openwallet-foundation / acapy

ACA-Py is a foundation for building decentralized identity applications and services running in non-mobile environments.
https://aca-py.org
Apache License 2.0
419 stars 512 forks source link

Transition plan for moving Hyperledger Aries Cloud Agent Python to OpenWallet Foundation acapy #3250

Open swcurran opened 1 month ago

swcurran commented 1 month ago

Latest Update: 2024.10.09

This description will evolve as the transition of ACA-Py into the [OpenWallet Foundation] (OWF) and the transfer of the repo (now done) is made operational. Bookmark this issue to learn about the approach, the progress, the timeline, and guidance on what you should do in updating your deployment to reference the new home for the repository.

Goals/Decisions

Details

swcurran commented 1 month ago

@WadeBarnes and @ryjones -- love to get your input on the plan. Same with new maintainers @thiagoromanos and @ff137, and any other deployers. Does this make it as easy as possible?

For those at the meeting today (@esune @jamshale @dbluhm @mepeltier @PatStLouis) -- note the subtle change I made to the repo that is to be kept at Hyperledger to be able to publish LTS releases. We'll create the fork immediately after the OWF move, but we'll only rename the repo to the current name when we have to publish an LTS release. That will allow the GitHub automatic redirect to work until that point -- which may be forever. 🤞

Feedback welcome!

WadeBarnes commented 1 month ago
  • If and when we must do a first 0.11 and/or 0.12 LTS release, we will rename the repo to the old "aries-cloudagent-python" name. At that point the the automatic GitHub redirect to the OWF repo will be stopped. Ideally, we won't ever have to do that, or when we do, the word is out amongst deployers about the change.

I don't think a rename back to aries-cloudagent-python would ever be needed. The artifacts, their names, and where they are published is independent of the name of the repository.

swcurran commented 1 month ago

Awesome! We were thinking that it would be needed for the GHCR namespace. If not — all the better! I’ve updated the plan in the issue description.

SeanBohan commented 1 month ago

Couple of housekeeping issues:

swcurran commented 1 month ago

Thanks, @SeanBohan.

Oh boy, a mission statement. :-). We’ll work on that. Can you direct me to some other Mission Statements of projects so we see the style of what is expected.

We have the bi-weekly ACA-Pug meeting tomorrow and will check in with the community on all three issues.

jamshale commented 1 month ago

One of the trickier things is the LTS. When we fork the openwallet-foundation repo back to hyperledger we'll need to change the name back to aries-cloudagent-python and adjust the github actions to point to hyperledger/aries-cloudagent-python again.

That's all good, but forking won't maintain any of the tags or releases. We'll need to manually create the tags and releases by commit id after forking. The existing images are still available after moving the repo. This is only to create new images and pypi packages.

All the existing github secrets will also be lost. They'll also need to be re-made after forking for publishing workflows.

We should make sure the forked repo no longer allows PR's except from a few users that will create patch releases.

esune commented 1 month ago

We'll need to manually create the tags and releases by commit id after forking. The existing images are still available after moving the repo. This is only to create new images and pypi packages.

Can pypi packages be pushed like it is possible with Docker images? If so, we could just manually push the relevant packages/images to the ghcr for the forked repo - this is only advisable if we expect the LTS releases to be replaced by new ones in the relatively near future and therefore we'd have to manually push only a limited amount of times.

We should make sure the forked repo no longer allows PR's except from a few users that will create patch releases.

+1 to this. Also issue creation (at least from external contributors) should be prevented and redirected to the new repo?

jamshale commented 1 month ago

You can manually publish both the pypi package and the ghrc.io images. For pypi you need the publishing account username/password and for ghrc.io you need a repo PAT with package:read,write,delete privileges.

Getting the github actions to work again and manually tagging the commits wouldn't be too hard with the correct repo rights either, but there is a few steps to do. Renaming the repo again after forking is critical for ghrc because that's how it decides the namespace.

dbluhm commented 1 month ago

I've produced images for a repo where the image name doesn't exactly match the name of the repo. I think the org name must match but the repo name is not required to be in the image name.

jamshale commented 1 month ago

Another thing to consider is changing the project and package name will change the references in plugins. For the managed plugin repo we can do this ourselves but in unmanaged plugins like traction innkeeper they will break if they install the new package without updating the source code.

swcurran commented 1 month ago

I’m hoping this is not an issue:

One of the trickier things is the LTS. When we fork the openwallet-foundation repo back to hyperledger we'll need to change the name back to aries-cloudagent-python and adjust the github actions to point to hyperledger/aries-cloudagent-python again.

The point of moving-and-forking-back before we merge the PRs that we’ve made for the move is that the forked version will not have changed from what was working in Hyperledger before the move. Is that not right? My hope is that the GHAs should still work, except for the repo name change from “aries-cloudagent-python” to “aries-cloudagent-python-lts”.

jamshale commented 1 month ago

I didn't describe this very well. The forking back will work yes if we do it before merging the PR's, but I'm pretty sure we lose the github secrets and the tags/releases after forking back.

The existing artifacts for the releases will still work via redirects but to create new LTS releases via github actions I'm pretty sure we need to recreate the pypi secrets and the tags.

ryjones commented 1 month ago

@jamshale correct. I will ask you all to reconsider any plan to fork it back to Hyperledger.

swcurran commented 1 month ago

We don’t need all the tags — we just need the two (or perhaps 5) we already have, and we know where they belong. Can we not add back or get new secrets? And the tags we need are on branches.

@ryjones — if we don’t have a hyperledger-based repo, how will we produce the needed PyPi and GHCR artifacts for LTS releases. We’re not doing the fork for fun — we think it is necessary.

WadeBarnes commented 1 month ago

We don’t need all the tags — we just need the two (or perhaps 5) we already have, and we know where they belong. Can we not add back or get new secrets? And the tags we need are on branches.

@ryjones — if we don’t have a hyperledger-based repo, how will we produce the needed PyPi and GHCR artifacts for LTS releases. We’re not doing the fork for fun — we think it is necessary.

It might be possible to publish the releases from the repo in OWF. The PyPi packages for sure. As far as the images in the GHCR are concerned, provided the correct permissions are used it might be possible to publish an image to the Hyperledger repos from and OWF repo. Have not tried, but technically it could work.

WadeBarnes commented 1 month ago

I think @ryjones has a point, we should try to do everything from the repo in OWF and then figure out what to do from there if we find something is not possible.

swcurran commented 1 month ago

Talking to @WadeBarnes and based on what @ryjones has said, here is what we now think is possible, without having to do a link:

Please review/confirm/adjust this and I'll update the description of this issue with the latest thinking.

jamshale commented 1 month ago

I think this is a good approach. It makes things a lot simpler. We could possibly generate the 0.11.lts and 0.12.lts artifacts for the new package and image names as well. Then someone on the hyperledger artifacts could move to the OWF artifacts without needing to upgrade.

As mentioned before. It is possible to do both the pypi publish and image uploads via command line for the old locations if someone has the correct account credentials. This really shouldn't happen very often.

ryjones commented 1 month ago

@jamshale For GHCR, it looks like we add a token (not using the runtime token) with access. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry

I added ACAPY_PUB to OWF's secrets. the user is hyperledger-bot. You should be able to publish to Hyperledger's GHCR with that combination

claudiotorrens commented 1 month ago

Hello guys, the ACA-Py demo link does not work: https://aca-py.org/latest/gettingStarted/AriesDeveloperDemos/

ryjones commented 1 month ago

@claudiotorrens where did you find that link?

ryjones commented 1 month ago

@claudiotorrens it exists in 0.12.2 and 1.0.1? the correct link is https://aca-py.org/main/gettingStarted/ACA-PyDeveloperDemos/ as it was renamed