Replies: 4 comments 15 replies
-
Re problem 4 (mavenCentral Vs gradlePluginPortal): the order has to be specific (not sure which way) or all together: during a recent 1.20.0 release dependabot eagerly updated one of my repos, and I got this failure:
used as
|
Beta Was this translation helpful? Give feedback.
-
Nico, thank you so much for all these details! My ideas:
I have a clear idea to fix the first point. But I'm going to propouse it in a new "thread" to avoid overlaping topics. |
Beta Was this translation helpful? Give feedback.
-
The changelog is an issue that I think that a lot of projects have (OSS and no OSS). There are a lot of proposals out there but I didn't find a good one. Random ideas:
In that project that I talked in the point 3 we found a solution that worked for us:
cat changelog/* >> CHANGELOG.md
rm -f changelog/* This solves nearly all the problems:
But it adds one big problem: What happen if someone doesn't add it? It's strange that a project ask you to do this so nearly no one will do it. My solution to this problem is to create a bot. That bot should have this features:
Things missing: We still need to add the correct milestone. The good part is that now we can create a bot that automatically add the milestone "next-release" to all the merged PRs. And then we just need to change the name of that milestone to the correct release and done. We can do that with another script. And we will not need any label. |
Beta Was this translation helpful? Give feedback.
-
Separating out the milestone discussion
|
Beta Was this translation helpful? Give feedback.
-
Hi all,
It's time to talk about the elephant in the room: our release process :)
I'm opening this discussion to provide an insight on how it currently looks like and how it can be improved. Sadly, the current release process is really manual and requires a lot of steps, which we should look into automatizing.
Moreover, there are some processes that are fundamentally broken, which we should look into.
How does the release process looks like today.
To kickoff a release of Detekt, there is some preparatory work that needs to be done & a list of steps to kickoff a release.
Preparatory work
housekeeping
,notable changes
,dependency
or any other label) as they will be used for the Changelog Generation scriptActual release process
detekt/Versions.kt at e052dbe94c24a8a3b323a9b023722455c7ff1ec4 · detekt/detekt
./gradlew publishToMavenLocal
./gradlew build
./gradlew publishAllPublicationsToMavenCentralRepository --max-workers 1
./gradlew publishPlugins -DautomatePublishing=true
./gradlew closeAndReleaseRepository
./gradlew applyDocVersion applySelfAnalysisVersion
./scripts/github-milestone-report.main.kts
./gradlew githubRelease
RC release process
Releasing a RC is essentially equivalent to releasing a stable version. The only difference is that, when generating the release notes, you'll have to
./scripts/github-milestone-report.main.kts -f
as it will filter out PRs already listed in the changelog.Point release process
When doing a point release, things are really similar, but you need to pay attention to a couple of extra points.
release/1.18.1
You need to cut a release branch from the release tag.releasing.gradle.kts
script here with the sha of the commit where you're bumping the version. This is needed as./gradlew githubRelease
will tagmain
otherwise../gradlew githubRelease
What are the problems
I see a number of problems with the current process. Here the one that comes on top of my mind.
RCs are pointless as we keep on merging things. Marked as 0 as I believe this is the root cause of our pain. We do RCs for historical reasons, but those are not Release Candidate in any form. Is just a way that we have to bundle our code and ask for some feedback from the community on the stability of Detekt. The problem is that between a RC1 and a RC2, we keep on merging changes that are not necessarily related to reported regression. So in a sense, we can't guarantee that RC2 is more stable than RC1. If we find regressions, we addresse them, but we can't guarantee that we haven't introduced more. I think that this can be addressed by either
main
branch, deprecate the RCs and switch to full semantic versioning. This is similar to what we have now. Essentially we will be releasing more often, but without RCs or similar. We will just release a 1.21.0 at a certain point in the future. Should there be a regression, we can address them and do a point release. This also mean that if we release 1.21.0 at Day0, and we merge a PR for a new rule at Day1, then we find a regression for 1.21.0, fix & merge it on Day2, we are effectively releasing 1.22.0 two day after the release of the previous minor. We would have to clarify to our users that we're changing this.Releases are built on local machine This needs to be changed. GPG Keys, Sonatype passwords and Gradle API keys should be stored as secrets on Github Actions. Specifically as we already have a Publish Snapshot workflow that is doing something similar so we already have most of the setup in-place.
Depending on Maven Local We can't discover at release time that our Gradle Plugin is broken. This adds a lot of burden to the release process and should instead be up to the PR author to make sure the Gradle Plugin works correctly. This should be easy to do with an Included build
Releasing using an older version of the Gradle plugin Similarly to the previous point, the whole release process is done with the previous version of the Detekt Gradle plugin. So by the time something breaks, that's too late as you already published a potentially broken plugin.
The Gradle plugin is not on Maven Central For some reason we're not publishing the Gradle Plugin to Maven Central (but only to Gradle Portal). I.e. we need to
./gradlew publishPlugins -DautomatePublishing=true
. I believe that this should be changed and I'm unsure to why was this set up in this way. It makes really hard to work with Maven Local as the Gradle Plugin marker is not published there (for the similar setup). Similarly, users of our SNAPSHOT can't easily try the Gradle Plugin as the marker is missing on Sonatype, etc.Release Notes are difficult to write I personally write the release notes, starting from the automated script. It's not an easy task as you need to go through all the PRs marked as
notable changes
and find a short sentence to describe it. Ideally we should have more precise labels likerules:added
,rules:new-config
,fixed:false-positive
,fixed:regression
and have a more categorized changelog. That's space for another topic.We're not always tagging the correct commit As the
./gradlew githubRelease
is done manually and always tags the commit on top ofmain
, we sometimes tag a wrong commit. This happens if, by the time the Release PR is merged, another PR got merged first. What this means is that we're effectively tagging a SHA with a version that contains a change that we haven't shipped. Should we make a point release from that tag, we will include extra changed that were not intended.PRs land without a milestone As mentioned above, we do have PRs landing without a milestone. This means that they won't show up in the release notes and people will have a hard time finding in which version such a change landed.
Release timing is unclear Not having a clear schedule makes hard for people to depend on us. As we don't know when say
1.20.x
will be out, it's hard for tools that are building on top of Detekt to decide when to release and so on.The Release PR can't be green till the release is available online The fact that we do have a "Prepare Detekt 1.21.0" PR that can't be merged till Detekt 1.21.0 is released and published to the public is a sympthom of our setup. In an ideal world we should:
Before we jump into solution mode, I'm happy to hear some opinions and alternatives on tools & solutions that could help us here.
Beta Was this translation helpful? Give feedback.
All reactions