These steps need to be performed once by each person doing releases.
Conscrypt is built on Linux, Mac, and Windows, so ensure you have access to machines running all three. The 1.0.0 release was made with the following configuration:
The following software is necessary and may not be installed by default:
If you haven't deployed artifacts to Maven Central before, you need to setup your OSSRH (OSS Repository Hosting) account and signing keys.
gpg --keyserver pgp.mit.edu --send-key <key ID>
).Contact an existing Conscrypt maintainer to get the keystore containing the code signing certificate.
Add your OSSRH credentials, GPG key information, and the code signing keystore details to $HOME/.gradle/gradle.properties
.
signing.keyId=<8-character-public-key-id> signing.password=<key-password> signing.secretKeyRingFile=<your-home-directory>/.gnupg/secring.gpg signingKeystore=<path-to-keystore> signingPassword=<keystore-password> ossrhUsername=<ossrh-username> ossrhPassword=<ossrh-password> checkstyle.ignoreFailures=false
These steps need to be performed once per X.Y
release series.
We use a branch named <major>.<minor>.x
for all releases in a series.
Create the branch and push it to GitHub:
$ git checkout -b 1.0.x master $ git push upstream 1.0.x
In the GitHub UI, go to Settings -> Branches and mark the new branch as protected, with administrators included and restrict pushes to administrators.
Update the master branch's version to the next minor snapshot.
$ git checkout -b bump-version master # Change version in build.gradle to X.Y+1-SNAPSHOT $ git commit -a -m 'Start X.Y+1 development cycle' # Push to GitHub and get reviewed like normal
Cherry-pick any desired master changes since the branch was created.
$ git checkout 1.0.x $ git cherry-pick <revision>
# Change version in build.gradle to this version's number $ git commit -a -m 'Preparing version 1.0.0' $ git tag -a 1.0.0 -m 'Version 1.0.0'
Push both the branch and the new tag to GitHub.
$ git push upstream 1.0.x $ git push upstream 1.0.0
The deployment for Linux uses Docker running CentOS 6.6 in order to ensure that we have a consistent deployment environment on Linux.
From the conscrypt source directory:
$ docker build -t conscrypt-deploy release
Start a Docker container that has the deploy environment set up for you. The Conscrypt source is cloned into /conscrypt
.
$ docker run -it --rm=true conscrypt-deploy
Note that the container will be deleted after you exit. Any changes you have made (e.g., copied configuration files) will be lost. If you want to keep the container, remove --rm=true
from the command line.
Copy your OSSRH credentials and GnuPG keys to your docker container. In Docker:
# mkdir /root/.gradle
Find the container ID in your bash prompt, which is shown as [root@<container-ID> ...]
. In host:
$ docker cp ~/.gnupg <container-ID>:/root/ $ docker cp ~/.gradle/gradle.properties <container-ID>:/root/.gradle/ $ docker cp <path to cert keystore> <container-ID>:/root/certkeystore
You'll also need to update signing.secretKeyRingFile
and signingKeystore
in /root/.gradle/gradle.properties
to point to /root/.gnupg/secring.gpg
and /root/certkeystore
, respectively.
Create the initial build
$ git checkout 1.0.x $ ./gradlew conscrypt-openjdk:build $ ./gradlew -Dorg.gradle.parallel=false publish
Note the BoringSSL commit used for this build.
$ cd /usr/src/boringssl $ git log -n 1
Go to the OSSRH UI and note the ID of the new staging repository. It should be in the form of orgconscrypt-NNNN
.
See BUILDING for instructions for setting up the build environment.
$ git checkout <revision> $ cd build64 $ ninja
$ gradlew conscrypt-openjdk:build $ gradlew conscrypt-openjdk:publish -Dorg.gradle.parallel=false -PrepositoryId=<repository-id>
See BUILDING for instructions for setting up the build environment.
$ git checkout <revision> $ cd build.x86 $ ninja $ cd ../build.arm $ ninja
$ ./gradlew conscrypt-openjdk:build $ ./gradlew conscrypt-openjdk:publish -Dorg.gradle.parallel=false -PrepositoryId=<repository-id>
close
button at the top of the staging repo list.release
button at the top of the staging repo list.You can see the complete process for releasing to Maven Central on the [OSSRH site] (http://central.sonatype.org/pages/releasing-the-deployment.html).
It will take several hours for the jars to show up on Maven Central.
The Android build is not yet integrated into the Docker container, so on any machine with the Android SDK installed, do the following:
$ ./gradlew conscrypt-android:build $ ./gradlew conscrypt-android:publish -Dorg.gradle.parallel=false
Once the platform-specific jars have shown up on Maven Central, return to the Docker container and build the Uber jar.
# If you left the container, reattach to it $ docker container attach {CONTAINER_ID} $ ./gradlew conscrypt-openjdk-uber:build -Dorg.conscrypt.openjdk.buildUberJar=true $ ./gradlew conscrypt-openjdk-uber:publish -Dorg.gradle.parallel=false -Dorg.conscrypt.openjdk.buildUberJar=true
Finally, document and publicize the release.
conscrypt@googlegroups.com
). The title should be something that clearly identifies the release (e.g.Conscrypt <tag> Released
).