files. So we publish the signature as part of the website. Use twine to upload the distribution tarball. E.G. @@ -178,6 +179,15 @@ the gpg asc files and place the .whl.asc in the signature directory. + Another way to upload is to use: + + python3 setup.py sdist upload --repository pypi + + BUT this rebuilds the source distribution tarball and uploads it. + This means that you have uploaded something that is not tested. + Also the metadata in the file changes and will not match the GPG + signature you commited in step 12. So use twine. + 14. Refresh website. website/README.txt https://www.roundup-tracker.org/ should state that the stable 
@@ -205,9 +215,10 @@ 17a. install docker 17b. run: (issues, how to release a version e.g. to update alpine for security issues. Currently thinking that release tag is - rounduptracker/roundup:2.2.0-1, -2 etc? Then add a tag + rounduptracker/roundup:2.2.0-1, -2 etc. Then add a tag rounduptracker/roundup:2.2.0 that moves to always tag - the latest -N release??) + the latest -N release. Also roundup:latest points to the + newest -N for the newest roundup version.) docker build -t rounduptracker/roundup:2.2.0 \ --build-arg="source=pypi" -f scripts/Docker/Dockerfile . @@ -303,13 +314,14 @@ > save [ saves both keys, will need the private key and passphrase ] -EXPORT NEW KEY -============== +EXPORT NEW PUBLIC KEY +===================== $ gpg --export -a roundup-devel@lists.sourceforge.net >> \ tools/roundup.public.pgp.key -then edit roundup.public.pgp.key keeping only the last key stat starts +then edit roundup.public.pgp.key keeping only the last key that starts with: -----BEGIN PGP PUBLIC KEY BLOCK----- -Commmit new key to mercurial. +and add back the preamble that describes where to find doc for +it. Commmit new key to mercurial.
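Review bot: In the step 11b hunk (@@ -128,6 +130,26 @@), the mv target is misspelled as "../webite/www/signature/." while the hg add on the next line uses "../website/www/signature/", so following the steps literally either fails at the mv or leaves hg add pointing at a file that is not there. Change the mv path to "../website/www/signature/.". Since this .asc file is what users will rely on once it is published on the website, the step would also benefit from verifying it against the tarball before it is moved, for example "gpg --verify <filename>.tar.gz.asc <filename>.tar.gz". Minor: "commiting" should be "committing".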
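Review bot: The text added at @@ -178,6 +179,15 @@ presents "python3 setup.py sdist upload --repository pypi" as "Another way to upload" and only afterwards says not to use it; a release manager skimming step 13 can run the command before reading the caveat and publish a tarball that was neither tested nor covered by the signature made in step 11b. Lead with the prohibition (for example "Do not upload with:") or drop the command and keep only the explanation of why twine is required. The caveat says the signature was "commited in step 12"; it is generated in step 11b and committed in step 12, so naming both steps would be more precise, and "commited" should be "committed".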
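Review bot: In the step 17b hunk (@@ -205,9 +215,10 @@), the question marks are removed from the tagging scheme but the parenthetical still opens with "issues, how to release a version" and "Currently thinking that", so it is unclear whether the -N, moving 2.2.0 and latest scheme is now decided policy or still a proposal. If it is decided, reword the paragraph as procedure and list the tag commands for each tag that has to move; if not, keep it marked as open. Because the stated reason for a -N rebuild is updating alpine for security issues, it is worth saying explicitly that rounduptracker/roundup:2.2.0 and roundup:latest are moving tags and that only the -N tags identify a fixed image.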
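Review bot: In the EXPORT NEW PUBLIC KEY hunk (@@ -303,13 +314,14 @@), the procedure appends with ">>" to tools/roundup.public.pgp.key and then relies on a hand edit that keeps only the last key block and restores the preamble, which leaves room to commit a file that still contains the old key or has lost the preamble. Consider exporting to a temporary file and replacing only the key block below the preamble, and add a check of the result before the commit (for example listing the key in the file with "gpg --show-keys tools/roundup.public.pgp.key"). The follow-up sentence names roundup.public.pgp.key without the tools/ prefix used in the command, and "Commmit" in the added line should be "Commit".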
