WIP release candidate staging workflow

.github/workflows/stage-release-candidate.yml

@@ -0,0 +1,78 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: Stage release candidate
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  # Automating the step at https://github.com/apache/pekko-site/wiki/Pekko-Release-Process#build-the-source-release-candidate
+  # Partly based on https://github.com/apache/daffodil/blob/main/.github/workflows/release-candidate.yml
+  stage-release-candidate-to-svn:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check version parameter
+        run: |-
+          if [[ "$REF" != "refs/tags/"* ]]; then 
+            echo "Trigger this workflow on a tag"
+            exit 1
+          fi
+          if [[ "$REF" != *"-RC"* ]]; then 
+            echo "Trigger this workflow on an RC tag"
+            exit 1
+          fi
+          export VERSION=$(echo $REF | sed -e "s/refs\/tags\/\(.*\)-.*/\\1/")
+          echo "Version: $VERSION"
+        env:
+          REF: ${{ github.event.ref }}
+
+      #- name: Checkout
+      #  uses: actions/checkout@v5
+      #  with:
+      #    fetch-depth: 0
+      #    fetch-tags: true
+      #    persist-credentials: false
+
+      #- name: Setup Java 17
+      #  uses: actions/setup-java@v5
+      #  with:
+      #    distribution: temurin
+      #    java-version: 17
+
+      #- name: Install sbt
+      #  uses: sbt/setup-sbt@17575ea4e18dd928fe5968dbe32294b97923d65b # v1.1.13
+
+      # We intentionally do not use the Coursier cache for release candidates,
+      # to reduce attack surface
+
+      # We intentionally postpone the signing to a separate step, to reduce
+      # attack surface
+      #- name: Generate source dist
+      #  run: |-
+      #    sbt "clean; set ThisBuild / version := \"$VERSION\"; sourceDistGenerate"
+
+      - name: Sign source dist
+        run: |-
+          echo $PEKKO_GPG_SECRET_KEY 
+          echo $PEKKO_GPG_SECRET_KEY | gpg --batch --import --import-options import-show
+          gpg -ab target/dist/*
+        env:
+          PEKKO_GPG_SECRET_KEY: ${{ secrets.PEKKO_GPG_SECRET_KEY }}