Update RELEASING.md with information about configuring other variables for the release pipeline (#102)

im-konge · PaulRMellor · katheris · web-flow · commit f37398b070ec · 2025-10-16T16:27:56.000+01:00
Signed-off-by: Lukas Kral &lt;lukywill16@gmail.com&gt;
Signed-off-by: Lukáš Král &lt;53821852+im-konge@users.noreply.github.com&gt;
Co-authored-by: PaulRMellor &lt;47596553+PaulRMellor@users.noreply.github.com&gt;
Co-authored-by: Kate Stanley &lt;11195226+katheris@users.noreply.github.com&gt;
diff --git a/development-docs/RELEASING.md b/development-docs/RELEASING.md
@@ -57,6 +57,37 @@ When starting the new run, it will ask for several parameters which you need to
 * Source pipeline ID (currently, only the build pipeline with ID `51` can be used).
 * Source build ID (the ID of the build from the release branch - use the long build ID from the URL and not the shorter build number).
 
+In addition, you can configure other variables used in the release pipeline.
+Each of these has a default value that can be used for regular releases.
+If you need to customize them, click the `Variables` section below the required parameters mentioned previously.
+You can configure:
+
+- `CENTRAL_USERNAME`: The username or token name of your user token. You can generate the user token at https://central.sonatype.com/usertoken (after logging in).
+- `CENTRAL_PASSWORD`: The actual token generated at https://central.sonatype.com/usertoken (after logging in).
+- `GPG_SIGNING_KEY`: The GPG key used to sign the artifacts.
+- `GPG_PASSPHRASE`:  The passphrase for the GPG key configured under `GPG_SIGNING_KEY`.
+
+---
+#### Generating GPG key for signing the artifacts
+
+When the artifacts are published, they are also signed using a GPG key.
+The pipeline uses default GPG keys generated by a maintainer. To use your own key, complete the following steps:
+
+1. Generate a GPG key (`gpg --full-generate-key`), or use the key that you already use for signing commits in GitHub, for example.
+2. The command prompts you for a password. This password is important because you will use it for the `GPG_PASSPHRASE` variable.
+3. Use `gpg --list-keys` to find your key ID, and store it for the next step.
+4. After you generate the key and obtain its ID, publish it to the public `keyserver`:
+   ```shell
+   gpg --keyserver keyserver.ubuntu.com --send-keys <YOUR_KEY_ID>
+   ```
+   This step is IMPORTANT. Without it, the release pipeline will fail on signing the artifacts.
+5. Export the key and encode it using Base64. Then copy the encoded key and use it for the `GPG_SIGNING_KEY` variable:
+   ```shell
+   gpg --export-secret-keys <YOUR_KEY_ID> | base64 > private.key
+   ```
+   The contents of `private.key` need to be copied and pasted into the `GPG_SIGNING_KEY`.
+---
+
 The release pipeline will push the images to the registry.
 It will also prepare in artifacts the ZIP and TAR.GZ archives with the installation files and the Helm Chart.
 You will need these later to attach them to the GitHub release.
