Child pages
  • Building Struts 2 - Fast track release
Skip to end of metadata
Go to start of metadata

This version is outdated! Work-in-progress!


Building Steps (Struts)

Getting ready

  1. Prepare new Security Bulletin - use just brief description about the security vulnerability, no examples, no proof-of-concept, anything that could be used against users, secure the page to allow access only member of struts-committers group in Confluence
  2. Create a new Version Notes page in Confluence, link from Migration Guide, and link to prior release page and JIRA DONE filters of the version to release, secure the page to allow access only member of struts-committers group in Confluence
  3. When a serious security issue arises, we should try to create a STRUTS_#_#_#_X branch from the last GA release (from tag - check it out and use mvn release:branch as below).

    svn co
    cd STRUTS_#_#_#
    mvn release:branch -DbranchName=STRUTS_#_#_#_X -DupdateBranchVersions=true -DupdateWorkingCopyVersions=false -DautoVersionSubmodules=true

    Read the maven release:branch docs for further details or alternatively

  4. Apply to that branch only the security patch
  5. Commit the fix. No reference should be make to the commit being related to a security vulnerability.
  6. If the patch first applies to some other dependency, implore the other group to do the same, to avoid side-effects from other changes.
  7. Release the upcoming version in JIRA (under Administration/Manage Releases) and tag the release date
  8. Create DONE and TODO filters for the new version, share with all, and remove obsolete TODO filter

Changing version in poms

If needed, you can use Versions Maven Plugin to set -SNAPSHOT version in all poms, like below:

mvn versions:set -DnewVersion= -DgenerateBackupPoms=false

Update version of archetypes

Edit src/site/resources/archetype-catalog.xml and change version of archetypes to current $VERSION, save and commit.

Apply security patch

Apply and commit security patch.

Prepare release

Tag the release by using the {{release:prepare}} goal of Maven:

mvn release:prepare -DautoVersionSubmodules=true

For a dry run, add '-DdryRun=true'. If you do a dry run, use 'mvn release:clean' to clean up after you have looked at the output.

When prompted for the SCM tag name, follow this pattern: STRUTS_2_3_[PATCH_VERSION]

If you get the error message above, try to re-run mvn release:prepare -DautoVersionSubmodules=true command again, -Dresume flag is set to true by default and the plugin will resume the release process from where it failed before.

This step will (more information):

  • Check that there are no uncommitted changes in the sources
  • Check that there are no SNAPSHOT dependencies
  • Change the version in the poms from x-SNAPSHOT to a new version (you will be prompted for the versions to use)
  • Transform the SCM information in the POM to include the final destination of the tag
  • Run the project tests against the modified POMs to confirm everything is in working order
  • Commit the modified POMs
  • Tag the code in the SCM with a version name (this will be prompted for)
  • Bump the version in the POMs to a new value y-SNAPSHOT (these values will also be prompted for)
  • Commit the modified POMs

Perform the release

mvn release:perform -Dusername=yourSvnUsername

This step will (more information):

  • Checkout from an SCM URL with optional tag
  • Run the predefined Maven goals to release the project (by default, deploy site-deploy)

N.B.: this step takes a long time (about 2 hours with a broadband connection)

After this step the artifacts will be hosted by Nexus

If you need to run perform again, (or in a different box), do:

git clone
git checkout $VERSION
mvn deploy --no-plugin-updates -DperformRelease=true 

Next, log in to Nexus and close staging repository.

Move the assemblies to the /www/$VERSION dir

After closing repository in Nexus, check if the version is available from staging repository as below:$VERSION/

In order to move the assemblies login to and execute the following code:

# create the destination directory
mkdir $VERSION

# get the distro
wget -erobots=off -nv  -l 1 --accept=zip,md5,sha1,asc -r --no-check-certificate -nd -nH$VERSION

# rename files
for f in *2-assembly*.zip*
 mv $f `echo $f | sed s/2-assembly//g`

# remove unneeded files
for f in struts2-assembly-*.pom*
 rm $f

# remove unneeded hashes
rm *.asc.md5
rm *.asc.sha1

After that move the assemblies directory to the builds destination with

mv $VERSION /www/

Jira stuff

  • Update JIRA roadmap with tag/release date - release the version in JIRA
  • Add next milestone to the JIRA roadmap
  • Create DONE and TODO filters, share with all, and remove obsolete TODO filter
  • Create new release page, link from Migration Guide, and link to prior release page and JIRA filters

Vote on it

Post a release/quality vote to the dev list (and only the dev list). The example mail is on Sample announcements page. Include the term "fast-track" in the subject, as: [VOTE] Struts quality (fast track).

Copy files

After the vote, if the distribution is being mirrored (there was a favourable release vote) copy the Sources and Binaries:

cd /www/$VERSION
cp struts-$VERSION-src.*  /www/
cp struts-$VERSION-docs.*  /www/
cp struts-$VERSION-lib.* /www/
cp struts-$VERSION-apps.* /www/
cp struts-$VERSION-all.* /www/   

If a new DTD was defined, copy it to /www/ and change permission to struts group (chown :struts *.dtd) and write rights (chmod g+w *.dtd).

The default setup on will leave the files and directories only changeable by the user who creates them. The last two steps will allow future releases to go smoothly.

Promote release

Log in again to Nexus and release the repository, it will be automatically replicated across Maven Repositories
See Releasing a Maven-based project for further details.

Clean up old releases

Remove the old files from under /www/ to synchronize only the latest version with peers. All the files from /www/ are always mirrored to

Wait for rsync

Wait 24 hours before proceeding.

(Optional) - Update Security Bulletins

If the release will fix a - hopefully yet undisclosed - security issue, it's now time to update the Security Bulletins page and add a new announcement. For a template, just check former announcements

Update site (Struts top level site)

  • Check out site src code

    svn co struts-site
  • Update xml files
    • struts-site/src/site/xdoc/announce.xml (if applicable, refer also to corresponding security bulletin)
    • struts-site/src/site/xdoc/downloads.xml (remove previous version)
    • struts-site/src/site/xdoc/download.xml (remove previous version)
    • struts-site/src/site/xdoc/index.xml
    • struts-site/src/site/site.xml
    • struts-site/src/site/resources/archetype-catalog.xml
  • Commit the changes
  • Got to Struts Staging and review the changes
  • If everything is ok, push changes to Production via Apache CMS web interface

Update site (Struts 2 site)

Use below script to perform update

# script used to update struts2-subsite after release


svn co struts-site
svn co$TAG/ $TAG

wget -erobots=off$VERSION/struts-$

unzip struts-$ -d docs
rm -r struts-site/release/$BRANCH/docs
rm -r struts-site/release/$BRANCH/struts2-core
rm -r struts-site/release/$BRANCH/struts2-plugins
rm -r struts-site/release/$BRANCH/xwork-core

mv -f docs/struts-$VERSION/docs/* struts-site/release/$BRANCH

cd $TAG
mvn site:site site:stage -DstagingDirectory=../struts-site/release/$BRANCH

cd ../struts-site

svn add --force ./
# Delete removed files
svn st | grep '^!' | awk '{print $2}' | xargs svn delete --force
svn commit -m "Updates Struts2 subsite after release process"

cd ..
rm -r struts-site
rm -r $TAG
rm -r docs
rm struts-$

Post announcements

We leave this as the last step, once the artifacts have had time to sync up on the mirrors.
Announce the release and the vulnerability. Typically this will be sent to the reporter, the project's users list (user@struts.a.o), the project's dev list (dev@struts.a.o), the project's announce list (announcements@struts.a.o),, and
Samples are available at Sample announcements page.

  • No labels