foster/forgejo-docs
0
0
Fork 0
mirror of https://codeberg.org/forgejo/docs.git synced 2025-01-22 02:15:25 -05:00
Code Issues Activity

docs: updates on the release process and how to debug it

Browse source
This commit is contained in:
Earl Warren 2023-07-07 17:24:20 +02:00 committed by Caesar Schinas
parent a8459ae139
commit ef44ed51c1
No known key found for this signature in database
GPG key ID: AE9108461BEA5ACF
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
developer/RELEASE.md
View file

@ -70,7 +70,7 @@ Reach out to packagers and users to manually verify the release works as expecte
### Forgejo release publication
- Push the vX.Y.Z-N tag to https://forgejo.octopuce.forgejo.org/forgejo/forgejo
- Push the vX.Y.Z-N tag to https://forgejo.octopuce.forgejo.org/forgejo-release/forgejo
It will trigger a workflow to:
@ -95,11 +95,14 @@ VPN and its role is to copy and sign release artifacts.
If the publishing the release needs debug, it can be done manually:
- https://forgejo.octopuce.forgejo.org/forgejo-release/runner-debug has the same secrets as https://forgejo.octopuce.forgejo.org/forgejo-release/runner
- Make the changes, tag with vX.Y.Z-N and force push the tag to https://forgejo.octopuce.forgejo.org/forgejo-release/runner-debug
- Make the changes, commit them, tag the commit with vX.Y.Z-N and force push the tag to https://forgejo.octopuce.forgejo.org/forgejo-release/runner-debug. Note that it does not matter that the tag is not on a commit that matches the release because this action only cares about the tag: it does not build any content itself, it copies it from one organization to another. However it matters that it matches a SHA that is found in the destination repository of the release otherwise it won't be able to set the tag (setting a tag on a non-existing sha does not work).
- Watch the action run at https://forgejo.octopuce.forgejo.org/forgejo-release/runner-debug/actions
- To skip one of the publish phases (binaries or container images), delete it and commit in the repository before pushing the tag
- Reflect the changes in a PR at https://code.forgejo.org/forgejo/runner to make sure they are not lost
It can also be done from the CLI with `forgejo-runner exec` and
providing the secrets from the command line.
### Securing the release token and cryptographic keys
For both the Forgejo runner and Forgejo itself, copying and signing the release artifacts (container images and binaries) happen on a Forgejo isntance running [behind a VPN](infrastructure#octopuce) to safeguard the token that has write access to the Forgejo repository as well as the cryptographic key used to sign the releases.