Creating a flink-shaded release

Introduction

The Apache Flink project periodically declares and publishes releases. A release is one or more packages of the project artifact(s) that are approved for general public distribution and use. They may come with various degrees of caveat regarding their perceived quality and potential for change, such as “alpha”, “beta”, “incubating”, “stable”, etc.

The Flink community treats releases with great importance. They are a public face of the project and most users interact with the project only through the releases. Releases are signed off by the entire Flink community in a public vote.

Each release is executed by a Release Manager, who needs to be a Apache Flink committer and is selected by the Flink PMC members. This document describes the process that the Release Manager follows to perform a release. Any changes to this process should be discussed and adopted on the dev@ mailing list.

Please remember that publishing software has legal consequences. This guide complements the foundation-wide Product Release Policy and Release Distribution Policy.

Overview

The release process consists of several steps:

1. Decide to release
2. Prepare for the release
3. Build a release candidate
4. Vote on the release candidate
5. If necessary, fix any issues and go back to step 3.
6. Finalize the release
7. Promote the release
8. Update flink-shaded dependencies in other repositories

Decide to release

Deciding to release and selecting a Release Manager is the first step of the release process. This is a consensus-based decision of the entire community.

Anybody can propose a release on the dev@ mailing list, giving a solid argument and nominating a committer as the Release Manager (including themselves). There’s no formal process, no vote requirements, and no timing requirements. Any objections should be resolved by consensus before starting the release.

In general, the community prefers to have a rotating set of 3-5 Release Managers. Keeping a small core set of managers allows enough people to build expertise in this area and improve processes over time, without Release Managers needing to re-learn the processes for each release. That said, if you are a committer interested in serving the community in this way, please reach out to the community on the dev@ mailing list.

Checklist to proceed to the next step

1. Community agrees to release
2. Community selects a Release Manager

Prepare for the release

Before your first release, you should perform one-time configuration steps. This will set up your security keys for signing the release and access to various release repositories.

To prepare for each release, you should audit the project status in the JIRA issue tracker, and do necessary bookkeeping. Finally, you should create a release branch from which individual release candidates will be built.

There was a change being made to the way how the flink-shaded releases are organized within git due to the fact that bugfix releases happen quite rarely. Changes were only performed on master. x.0 releases would be created by tagging the relevant commit on the master branch. This was done to reduce unnecessary effort. If it comes to a point where a bugfix release becomes necessary, one should go ahead and create a release branch release-x.0  (to match the naming scheme of the past branches) which should be based on the tag with the same name release-x.0.

One-time setup instructions

GPG Key

You need to have a GPG key to sign the release artifacts. Please be aware of the ASF-wide release signing guidelines. If you don’t have a GPG key associated with your Apache account, please create one according to the guidelines.

Determine your Apache GPG Key and Key ID, as follows:

gpg --list-keys

This will list your GPG keys. One of these should reflect your Apache account, for example:

--------------------------------------------------
pub   2048R/845E6689 2016-02-23
uid                  Nomen Nescio <anonymous@apache.org>
sub   2048R/BA4D50BE 2016-02-23

Here, the key ID is the 8-digit hex string in the pub line: 845E6689.

Now, add your Apache GPG key to the Flink’s KEYS file both in dev and release repositories at dist.apache.org. Follow the instructions listed at the top of these files. (Note: Only PMC members have write access to the release repository. If you end up getting 403 errors ask on the mailing list for assistance.) PMC member can refer following scripts to add your Apache GPG key to the KEYS in the release repository.

wget https://dist.apache.org/repos/dist/release/flink/KEYS -O NEW_KEYS  
(gpg --list-sigs <YOUR_KEY_ID> && gpg --armor --export <YOUR_KEY_ID>) >> ~/NEW_KEYS
svn co https://dist.apache.org/repos/dist/release/flink flink-dist-release
cd flink-dist-release
cp ../NEW_KEYS KEYS
svn ci -m "[flink] Add <YOUR_NAME>'s public key"

Configure git to use this key when signing code by giving it your key ID, as follows:

git config --global user.signingkey 845E6689

You may drop the --global option if you’d prefer to use this key for the current repository only.

You may wish to start gpg-agent to unlock your GPG key only once using your passphrase. Otherwise, you may need to enter this passphrase hundreds of times. The setup for gpg-agent varies based on operating system, but may be something like this:

eval $(gpg-agent --daemon --no-grab --write-env-file $HOME/.gpg-agent-info)
export GPG_TTY=$(tty)
export GPG_AGENT_INFO

Access to Apache Nexus repository

Configure access to the Apache Nexus repository, which enables final deployment of releases to the Maven Central Repository.

1. You log in with your Apache account.
2. Confirm you have appropriate access by finding org.apache.flink under Staging Profiles.
3. Navigate to your Profile (top right dropdown menu of the page).
4. Choose User Token from the dropdown, then click Access User Token. Copy a snippet of the Maven XML configuration block.

5. Insert this snippet twice into your global Maven settings.xml file, typically ${HOME}/.m2/settings.xml. The end result should look like this, where TOKEN_NAME and TOKEN_PASSWORDare your secret tokens:

   settings.xml

   <settings>
      <servers>
        <server>
          <id>apache.releases.https</id>
          <username>TOKEN_NAME</username>
          <password>TOKEN_PASSWORD</password>
        </server>
        <server>
          <id>apache.snapshots.https</id>
          <username>TOKEN_NAME</username>
          <password>TOKEN_PASSWORD</password>
        </server>
      </servers>
    </settings>

Verify that a Release Build Works

Run mvn -Prelease clean install to ensure that the build processes that are specific to that profile are in good shape.

Checklist to proceed to the next step

1. Release Manager’s GPG key is published to dist.apache.org
2. Release Manager has org.apache.flink listed under Staging Profiles in Nexus
3. Release Manager’s Nexus User Token is configured in settings.xml

Build a release candidate

The core of the release process is the build-vote-fix cycle. Each cycle produces one release candidate. The Release Manager repeats this cycle until the community approves one release candidate, which is then finalized.

Prepare environment

Check out the commit from which you intend to create the release, and run these commands in the flink-shaded directory:

# Set up a few environment variables to simplify Maven commands that follow.
# (We use bash Unix syntax in this guide.)
export RELEASE_VERSION="4.0"
export NEXT_VERSION="5.0"
# This must be incremented for each release candidate
export RC_NUM="1"
export TAG="release-${RELEASE_VERSION}-rc${RC_NUM}"
FLINK_SHADED_DIR=$(pwd)

Build and stage Java artifacts with Maven

We now need to do several things:

• Create the source release archive
• Deploy jar artifacts to the Apache Nexus Repository, which is the staging area for deploying the jars to Maven Central
• Note: Please do not use VPN or change your IP address when stage artifacts to Apache Nexus Repository, it may lead to multiple staging repositories which is unexpected.

# tag release commit
git tag -s ${TAG} -m "${TAG}"

# create source release
cd ${FLINK_SHADED_DIR}/tools
RELEASE_VERSION=$RELEASE_VERSION releasing/create_source_release.sh 

# stage maven artifacts
cd ${FLINK_SHADED_DIR}/tools
releasing/deploy_staging_jars.sh

cd ${FLINK_SHADED_DIR}

Review all staged artifacts (https://repository.apache.org/). They should contain a .pom and .jar file for each module. Carefully review any new artifacts.

Close the staging repository on Apache Nexus. When prompted for a description, enter “Apache Flink-shaded, version X, release candidate Y”.

Stage source on dist.apache.org

Copy the source release to the dev repository of dist.apache.org.

1. If you have not already, check out the Flink section of the dev repository on dist.apache.org via Subversion. In a fresh directory:

   svn checkout https://dist.apache.org/repos/dist/dev/flink --depth=immediates
   
   # make a directory for the new release
   mkdir flink/flink-shaded-${RELEASE_VERSION}-rc${RC_NUM} 
   
   # copy Flink source distributions, hashes, and GPG signature
   mv ${FLINK_SHADED_DIR}/tools/release/* flink/flink-shaded-${RELEASE_VERSION}-rc${RC_NUM}
   
   pushd flink
   svn add flink-shaded-${RELEASE_VERSION}-rc${RC_NUM}
   svn commit -m "Add flink-shaded ${RELEASE_VERSION}-rc${RC_NUM}"
   popd

2. Verify that files are present.

Propose a pull request for website updates

The final step of building the candidate is to propose a website pull request.

1. The docs/data/additional_components.yml must be updated to contain the new release: you there need to update the source source_release_url, source_release_asc_url and source_release_sha512_url in flink-shaded

2. Add a new entry to docs/data/release_archive.yml under flink_shaded . You will need to add the version and release_date. The release_date is the date you make today, but needs to be updated to the actual release date when the release is official completed. 

Do NOT update the "Pre-bundled hadoop" entries for the main Flink releases.

Finally, propose a pull request with these changes. (Don’t merge before finalizing the release.)

Checklist to proceed to the next step

1. Maven artifacts deployed to the staging repository of repository.apache.org
2. Source distribution deployed to the dev repository of dist.apache.org
3. Website pull request proposed to list the release

You can (optionally) also do additional verification by:

1. Check hashes (e.g. shasum *.sha512 > checklist.chk; shasum -c checklist.chk)

2. Check signatures (e.g. gpg --verify flink-shaded-3.0-source-release.tar.gz.asc flink-shaded-3.0-source-release.tar.gz)
3. grep for legal headers in each file.

Vote on the release candidate

Once you have built and individually reviewed the release candidate, please share it for the community-wide review. Please review foundation-wide voting guidelines for more information.

Start the review-and-vote thread on the dev@ mailing list. Here’s an email template; please adjust as you see fit.

echo " 

From: Release Manager
To: dev@flink.apache.org
Subject: [VOTE] Release flink-shaded ${RELEASE_VERSION}, release candidate #${RC_NUM}
Content:

Hi everyone,
Please review and vote on the release candidate #${RC_NUM} for the version ${RELEASE_VERSION}, as follows:
[ ] +1, Approve the release
[ ] -1, Do not approve the release (please provide specific comments)


The complete staging area is available for your review, which includes:
* JIRA release notes [1],
* the official Apache source release to be deployed to dist.apache.org [2], which are signed with the key with fingerprint $(git config user.signingKey) [3],
* all artifacts to be deployed to the Maven Central Repository [4],
* source code tag \"${TAG}\" [5],
* website pull request listing the new release [6].

The vote will be open for at least 72 hours. It is adopted by majority approval, with at least 3 PMC affirmative votes.

Thanks,
Release Manager

[1] link
[2] https://dist.apache.org/repos/dist/dev/flink/flink-shaded-${RELEASE_VERSION}-rc${RC_NUM}
[3] https://dist.apache.org/repos/dist/release/flink/KEYS
[4] link
[5] https://github.com/apache/flink-shaded/releases/tag/${TAG}
[6] link
"

If there are any issues found in the release candidate, reply on the vote thread to cancel the vote. There’s no need to wait 72 hours. Proceed to the Fix Issues step below and address the problem. However, some issues don’t require cancellation.

If there are no issues, reply on the vote thread to close the voting. Then, tally the votes in a separate email. Here’s an email template; please adjust as you see fit.

From: Release Manager
To: dev@flink.apache.org
Subject: [RESULT] [VOTE] flink-shaded 3.0, release candidate #3

I'm happy to announce that we have unanimously approved this release.

There are XXX approving votes, XXX of which are binding:
* approver 1
* approver 2
* approver 3
* approver 4

There are no disapproving votes.

Thanks everyone!

Checklist to proceed to the finalization step

1. Community votes to release the proposed candidate, with at least three approving PMC votes

Fix any issues

Any issues identified during the community review and vote should be fixed in this step.

Code changes should be proposed as standard pull requests to the master branch and reviewed using the normal contributing process. Then, relevant changes should be cherry-picked into the release branch. The cherry-pick commits should then be proposed as the pull requests against the release branch, again reviewed and merged using the normal contributing process.

Once all issues have been resolved, you should go back and build a new release candidate with these changes.

Checklist to proceed to the next step

1. Issues identified during vote have been resolved, with fixes committed to the release branch.

Finalize the release

Once the release candidate has been reviewed and approved by the community, the release should be finalized.

Deploy artifacts to Maven Central Repository

Use the Apache Nexus repository to release the staged binary artifacts to the Maven Central repository. In the Staging Repositories section, find the relevant release candidate orgapacheflink-XXX entry and click Release. Drop all other release candidates that are not being released.

Deploy source and binary releases to dist.apache.org

Copy the source and binary releases from the dev repository to the release repository at dist.apache.org using Subversion. Make sure to remove the rc-${RC_NUM} suffix.

svn move -m "Release Flink-shaded ${RELEASE_VERSION}" https://dist.apache.org/repos/dist/dev/flink/flink-shaded-${RELEASE_VERSION}-rc${RC_NUM} https://dist.apache.org/repos/dist/release/flink/flink-shaded-${RELEASE_VERSION}

Git tag

Create a new Git tag for the released version by copying the tag for the final release candidate, as follows

git tag -s "release-${RELEASE_VERSION}" ${TAG} -m "release-${RELEASE_VERSION}"
git push upstream release-${RELEASE_VERSION}

Mark the version as released in JIRA

In JIRA, inside version management, hover over the current release and a settings menu will appear. Click Release, and select today’s date.

Checklist to proceed to the next step

• Maven artifacts released and indexed in the Maven Central Repository
• Source distribution available in the release repository of dist.apache.org
• Source distribution removed from the dev repository of dist.apache.org
• Release tagged in the source code repository
• Release version finalized in JIRA. (Note: Not all committers have administrator access to JIRA. If you end up getting permissions errors ask on the mailing list for assistance.)

Promote the release

Once the release has been finalized, the last step of the process is to promote the release within the project and beyond. Please wait for 24h after finalizing the release in accordance with the ASF release policy.

Merge website pull request

Merge the website pull request to list the release. Make sure to regenerate the website as well, as it isn't build automatically.

Apache mailing lists

Announce on the dev@ mailing list that the release has been finished.

From: Release Manager
To: dev@flink.apache.org
Subject: [ANNOUNCE] Apache Flink-shaded X.Y released

The Apache Flink community is very happy to announce the release of Apache Flink-shaded X.Y.

The flink-shaded project contains a number of shaded dependencies for Apache Flink.

Apache Flink® is an open-source stream processing framework for distributed, high-performing, always-available, and accurate data streaming applications.

The release is available for download at:
https://flink.apache.org/downloads.html
 
The full release notes are available in Jira:
<jira release notes link>
 
We would like to thank all contributors of the Apache Flink community who made this release possible!
 
Regards,
Release Manager

Recordkeeping

Use reporter.apache.org to seed the information about the release into future project reports.

Checklist to declare the process completed

1. Website pull request to list the release merged
2. Release recorded in reporter.apache.org.
3. Release announced on the dev@ mailing list.
4. Prepare for the next development iteration by creating/merging a PR bumping the flink-shaded version (e.g. 725c0caf3ab)

Update flink-shaded dependency in other repositories

Repositories that have the flink-shaded dependency included and need updates (flink-shaded  and shaded dependency versions):

• apache/flink:pom.xml
• apache/flink-benchmarks:pom.xml

Improve the process

It is important that we improve the release processes over time. Once you’ve finished the release, please take a step back and look what areas of this process and be improved. Perhaps some part of the process can be simplified. Perhaps parts of this guide can be clarified.

If we have specific ideas, please start a discussion on the dev@ mailing list and/or propose a pull request to update this guide. Thanks!