update CONTRIBUTING.md to include signed artifact github upload (#73)

cdimascio · carmine · web-flow · commit d2167329ee87 · 2024-09-01T09:16:20.000-04:00
* Delete .github/workflows/codeql.yml

* remove codeql workflow - its configured through settings

* fix javadoc

* remove codeql workflow - its configured through settings

* fix javadoc

* update CONTRIBUTING.md

---------

Co-authored-by: carmine &lt;carmine@everco.ai&gt;
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -41,32 +41,42 @@ Run the following to ensure the package step succeeds.
 mvn clean test jacoco:report package 
 ```
 
-### Publish to MavenCentral
-
-Contributors are not responsible for deploying to mavencentral.
+## Release Process
 
-**Maven Central**
-
-- Publish with Maven - https://central.sonatype.org/publish/publish-maven/
-- GPG Setup - https://central.sonatype.org/publish/requirements/gpg/
-- https://oss.sonatype.org/#profile;User%20Token
-  - get oss.sonatype token
-
-To publish a gpg key:
+### Build
 
+Build sources and javadoc
 ```shell
-gpg --send-keys 5BE1414D5EAF81B48F2E77E1999F818C080AF9C1
-````
+mvn clean test jacoco:report package 
+```
 
-where `5BE1414D5EAF81B48F2E77E1999F818C080AF9C1` is the public key
+Generate signed artifacts locally
+```shell
+mvn verify -P release-sign-artifacts -DperformRelease=true
+```
 
+### Publish to Maven Central
 
+Deploy
 ```shell
 mvn clean test jacoco:report package deploy -DperformRelease=true
 ```
+When first publishing to staging repos, you most close and release from OSS Sonatype. To do this
+- navigate to https://oss.sonatype.org/#stagingRepositories
+- select repository
+- press the `close` button
+- press the `release` button
+
+#### Artifacts upload
+- Upload change log
+  ```shell
+  gh release create v3.0.1 -F CHANGELOG.md
+  ```
 
-Navigate to https://oss.sonatype.org/#stagingRepositories, select repository, then press the `close` button, then  `release`
-
+- Attach 'signed' artifacts (needed for OpenSSF Security Score)
+  ```shell
+  gh release upload target/*.jar.asc --clobber       
+  ```
 ### Publish to Github Packages
 
 _Note: This step can only be run by maintainers._
@@ -88,13 +98,49 @@ Add `distributionManagement` to `pom.xml`
 mvn deploy -Dregistry=https://maven.pkg.github.com/cdimascio -Dtoken=XXXX
 # or
 mvn clean test jacoco:report package deploy  -Dregistry=https://maven.pkg.github.com/cdimascio -Dtoken=XXXX
+```
+
+## Notes
+
+
+### Publish to MavenCentral
 
+Contributors are not responsible for deploying to mavencentral.
+
+**Maven Central**
+
+- Publish with Maven - https://central.sonatype.org/publish/publish-maven/
+- GPG Setup - https://central.sonatype.org/publish/requirements/gpg/
+- https://oss.sonatype.org/#profile;User%20Token
+  - get oss.sonatype token
+
+To publish a gpg key:
+
+```shell
+gpg --send-keys 5BE1414D5EAF81B48F2E77E1999F818C080AF9C1
+````
+
+where `5BE1414D5EAF81B48F2E77E1999F818C080AF9C1` is the public key
+
+
+```shell
+mvn clean test jacoco:report package deploy -DperformRelease=true
+```
+
+Generate signed artifacts locally without deploying
+
+```shell
+mvn verify -P release-sign-artifacts -DperformRelease=true
 ```
 
+Navigate to https://oss.sonatype.org/#stagingRepositories, select repository, then press the `close` button, then  `release`
+
+
 https://docs.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-apache-maven-for-use-with-github-packages
 
 
-OpenSSF Security Scorecard
+### OpenSSF Security Scorecard
 - Get Analysis Result: https://api.securityscorecards.dev/#/results/getResult
 - Step Security - Secure Your Repo Analysis + auto PR - https://app.stepsecurity.io/securerepo
 - Step Security - For Repo - https://app.stepsecurity.io/github/cdimascio/actions/dashboard
+
