Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backporting Release key README changes to nodejs/node version branches #595

Closed
nschonni opened this issue Jul 25, 2020 · 5 comments · Fixed by #654
Closed

Backporting Release key README changes to nodejs/node version branches #595

nschonni opened this issue Jul 25, 2020 · 5 comments · Fixed by #654

Comments

@nschonni
Copy link
Member

docker-node now has a script for pulling the keys from README with https://github.com/nodejs/docker-node/blob/master/update-keys.sh
I noticed that the README changes for adding the release keys doesn't appear to be backported to the branches for @richardlau addition. If the branches are kept in sync, they could be specific to the release line over in docker-node as well.
@aduh95
Copy link
Contributor

aduh95 commented Jan 8, 2021

Related nodejs/node#36835

@richardlau
Copy link
Member

For my particular case, I've cherry-picked the commit for my key onto v10.x-staging (nodejs/node#36835 (comment)).

Might be worth having a discussion anyway re. policy. https://github.com/nodejs/Release/blob/master/GOVERNANCE.md#adding-new-releasers doesn't currently mention anything about a release line needing to have the key in the README for that line before a releaser can sign a release on that line.

@mhdawson mhdawson mentioned this issue Jan 11, 2021
Closed
@mhdawson mhdawson mentioned this issue Jan 26, 2021
Closed
@BethGriggs
Copy link
Member

We discussed this in the last release WG meeting, and the suggestion was to cherry-pick the keys (or any key updates) on to all of the active release branches.

I will leave this open as a reminder to add a note to our docs.

@nschonni
Copy link
Member Author

Awesome @BethGriggs!
What is the right branches to pull down keys per version? We might be able to drop the requirement for people to add to the keys.json if we can just pull and parse them out of the MD files for correct branches

@BethGriggs
Copy link
Member

Now that we're backporting releaser's keys to all active release branches by default, it should be possible to extract the valid keys for a given release from the major release branch (vN.x). That is assuming you're always checking against the latest HEAD of those branches.

It should also be possible to extract the valid keys from the tagged version of the source, or from the source tarball download (e.g. https://github.com/nodejs/node/tree/v15.8.0#release-keys or https://nodejs.org/download/release/latest-v15.x/node-v15.8.0.tar.gz).

BethGriggs added a commit to BethGriggs/Release that referenced this issue Mar 19, 2021
@BethGriggs
doc: add note to cover backporting GPG keys
bbe08de 
Fixes: nodejs#595
@BethGriggs BethGriggs mentioned this issue Mar 19, 2021
Merged
BethGriggs added a commit that referenced this issue Mar 22, 2021
@BethGriggs
doc: add note to cover backporting GPG keys (#654)
23cdb6c 
Fixes: #595
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

doc: add note to cover backporting GPG keys BethGriggs/Release
4 participants
@nschonni @richardlau @BethGriggs @aduh95