Merge branch 'release/1.13.0' into develop

* release/1.13.0:
  don't include actual email addresses
  save 1.13.0 vote result
  shorten/simplify gpg key sending commands
  update link to rc verification instructions
  fix typos in step 9 re: running the binary
  improve step 9 artifact verification gpg tips
  fix tarball explosion in release step 9 🧯
  cucumber.adoc: fix list continuations
  further improve release steps 6 and 9
  release step 6: fix sanity check example
  improve staging doc and commands in release step 8
  doc: remove errant config but keep :sectlinks:
  clean during artifact build release step 6
  FINERACT-2326: Do not remove external id if transaction got not replayed
  FINERACT-2326: Fix `Trial Balance Summary with asset owner` report
  FINERACT-2326: Loan point in time API now properly handles future dates
  improve release branch email template
  improve release process kickoff email template

Author: meonkeys

buildSrc/src/main/resources/email/release.step01.headsup.message.ftl

@@ -20,9 +20,7 @@
 -->
 Hello everyone,
 
-... based on our "How to Release Apache Fineract" process (https://cwiki.apache.org/confluence/x/DRwIB) as well as the "Releases" chapter in the docs (https://fineract.apache.org/docs/current/#_releases),
-
-I will create a ${project['fineract.release.version']} branch off develop in our git repository at https://github.com/apache/fineract on ${project['fineract.releaseBranch.date']}.
+... based on our release process (https://fineract.apache.org/docs/current/#_releases), I will create a release/${project['fineract.release.version']} branch off develop in our git repository at https://github.com/apache/fineract on ${project['fineract.releaseBranch.date']}.
 
 The release tracking umbrella issue for tracking all activity in JIRA is FINERACT-${project['fineract.release.issue']!'0000'} (https://issues.apache.org/jira/browse/FINERACT-${project['fineract.release.issue']!'0000'}).
 

buildSrc/src/main/resources/email/release.step03.branch.message.ftl

@@ -20,13 +20,13 @@
 -->
 Hello everyone,
 
-... as previously announced, I've just created the release branch for our upcoming ${project['fineract.release.version']} release.
+... as previously announced, I've created the branch for our upcoming ${project['fineract.release.version']} release. The branch name is release/${project['fineract.release.version']}.
 
-You can continue working and merging PRs to the develop branch for future releases, as always.
+You can continue working and merging PRs into the develop branch for future releases, as always.
 
-The DRAFT release notes are on https://cwiki.apache.org/confluence/display/FINERACT/${project['fineract.release.version']}+-+Apache+Fineract . Does anyone see anything missing?
+I started the DRAFT release notes at https://cwiki.apache.org/confluence/display/FINERACT/${project['fineract.release.version']}+-+Apache+Fineract . Please help me by filling in "Summary of changes". Does anyone see anything else missing?
 
-Does anyone have any last minutes changes they would like to see cherry-picked to branch ${project['fineract.release.version']}, or are we good go and actually cut the release based on this branch as it is?
+Does anyone have any last minute changes for the release branch, or are we good to go and actually cut the release based on this branch as it is?
 
 I'll initiate the final stage of actually creating the release on ${project['fineract.release.date']} if nobody objects.
 

buildSrc/src/main/resources/email/release.step10.vote.message.ftl

@@ -42,7 +42,7 @@ Please indicate if you are a binding vote (member of the PMC). Note: PMC members
 
 Please also indicate with "Tested: YES/NO/PARTIAL" if you have locally built and/or tested these artifacts and/or a clone of the code checked out to the release commit, following the form:
 
-Tested: YES ... Verified integrity and signatures of release artifacts locally, built from source, ran jar/war: Did everything mentioned in the current release candidate verification guidance ( https://lists.apache.org/thread/hym94pdy3nk9gjspkz4qonv2v15n5dpo ). If you did more than that, please specify.
+Tested: YES ... Verified integrity and signatures of release artifacts locally, built from source, ran jar/war: Did everything mentioned in the current release candidate verification guidance ( https://fineract.apache.org/docs/rc/#_artifact_verification ). If you did more than that, please specify.
 
 Tested: NO ... No testing performed on release candidate, e.g. relying on testing performed by other contributors and/or output of GitHub Actions, while exercising my right to vote.
 

buildSrc/src/main/resources/email/release.step11.vote.message.ftl

@@ -38,45 +38,45 @@ Here are the detailed results:
 <#list project['fineract.vote'].approve.binding>
 Binding +1s:
     <#items as item>
-- ${item.name} (${item.email})
+- ${item.name}
     </#items>
 </#list>
 
 
 <#list project['fineract.vote'].approve.nonBinding>
 Non binding +1s:
     <#items as item>
-- ${item.name} (${item.email})
+- ${item.name}
     </#items>
 </#list>
 
 
 <#list project['fineract.vote'].disapprove.binding>
 Binding -1s:
     <#items as item>
-- ${item.name} (${item.email})
+- ${item.name}
     </#items>
 </#list>
 
 <#list project['fineract.vote'].disapprove.nonBinding>
 Non binding -1s:
     <#items as item>
-- ${item.name} (${item.email})
+- ${item.name}
     </#items>
 </#list>
 
 
 <#list project['fineract.vote'].noOpinion.binding>
 Binding +0s:
     <#items as item>
-- ${item.name} (${item.email})
+- ${item.name}
     </#items>
 </#list>
 
 <#list project['fineract.vote'].noOpinion.nonBinding>
 Non binding +0s:
     <#items as item>
-- ${item.name} (${item.email})
+- ${item.name}
     </#items>
 </#list>
 

buildSrc/src/main/resources/vote/result.1.13.0.json

@@ -0,0 +1,56 @@
+{
+  "approve": {
+    "binding": [
+      {
+        "name": "James Dailey",
+        "email": "[email protected]"
+      },
+      {
+        "name": "Victor Manuel Romero Rodriguez",
+        "email": "[email protected]"
+      },
+      {
+        "name": "Terence Monteiro",
+        "email": "[email protected]"
+      }
+    ],
+    "nonBinding": [
+      {
+        "name": "Adam Monsen",
+        "email": "[email protected]"
+      },
+      {
+        "name": "Bharath Gowda",
+        "email": "[email protected]"
+      },
+      {
+        "name": "Aleksandar Vidakovic",
+        "email": "[email protected]"
+      },
+      {
+        "name": "Ed Cable",
+        "email": "[email protected]"
+      },
+      {
+        "name": "Felix van Hove",
+        "email": "[email protected]"
+      },
+      {
+        "name": "Ahmed adel",
+        "email": "[email protected]"
+      }
+    ]
+  },
+  "disapprove": {
+    "binding": [
+    ],
+    "nonBinding": [
+    ]
+  },
+  "noOpinion": {
+    "binding": [
+    ],
+    "nonBinding": [
+    ]
+  }
+}

fineract-doc/src/docs/en/chapters/features/journal-entry-aggregation.adoc

@@ -1,11 +1,4 @@
 = Journal Entry Aggregation
-:experimental:
-:source-highlighter: highlightjs
-:toc: left
-:toclevels: 3
-:icons: font
-:sectlinks:
-:sectnums:
 
 == Overview
 The Journal Entry Aggregation Job is a Spring Batch-based solution designed to efficiently aggregate journal entries in the Fineract system. This job processes journal entries in configurable chunks, improving performance and resource utilization when dealing with large volumes of financial transactions.

fineract-doc/src/docs/en/chapters/release/configuration-gpg.adoc

@@ -151,7 +151,7 @@ sub cv25519/4FGHIJ56 2022-04-16 [E] [expires: 2024-04-16] <6>
 +
 <2> GPG created a revocation certificate and its directory. If your private key is compromised, you need to use your revocation certificate to revoke your key.
 +
-<3> The public key uses the Ed25519 ECC (Elliptic Curve Cryptography) algorithm and shows the expiration date of 16 Apr 2024. The public key ID `0x7890ABCD` matches the last 8 characters of key fingerprint. The `[SC]` indicates this key is used to sign (prove authorship) and certify (issue subkeys for encryption, signature and authentication operations).
+<3> The public key uses the Ed25519 ECC (Elliptic Curve Cryptography) algorithm and shows the expiration date of 16 Apr 2024. The public key ID `7890ABCD` matches the last 8 characters of key fingerprint. The `[SC]` indicates this key is used to sign (prove authorship) and certify (issue subkeys for encryption, signature and authentication operations).
 <4> The key fingerprint (`ABCD EFGH IJKL MNOP QRST UVWX YZ12 3456 7890 ABCD`) is a hash of your public key.
 +
 <5> Your name and your email address are shown with information about the subkey.
@@ -186,7 +186,7 @@ IMPORTANT: Please contact a PMC member to add your GPG public key in Fineract's
 +
 [source,bash]
 ----
-gpg --send-keys ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890ABCD
+gpg --send-keys 0xYZ1234567890ABCD
 ----
 +
 Before doing this, make sure that your default keyserver is hkp://keyserver.ubuntu.com/. You can do this by changing the default keyserver in ~/.gnupg/dirmngr.conf:
@@ -200,9 +200,7 @@ Alternatively you can provide the keyserver with the send command:
 +
 [source,bash]
 ----
-gpg \
-  --keyserver 'hkp://keyserver.ubuntu.com:11371' \
-  --send-keys ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890ABCD
+gpg --keyserver keyserver.ubuntu.com --send-keys 0xYZ1234567890ABCD
 ----
 +
 Another option to publish your key is to submit an armored public key directly at https://keyserver.ubuntu.com/. You can create the necessary data with this command by providing the email address that you used when you created your key pair:

fineract-doc/src/docs/en/chapters/release/process-step06.adoc

@@ -4,42 +4,32 @@
 
 Create source and binary tarballs.
 
-// FIXME - clean this up? focus on what commands should actually be run
-
 [source,bash,subs="attributes+"]
 ----
-./gradlew --rerun-tasks srcDistTar binaryDistTar <1>
+./gradlew clean srcDistTar binaryDistTar
 ----
-<1> The source tarball might not be created if `--rerun-tasks` is omitted.
+
+Check that `fineract-provider/build/classes/java/main/git.properties` exists. If so, continue. If not, you're likely encountering https://github.com/n0mer/gradle-git-properties/issues/233[this bug], and you need to re-run the command above to create proper source and binary tarballs. That `git.properties` file is supposed to end up at `BOOT-INF/classes/git.properties` in `fineract-provider-{revnumber}.jar` in the binary release tarball. Its contents are displayed at the `/fineract-provider/actuator/info` endpoint. It may be possible to fix this heisenbug entirely by https://github.com/gradle/gradle/issues/34177#issuecomment-3051970053[modifying our git properties gradle plugin config] in `fineract-provider/build.gradle`, perhaps by changing where `git.properties` is written.
 
 Look in `fineract-war/build/distributions/` for the tarballs.
 
-Make sure to do some sanity checks. The source tarball and the code in the release branch (at the commit with the release tag) should match.
+Do some sanity checks. The source tarball and the code in the release branch (at the commit with the release tag) should match.
 
 [source,bash,subs="attributes+"]
 ----
 cd /fineract-release-preparations
-tar -xvf path/to/apache-fineract-src-{revnumber}.tar.gz
+tar -xvzf path/to/apache-fineract-src-{revnumber}.tar.gz
 git clone [email protected]:apache/fineract.git
 cd fineract/
 git checkout tags/{revnumber}
 cd ..
 diff -r fineract apache-fineract-src-{revnumber}
 ----
 
-// FIXME - add output example
-
-Make sure the code compiles and tests pass on the uncompressed source. Do as much testing as you can and share what you did. Here's the bare minimum check:
-
-[source,bash,subs="attributes+"]
-----
-./gradlew build -x test -x doc
-----
+Make sure the code compiles and tests pass on the uncompressed source. You should at the very least do exactly what you will ask the community to do in <<Step 9: Verify Distribution Staging>>.
 
 Ideally you'd build code and docs and run every possible test and check, but https://github.com/apache/fineract/actions[running everything has complex dependencies, caches, and takes many hours]. It is rarely done in practice offline / local / on developer machines. But please, go ahead and run the test and doc tasks, and more! Grab a cup of coffee and run everything you can. See the various builds in `.github/workflows/` and try the same things on your own. We should all hammer on a release candidate as much as we can to see if it breaks and fix it if so. All that of course improves our final release.
 
-Finally, inspect `apache-fineract-bin-{revnumber}.tar.gz`. Make sure the `fineract-provider-{revnumber}.jar` can be run directly, and the `fineract-provider.war` can be run with Tomcat.
-
 NOTE: We don't release any artifacts to Apache's Maven repository.
 
 == Gradle Task

fineract-doc/src/docs/en/chapters/release/process-step08.adoc

@@ -2,7 +2,7 @@
 
 == Description
 
-Finally create a directory with release name ({revnumber} in this example) in https://dist.apache.org/repos/dist/dev/fineract and add the following files in this new directory:
+Next we'll stage the release candidate. Create a new folder and add these files:
 
 * apache-fineract-bin-{revnumber}.tar.gz
 * apache-fineract-bin-{revnumber}.tar.gz.sha512
@@ -11,16 +11,18 @@ Finally create a directory with release name ({revnumber} in this example) in ht
 * apache-fineract-src-{revnumber}.tar.gz.sha512
 * apache-fineract-src-{revnumber}.tar.gz.asc
 
-These files (or "artifacts") make up the release candidate.
-
-Upload these files to ASF's distribution dev (staging) area:
+These files (or "artifacts") comprise the release candidate. Upload these files to https://www.apache.org/legal/release-policy.html#stage[ASF's distribution dev/staging area] like so:
 
 [source,bash,subs="attributes+"]
 ----
+# this is a remote operation
 svn mkdir https://dist.apache.org/repos/dist/dev/fineract/{revnumber}
+# create local svn-tracked folder "{revnumber}"
 svn checkout https://dist.apache.org/repos/dist/dev/fineract/{revnumber}
-cp path/to/files/* {revnumber}/
+# prepare to upload
+cp path/to/new/folder/* {revnumber}/
 cd {revnumber}/
+# actual upload occurs here
 svn add * && svn commit
 ----
 

fineract-doc/src/docs/en/chapters/release/process-step09.adoc

@@ -21,8 +21,7 @@ Make sure release artifacts are hosted at https://dist.apache.org/repos/dist/dev
 ----
 # source tarball signature and checksum verification steps
 # we'll check the source tarball first
-version={revnumber}
-src=apache-fineract-src-$version.tar.gz
+src=apache-fineract-src-{revnumber}.tar.gz
 
 # upon success: prints "Good signature" and returns successful exit code
 # upon failure: prints "BAD signature" and returns error exit code
@@ -33,43 +32,75 @@ gpg --verify $src.asc
 gpg --print-md SHA512 $src | diff - $src.sha512
 
 # binary tarball signature and checksum verification steps and outputs are similar
-bin=apache-fineract-bin-$version.tar.gz
+bin=apache-fineract-bin-{revnumber}.tar.gz
 gpg --verify $bin.asc
 gpg --print-md SHA512 $bin | diff - $bin.sha512
 ----
 
-For folks new to https://www.gnupg.org/[GnuPG], there are a couple things to note. First, if it says the source or binary tarball detached signature is correct, that's great! That's the most important part.
+Look for `Good signature` in the `gpg` output:
 
-Second, if you've imported `KEYS` but gpg warns you the key used for signing is not trusted, you can tell gpg you trust the key to squelch the warning. Ideally you meet the alleged key owner in person and check their ID first. Once you trust their identity matches, you then indicate your trust for their key.
+[source,text,subs="attributes+"]
+----
+$ gpg --verify $bin.asc
+gpg: assuming signed data in 'apache-fineract-bin-{revnumber}.tar.gz'
+gpg: Signature made Sat 11 Oct 2025 05:46:42 PM PDT
+gpg:                using EDDSA key 250775BDB5FE7D53E4AF95C00E895A1A7A090CFC
+gpg: Good signature from "Adam Monsen <[email protected]>" [unknown]
+----
+
+That's the most important part.
+
+You may see this warning:
 
-Start with `gpg --edit-key KEYID`, substituting the signing key id for `KEYID`. At the `gpg>` prompt, run the `trust` command and choose `4` (I trust fully). You could also choose `3` (marginal), but do _not_ choose `5` (ultimate).
+[source,text]
+----
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+----
 
-TIP: Consider also https://en.wikipedia.org/wiki/Key_signing_party[signing] and https://en.wikipedia.org/wiki/Web_of_trust[uploading] each other's keys.
+You may choose to ignore it. To squelch this warning, you must extend your https://en.wikipedia.org/wiki/Web_of_trust[web of trust], by, for example, https://en.wikipedia.org/wiki/Key_signing_party[signing the release manager's key].
+
+Now it's time to build and run the release candidate.
 
 === Build from source
 
-[source,bash]
+[source,bash,subs="attributes+"]
 ----
 tar -xzf $src
-cd apache-fineract-src-$version
-gradle build -x test -x doc
+cd apache-fineract-src-{revnumber}
+./gradlew build -x test -x doc
 cd ..
 ----
 
 === Run from binary
 
-Before running this you must first start a database server and ensure the `fineract_default` and `fineract_tenant` databases exist. Then:
+Before running Fineract you must first start a <<Database support,supported relational database server>> and ensure the `fineract_default` and `fineract_tenants` databases exist. Detailed steps for database preparation are left as an exercise for the reader. You can find ideas on how to prepare your database in the `build-mariadb.yml`, `build-mysql.yml`, and `build-postgresql.yml` files in source control.
 
-[source,bash]
+Finally, start your Fineract server:
+
+[source,bash,subs="attributes+"]
+----
+tar -xvzf apache-fineract-bin-{revnumber}.tar.gz
+cd apache-fineract-bin-{revnumber}
+export FINERACT_SERVER_SSL_ENABLED=false
+export FINERACT_SERVER_PORT=8080
+export BACKEND_PROTOCOL=http
+export BACKEND_PORT=$FINERACT_SERVER_PORT
+# assumes reachable, healthy mariadb with default username, password, and port
+java -jar fineract-provider-{revnumber}.jar
+----
+
+Alternatively, you can run it in Tomcat:
+
+[source,bash,subs="attributes+"]
 ----
-tar -xzf $bin
-cd apache-fineract-bin-$version
 cat << 'EndOfRcenv' >> rcenv
 FINERACT_SERVER_SSL_ENABLED=false
 FINERACT_SERVER_PORT=8080
 BACKEND_PROTOCOL=http
 BACKEND_PORT=$FINERACT_SERVER_PORT
 EndOfRcenv
+# assumes reachable, healthy mariadb with default username, password, and port
 docker run --rm -it -v "$(pwd):/usr/local/tomcat/webapps" \
   --net=host --env-file=rcenv tomcat:jre21
 ----