sonatype deployment broken

[lsf37]

It looks like a few things changed slightly since the last time we deployed a release on sonatype.

After a few smaller updates (setting repo URL), and after a successful ./mvn-deploy run, the sonatype website complains about the following when I stage the release:

• missing javadoc
• missing sources
• missing gpg signature

I think I can address the gpg myself, but I'm a bit lost at the other two artefacts, because I thought we do produce them already. The might just be tweak needed in one of the pom.xml files, but without digging into them much more deeply, I couldn't see what exactly.

[lsf37]

@regisd -- do you know enough about maven to see what is missing there without digging too deep?

Unfortunately this means I won't be able to finish the release today, but I should be able to have another look next week, potentially tomorrow already.

[regisd]

To be honest, I want to apologise for making JFlex use Maven (commit 523d7a940cc179494f80af1eb71c721778c3417c). It was hype at the time, and promised exciting features ; but I never recovered from the trough of disillusionment. Builds are not reproducible, nor consistent, nor fast. In my opinion, the only good thing about Maven is the central repo, which is used or supported by all build tools now (Gradle, Ivy, Buildr, Bazel, etc.)

That, being said, happy to help here. Where are you exactly in the release process? I see the doc has been updated (at least README.md is) but the POM is still at 1.7.0-SNAPSHOT and I don't see a v1.7 branch.

[regisd]

Those artifacts are not built automatically, I've updated the release doc in PR #321

[lsf37]

No worries, if there is one thing I've learned about build systems, then it is that all of them suck in some way :-)

I was almost at the end of the release process, but abandoned the branch and deleted the tag after I ran into the deployment problems. I might take the time to update the instructions a bit more and maybe add a script for packing up the zip+tar files (the one I had locally is not going to work any more, and it's better to put it in the repo anyway).

[regisd]

OK, so the release branch is https://github.com/jflex-de/jflex/tree/branch-1.7.0 but I haven't done anything special on it. Don't forget to merge #320 in master before running the post-release.pl, so that the aggregated-java-sources is updated automatically (hopefully)

[lsf37]

I've started another test deployment. It did generate javadoc and and source jars, but didn't pick them up for upload.

Ran out of time for today, will look at it again tomorrow.

[regisd]

Hmmm. According to http://maven.apache.org/plugins/maven-deploy-plugin/examples/deploying-sources-javadoc.html

mvn org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy-file -Durl=file:///home/me/m2-repo \
                                                                            -DrepositoryId=some.repo.id \
                                                                            -Dfile=./path/to/artifact-name-1.0.jar \
                                                                            -DpomFile=./path/to/pom.xml \
                                                                            -Dsources=./path/to/artifact-name-1.0-sources.jar \
                                                                            -Djavadoc=./path/to/artifact-name-1.0-javadoc.jar

This looks ugly.

[lsf37]

So I'm making some (slow) progress on this. Turns out I (almost) lost my private key for the release signature, which explains the trouble I had with the gpg plugin. Now managed to restore it from backup and that part is fine. Now back to automating the source and javadoc deploy.

I still need to address a few small code cleanup things for the two features that still went into 1.7.0.

[regisd]

Sorry I can't help more here. I guess we should automate the release of the SNAPSHOTs in the future, so that you don't suffer every 2 years when there is an actual release.

[lsf37]

That might help, although javadoc, sources, and signing are exactly the things we'd leave out for SNAPSHOTs :-)

[regisd]

Only releases can be uploaded to the central repository. But Sonatype OSS hosting allows to deploy development version binaries (snapshots) https://central.sonatype.org/pages/ossrh-guide.html

[lsf37]

They do, it’s just that the docs that I found for deployment specifically recommended leaving out java doc and sources to speed things up. Doesn’t mean we’d have to do that, of course. Signing is different, because it does need the private key and passphrase.

[regisd]

• I don't think we are killing Travis with a few builds per year. I'd like to have a more comprehensive regular build, and avoid last minute surprises when we deploy
• I'd rather reduce the build matrix (it also makes the CI deploy phase more complex, because we don't want to run it on every cell of the build matrix. I'm trying to simplify that in #332 btw)
• The private key can probably be saved in Travis, like we do with the GITHUB_TOKEN