This page describes Apache Shiro’s release process.


Release notes

Before starting the release process, you need to update the RELEASE-NOTES file in the source code repository.

You can copy/paste the detail from the Github release note page in plain text.

Create the Release and Vote

  1. Ensure you are using JDK 11+ and Maven 3.6+ (last release done with JDK 11, and Maven 3.6.3) for the following steps.

  2. Run Apache RAT to ensure that we're Apache compliant:

    > mvn apache-rat:check

    Resolve any errors as necessary (usually amounts to placing the ASF license header at the top of files).

  3. Execute the maven commands below to go through the release process. If there are any errors that you can't resolve, contact the dev@shiro.apache.org mailing list.

    GPG Installed

    This release process requires the gpg binary to be in your command $PATH and your code signing key configured for your account.

    If your Apache key is not your primary key, see below.

    Commands:

    # test if the build works
> mvn verify site site:stage -Pdocs,apache-release

# actual release
> mvn release:prepare
> mvn release:perform

    If your Apache GPG key is not your primary key,, create the following profile and enter your GPG key ID in the appropriate property.
    If you have some errors during the test phase when launching the     mvn release:perform you can disable test by adding a skip profile in your $HOME/.m2/settings.xml and uncomment the skip properties:

    maven settings
      <profiles>
    <profile>
      <id>apache-release</id>
      <properties>
        <!-- do not use this setting in normal circumstances. -->
        <!-- maven.test.skip.exec>true</maven.test.skip.exec -->
        <gpg.keyname>0x12345678</gpg.keyname>
      </properties>
    </profile>
  </profiles>

  <activeProfiles>
    <activeProfile>apache-release</activeProfile>
  </activeProfiles>
  4. Log in to https://repository.apache.org. Navigate to "Staging Repositories" (on the left nav panel). Find the repository starting with 'org.apache.shiro', (the staging repo is now closed automatically), copy the URL for the next step.

  5. Publish the release source artifact to the Apache dist dev repo:

    # checkout the repo
> svn co https://dist.apache.org/repos/dist/dev/shiro/

# create the release directory
> cd shiro
> mkdir 1.12.0

# copy releases sources artifacts
> cp <SHIRO_LOCAL_ROOT_PROJECT>/target/shiro-root-1.12.0-source-release.zip* .
# you should now have *.zip, *.zip.asc and *.zip.sha512 files

# commit and push to the repo
> svn add 1.12.0
> svn commit -m "[release-vote] 1.12.0"
  6. Create the Shiro Github release https://github.com/apache/shiro/releases/new :
    1. Select the tag corresponding to the release shiro-root-1.12.0 
    2. Select the previous tag on the editor panel shiro-root-1.11.0 
    3. Generate the release notes by clicking to the according button on the editor panel
    4. Select the check box to set this version as the latest release  if needed (for non-production release, select the pre-release  checkbox)
    5. Then publish the release

  7. Send out the VOTE email to the dev@shiro.apache.org mailing list. Here's a good template:

    Subject: [VOTE] Release Apache Shiro 1.12.0

This is a call to vote in favor of releasing Apache Shiro version 1.12.0.

We solved 2 Issues: 

https://github.com/apache/shiro/releases/tag/shiro-root-1.12.0

Maven Staging repo:
<URL_OF_THE_CLOSED_REPO_FROM_ABOVE_STEP> (e.g. https://repository.apache.org/content/repositories/orgapacheshiro-92/)
<URL_OF_THE_CLOSED_REPO_FROM_ABOVE_STEP/*-source-release.zip> (e.g. https://repository.apache.org/content/repositories/orgapacheshiro-92/shiro-root-1.12.0-source-release.zip)

Dist Staging Repository:
https://dist.apache.org/repos/dist/dev/shiro/1.12.0/  

Project website (just for informational purposes, not to be voted upon):
http://shiro.apache.org/

Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html

Vote open for 72 hours. 

[ ] +1
[ ] +0
[ ] -1 (please include reasoning)

  8. To verify the reproducibility of the release by comparing the tag and the source repo, users can execute the maven command line:

    mvn install artifact:compare -Pdocs,apache-release -DskipITs -DskipTests -Dreference.repo='https://repository.apache.org/content/repositories/orgapacheshiro-1056/'

After a Successful Vote

Central Release

Release the Nexus staging repository to Maven Central:

Log in to https://repository.apache.org. Navigate to "Staging Repositories" (on the left nav panel). Find the repository starting with 'org.apache.shiro' and release it. 

This will sync to Maven Central in a couple of hours.

Push the Git tag:

# Set an environment variable to be used below
export RELEASE="1.12.0"
# push the tag
git push asf shiro-root-$RELEASE

Update the Shiro Github Milestone (new)

Update the SHIRO Github project milestone versions.

https://github.com/apache/shiro/milestones

Put the distribution on the ASF web servers

svn mv https://dist.apache.org/repos/dist/dev/shiro/${RELEASE} https://dist.apache.org/repos/dist/release/shiro/ -m "Adding Shiro Release ${RELEASE}"

Remove any other release from svn (so they are only available on the archive):

find . -maxdepth 1 -a -type d -a \( -name "1.*" -o -name "2.*" \) -a -not -name "$RELEASE" -exec svn rm '{}' +
svn status 
svn commit

Publish the apidocs

publish apidocs
# check out shiro-site repository
git clone git@github.com:apache/shiro-site.git && cd shiro-site

# now create apidocs dir
mkdir src/site/assets/static/$RELEASE
rsync -avP ../apache-shiro/target/staging/* src/site/assets/static/$RELEASE/.

# commit the new site
git commit -a -m "apidocs $RELEASE"
git push

Then commit and push.

Publish the static site

This is the site for shiro.apache.org

Run Maven (see: https://github.com/apache/shiro-site/blob/main/CONTRIBUTING.adoc)

Add an announcement blog post with the release notes

For CVE/Vulnerability update the security-reports.adoc with the relevant information

Other things to do after a release

Important: If you make a MAJOR release, please mail to press@a.o first!
They will help you phrase the mails and make the project and milestone more visible!

For any other regular release:

  1. Make an announcement as a Shiro blog article. You can look at a previous announcement as an example.
  2. NOTE: If there is a CVE/Vulnerability contained in this release, follow the notification steps on the on the Official Apache Security Page before continuing. (e.g. public disclosure of the CVE)
  3. Make the same announcement on the Shiro user list (subject: [ANNOUNCE] Apache Shiro <version> released) and CC the developer list.
    dev@shiro.apache.org, users@shiro.apache.org, announce@shiro.apache.org.
  4. Make the same announcement on the Apache Announcement list: announce@apache.org. Be sure to send it from your @a.o mail address.

  5. Update the Apache Shiro Wikipedia page to reflect the latest release information.

  6. Twitter about it on our channel @ApacheShiro
  7. Deactivate your skip profile in your settings.xml if you have skip-test-properties!

  • No labels