Add dependency promotion/demotion step to release checklist

emlun · emlun · commit ee3ecf3ec485 · 2024-02-13T18:04:39.000+01:00
diff --git a/doc/releasing.md b/doc/releasing.md
@@ -6,13 +6,22 @@ Release candidate versions
 
  1. Make sure release notes in `NEWS` are up to date.
 
- 2. Run the tests one more time:
+ 2. Review the diff from the previous version for any changes to the public API,
+    and adjust the upcoming version number accordingly.
+
+    If any implementation dependencies have been added to method signatures in
+    the public API, including `throws` declarations, change these dependencies
+    from `implementation` to `api` dependency declarations in the relevant
+    Gradle build script. Conversely, remove or downgrade to `implementation` any
+    dependencies no longer exposed in the public API.
+
+ 3. Run the tests one more time:
 
     ```
     $ ./gradlew clean check
     ```
 
- 3. Update the Java version in the [`release-verify-signatures`
+ 4. Update the Java version in the [`release-verify-signatures`
     workflow](https://github.com/Yubico/java-webauthn-server/blob/main/.github/workflows/release-verify-signatures.yml#L42).
 
     See the `openjdk version` line of output from `java -version`:
@@ -34,21 +43,21 @@ Release candidate versions
 
     Commit this change, if any.
 
- 4. Tag the head commit with an `X.Y.Z-RCN` tag:
+ 5. Tag the head commit with an `X.Y.Z-RCN` tag:
 
     ```
     $ git tag -a -s 1.4.0-RC1 -m "Pre-release 1.4.0-RC1"
     ```
 
     No tag body needed.
 
- 5. Publish to Sonatype Nexus:
+ 6. Publish to Sonatype Nexus:
 
     ```
     $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
     ```
 
- 6. Push to GitHub.
+ 7. Push to GitHub.
 
     If the pre-release makes significant changes to the project README, such
     that the README does not accurately reflect the latest non-pre-release
@@ -66,7 +75,7 @@ Release candidate versions
     $ git push origin main 1.4.0-RC1
     ```
 
- 7. Make GitHub release.
+ 8. Make GitHub release.
 
     - Use the new tag as the release tag.
     - Check the pre-release checkbox.
@@ -76,7 +85,7 @@ Release candidate versions
     - Note the JDK version shown by `java -version` in step 3.
       For example: `openjdk version "17.0.7" 2023-04-18`.
 
- 8. Check that the ["Reproducible binary"
+ 9. Check that the ["Reproducible binary"
     workflow](https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
     runs and succeeds.
 
@@ -86,7 +95,16 @@ Release versions
 
  1. Make sure release notes in `NEWS` are up to date.
 
- 2. Make a no-fast-forward merge from the last (non release candidate) release
+ 2. Review the diff from the previous version for any changes to the public API,
+    and adjust the upcoming version number accordingly.
+
+    If any implementation dependencies have been added to method signatures in
+    the public API, including `throws` declarations, change these dependencies
+    from `implementation` to `api` dependency declarations in the relevant
+    Gradle build script. Conversely, remove or downgrade to `implementation` any
+    dependencies no longer exposed in the public API.
+
+ 3. Make a no-fast-forward merge from the last (non release candidate) release
     to the commit to be released:
 
     ```
@@ -108,13 +126,13 @@ Release versions
     $ git branch -d release-1.4.0
     ```
 
- 3. Remove the "(unreleased)" tag from `NEWS`.
+ 4. Remove the "(unreleased)" tag from `NEWS`.
 
- 4. Update the version in the dependency snippets in the README.
+ 5. Update the version in the dependency snippets in the README.
 
- 5. Update the version in JavaDoc links in the READMEs.
+ 6. Update the version in JavaDoc links in the READMEs.
 
- 6. Update the Java version in the [`release-verify-signatures`
+ 7. Update the Java version in the [`release-verify-signatures`
     workflow](https://github.com/Yubico/java-webauthn-server/blob/main/.github/workflows/release-verify-signatures.yml#L42).
 
     See the `openjdk version` line of output from `java -version`:
@@ -134,40 +152,40 @@ Release versions
         java: ["17.0.7"]
     ```
 
- 7. Amend these changes into the merge commit:
+ 8. Amend these changes into the merge commit:
 
     ```
     $ git add NEWS README */README .github/workflows/release-verify-signatures.yml
     $ git commit --amend --reset-author
     ```
 
- 8. Run the tests one more time:
+ 9. Run the tests one more time:
 
     ```
     $ ./gradlew clean check
     ```
 
- 9. Tag the merge commit with an `X.Y.Z` tag:
+10. Tag the merge commit with an `X.Y.Z` tag:
 
     ```
     $ git tag -a -s 1.4.0 -m "Release 1.4.0"
     ```
 
     No tag body needed since that's included in the commit.
 
-10. Publish to Sonatype Nexus:
+11. Publish to Sonatype Nexus:
 
     ```
     $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
     ```
 
-11. Push to GitHub:
+12. Push to GitHub:
 
     ```
     $ git push origin main 1.4.0
     ```
 
-12. Make GitHub release.
+13. Make GitHub release.
 
     - Use the new tag as the release tag.
     - Copy the release notes from `NEWS` into the GitHub release notes; reformat
@@ -176,6 +194,6 @@ Release versions
     - Note the JDK version shown by `java -version` in step 6.
       For example: `openjdk version "17.0.7" 2023-04-18`.
 
-13. Check that the ["Reproducible binary"
+14. Check that the ["Reproducible binary"
     workflow](https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
     runs and succeeds.
