@blackwinter can you help me how to review this? what should I try to run?

First of all, you should review the updated steps in MAINTAINING.md. Do they make sense to you? Are they sufficiently simple, fool-proof, without providing too many opportunities for mistakes?

Then you could run various scenarios (without actually pushing/publishing anything!). Different branches/detached head, different publishVersions, with and without providing the required tags (which should be cleaned up afterwards!). The most basic task would be clean which then just prints the version; you could also generate the distribution with assemble.

If you need more guidance we should meet for a "review session".

I followed the MAINTINGING.md locally creating snapshots, rc and releases with tags. This seems to work for the main part.

Two things may need some adjustments:

1. The documentation is not very clear with regard to the signing creadentials and that additionally to the gradle credentials git needs gpg credentials to be able to create a signed tag. Documentation should be more clear when gpg credentials are needed. In my current test it seems that only for creating a release and not for creating a rc signing credentials for gradle are needed. This propably should be done in another ticket
   We should add:
   • How to add gpg credentials to git, as it is a prerequisite for creating a signed tag.
   • We should make it more explicit for what we need gradle signing credentials
   • Update the signing credentials code block (keyName seems to be unnecessary also " are not needed for file paths):

signing.gnupg.homeDir=/home/user/.gnupg # <--- no "..."
signing.password=...
# depending on gradle plugin versions etc. you may need to use:
signing.keyId=[last 8 sign of the gpg keys]
signing.secretKeyRingFile=/home/user/.gnupg/secring.gpg # <--- no "..."

• Hint that one has to create a keyring gpg --keyring secring.gpg --export-secret-keys > ~/.gnupg/secring.gpg
• For further info https://docs.gradle.org/current/userguide/signing_plugin.html#sec:signatory_credentials

2. When building a release candidate this is handled as Snapshot and the build gets a -SNAPSHOT suffix, is this correct? @dr0i I remember that you complained when I was uploading the last release candidate for the first time that the runner archives should not have SNAPSHOT in the name and the build should be named "metafacture-core-A.B.C-rcN" See test 4.

For further context what I tested:

Created a new branch on this basis testBranchGradle

1. ./gradlew assemble without -PpublishVersion

$./gradlew assemble

> Configure project :
Making snapshot build: testBranchGradle-SNAPSHOT
...
BUILD SUCCESSFUL in 17s
109 actionable tasks: 44 executed, 65 up-to-date

2. ./gradlew clean

$ ./gradlew clean
> Configure project :
Making snapshot build: testBranchGradle-SNAPSHOT
...

BUILD SUCCESSFUL in 1s
34 actionable tasks: 34 executed

./gradlew assemble with -PpublishVersion=

 $ ./gradlew assemble -PpublishVersion=TestCase

> Configure project :
Making snapshot build: TestCase-SNAPSHOT
...
BUILD SUCCESSFUL in 22s
108 actionable tasks: 106 executed, 2 up-to-date

Create a tag: git tag -s metafacture-core-7.0.1-rc8

4. ./gradlew assemble -PpublishVersion=7.0.1-rc8

 ./gradlew assemble -PpublishVersion=7.0.1-rc8

> Configure project :
Making release candidate build: 7.0.1-rc8-SNAPSHOT
...
BUILD SUCCESSFUL in 11s
108 actionable tasks: 43 executed, 65 up-to-date

5. ./gradlew assemble -PpublishVersion=7.0.1-rc9 fails because the tag has a different name.

 ./gradlew assemble -PpublishVersion=7.0.1-rc9

FAILURE: Build failed with an exception.

* Where:
Build file '/home/tobias/git/metafacture-core/build.gradle' line: 369

* What went wrong:
A problem occurred evaluating root project 'metafacture-core'.
> HEAD has no matching annotated tag: metafacture-core-7.0.1-rc9

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

BUILD FAILED in 492ms

When adding a commit and creating a new tag this works.

7. When changes were added but not commited,

$ ./gradlew assemble -PpublishVersion=7.0.1-rc9

FAILURE: Build failed with an exception.

* Where:
Build file '/home/tobias/git/metafacture-core/build.gradle' line: 355

* What went wrong:
A problem occurred evaluating root project 'metafacture-core'.
> Working copy has modifications

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

BUILD FAILED in 1s

8. Interestingly release candidates do not complain if singing credentials in gradle.properties are added or not. It always seems to work.

9. Try to create a release, without tag, fails as intended.

$ ./gradlew assemble -PpublishVersion=7.0.1

FAILURE: Build failed with an exception.

* Where:
Build file '/home/tobias/git/metafacture-core/build.gradle' line: 369

* What went wrong:
A problem occurred evaluating root project 'metafacture-core'.
> HEAD has no matching annotated tag: metafacture-core-7.0.1

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

BUILD FAILED in 498ms

10. Try to create a release, with matching tag, but without signing credentials fails as intended.

$ ./gradlew assemble -PpublishVersion=7.0.1

> Configure project :
Making release build: 7.0.1

> Task :metafacture-runner:signArchives FAILED

[Incubating] Problems report is available at: file:///home/tobias/git/metafacture-core/build/reports/problems/problems-report.html

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':metafacture-runner:signArchives'.
> Cannot perform signing task ':metafacture-runner:signArchives' because it has no configured signatory

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

For more on this, please refer to https://docs.gradle.org/8.14.2/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.

BUILD FAILED in 3s
91 actionable tasks: 33 executed, 58 up-to-date

10 Building release with tag and credentials works:

$ ./gradlew assemble -PpublishVersion=7.0.1

> Configure project :
Making release build: 7.0.1

[Incubating] Problems report is available at: file:///home/tobias/git/metafacture-core/build/reports/problems/problems-report.html

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

For more on this, please refer to https://docs.gradle.org/8.14.2/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.

BUILD SUCCESSFUL in 13s
109 actionable tasks: 12 executed, 97 up-to-date

Thanks a lot for the thorough review! Does this mean you approve the pull request?

The documentation is not very clear with regard to the signing creadentials and that additionally to the gradle credentials git needs gpg credentials to be able to create a signed tag.

Just to be clear: This isn't related to the current pull request; signed tags have already been part of the workflow.

In my current test it seems that only for creating a release and not for creating a rc signing credentials for gradle are needed.

That's correct and hasn't changed with this pull request. Why do think release candidates should be signed?

It seems to be new

Is there something missing here? What "seems to be new"?Section has been updated by @TobiasNx.

Interestingly release candidates do not complain if singing credentials in gradle.properties are added or not. It always seems to work.

See above.

Thanks a lot for the thorough review! Does this mean you approve the pull request?

yes

The documentation is not very clear with regard to the signing creadentials and that additionally to the gradle credentials git needs gpg credentials to be able to create a signed tag.

Just to be clear: This isn't related to the current pull request; signed tags have already been part of the workflow.

Yes, but testing the changes showed a couple of flaws in our documentation.

In my current test it seems that only for creating a release and not for creating a rc signing credentials for gradle are needed.

That's correct and hasn't changed with this pull request. Why do think release candidates should be signed?

MAINTINGING.md says the following:

When building a release candidate this is handled as Snapshot and the build gets a -SNAPSHOT suffix, is this correct?

Again, this behaviour hasn't changed:

See also:

To upload to Sonatype you need (as well for the release candidate as for the release) a gradle.properties in the root directory that looks like this:

I see, thanks. I'll leave it for @dr0i to give his reasons for the comment (introduced in e95332d).

We need signing all files when uploading to maven central. There are other possibilities to using gpg but why not using gpg ?

Can you please elaborate? How is the signing currently done in master and how is it (not) done here? I can't see any changes related to signing...

Idk, you came up with the question in #700 (comment) . I don't see that you removed any information re signing so I am (still) good.
I am unasigning me here.

So it's a discussion between you and @TobiasNx then. Maybe you can continue elsewhere if there's nothing actually blocking this pull request?

Perhaps I am wrong, but there are still two questions for @dr0i that were not answered. Both are related to release candidates:

One regarding the SNAPSHOT suffix on release candidates:

2. When building a release candidate this is handled as Snapshot and the build gets a -SNAPSHOT suffix, is this correct? @dr0i I remember that you complained when I was uploading the last release candidate for the first time that the runner archives should not have SNAPSHOT in the name and the build should be named "metafacture-core-A.B.C-rcN" See test 4.

Create a tag: git tag -s metafacture-core-7.0.1-rc8

./gradlew assemble -PpublishVersion=7.0.1-rc8

./gradlew assemble -PpublishVersion=7.0.1-rc8

Configure project :
Making release candidate build: 7.0.1-rc8-SNAPSHOT
...
BUILD SUCCESSFUL in 11s
108 actionable tasks: 43 executed, 65 up-to-date

(See here: #700 (comment)) To be specific I uploaded the RC only to Github packages: https://github.com/metafacture/metafacture-core/releases/tag/metafacture-core-7.0.0-rc1)

One regarding the Singing of release candidates, see #700 (comment):
I saw that when building a RC no gradle credentials for signing were needed but the documentation states that RCs need signing. @blackwinter asked why release candidates need signing and why @dr0i introduced the requirement here: https://github.com/metafacture/metafacture-core/wiki/Maintainer-Guidelines/_compare/bff60478201c92d05baee267ce470bde22dfb2b4...e95332d7a06f81ef3bf1ab1d777c08d93856ffb6

Sorry to keep belaboring this point, but neither of your questions is related to the modifications made here. The behaviour is unchanged. It's okay to discuss and maybe improve the documentation and/or the code, but any action to be taken is out-of-scope for this pull request, isn't it?

@blackwinter talked to @dr0i go ahead, we will adjust any documentation later.