-
Notifications
You must be signed in to change notification settings - Fork 46
165 lines (162 loc) · 7.73 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
# WARNING: Do not edit this file directly. Instead, go to:
#
# https://github.com/micronaut-projects/micronaut-project-template/tree/master/.github/workflows
#
# and edit them there. Note that it will be sync'ed to all the Micronaut repos
name: Release
on:
release:
types: [published]
jobs:
release:
outputs:
artifacts-sha256: ${{ steps.hash.outputs.artifacts-sha256 }} # Computed hashes for build artifacts.
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
token: ${{ secrets.GH_TOKEN }}
- uses: gradle/wrapper-validation-action@v1
- name: Set up JDK
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'
- name: Set the current release version
id: release_version
run: echo "release_version=${GITHUB_REF:11}" >> $GITHUB_OUTPUT
- name: Run pre-release
uses: micronaut-projects/github-actions/pre-release@master
env:
MICRONAUT_BUILD_EMAIL: ${{ secrets.MICRONAUT_BUILD_EMAIL }}
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Publish to Sonatype OSSRH
id: publish
env:
SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
GPG_FILE: ${{ secrets.GPG_FILE }}
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
run: |
echo $GPG_FILE | base64 -d > secring.gpg
# Publish both locally and to Sonatype.
# The artifacts stored locally will be used to generate the SLSA provenance.
./gradlew publishAllPublicationsToBuildRepository publishToSonatype closeAndReleaseSonatypeStagingRepository
# Read the current version from gradle.properties.
VERSION=$(./gradlew properties | grep 'version:' | awk '{print $2}')
# Read the project group from gradle.properties.
GROUP_PATH=$(./gradlew properties| grep "projectGroup" | awk '{print $2}' | sed 's/\./\//g')
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
echo "group=$GROUP_PATH" >> "$GITHUB_OUTPUT"
- name: Generate subject
id: hash
run: |
# Find the artifact JAR and POM files in the local repository.
ARTIFACTS=$(find build/repo/${{ steps.publish.outputs.group }}/*/${{ steps.publish.outputs.version }}/* \
-type f \( \( -iname "*.jar" -not -iname "*-javadoc.jar" -not -iname "*-sources.jar" \) -or -iname "*.pom" \))
# Compute the hashes for the artifacts.
# Set the hash as job output for debugging.
echo "artifacts-sha256=$(sha256sum $ARTIFACTS | base64 -w0)" >> "$GITHUB_OUTPUT"
# Store the hash in a file, which is uploaded as a workflow artifact.
sha256sum $ARTIFACTS | base64 -w0 > artifacts-sha256
- name: Upload build artifacts
uses: actions/upload-artifact@v3
with:
name: gradle-build-outputs
path: build/repo/${{ steps.publish.outputs.group }}/*/${{ steps.publish.outputs.version }}/*
retention-days: 5
- name: Upload artifacts-sha256
uses: actions/upload-artifact@v3
with:
name: artifacts-sha256
path: artifacts-sha256
retention-days: 5
- name: Generate docs
run: ./gradlew docs
env:
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ secrets.GH_TOKEN_PUBLIC_REPOS_READONLY }}
GH_USERNAME: ${{ secrets.GH_USERNAME }}
- name: Export Gradle Properties
uses: micronaut-projects/github-actions/export-gradle-properties@master
- name: Publish to Github Pages
if: success()
uses: micronaut-projects/github-pages-deploy-action@master
env:
BETA: ${{ !(github.event.release.target_commitish == github.event.repository.default_branch) || contains(steps.release_version.outputs.release_version, 'M') || contains(steps.release_version.outputs.release_version, 'RC') }}
GH_TOKEN: ${{ secrets.GH_TOKEN }}
BRANCH: gh-pages
FOLDER: build/docs
VERSION: ${{ steps.release_version.outputs.release_version }}
TARGET_REPOSITORY: ${{ github.repository == 'micronaut-projects/micronaut-core' && env.docsRepository || github.repository }}
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
- name: Run post-release
if: success()
uses: micronaut-projects/github-actions/post-release@master
env:
MICRONAUT_BUILD_EMAIL: ${{ secrets.MICRONAUT_BUILD_EMAIL }}
with:
token: ${{ secrets.GITHUB_TOKEN }}
provenance-subject:
needs: [release]
runs-on: ubuntu-latest
outputs:
artifacts-sha256: ${{ steps.set-hash.outputs.artifacts-sha256 }}
steps:
- name: Download artifacts-sha256
uses: actions/download-artifact@v3
with:
name: artifacts-sha256
# The SLSA provenance generator expects the hash digest of artifacts to be passed as a job
# output. So we need to download the artifacts-sha256 and set it as job output. The hash of
# the artifacts should be set as output directly in the release job. But due to a known bug
# in GitHub Actions we have to use a workaround.
# See https://github.com/community/community/discussions/37942.
- name: Set artifacts-sha256 as output
id: set-hash
shell: bash
run: echo "artifacts-sha256=$(cat artifacts-sha256)" >> "$GITHUB_OUTPUT"
provenance:
needs: [release, provenance-subject]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.provenance-subject.outputs.artifacts-sha256 }}"
upload-assets: true # Upload to a new release.
compile-generator: true # Build the generator from source.
github_release:
needs: [release, provenance]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Download artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: gradle-build-outputs
path: build/repo
- name: Create artifacts archive
shell: bash
run: |
find build/repo -type f \( \( -iname "*.jar" -not -iname "*-javadoc.jar" -not \
-iname "*-sources.jar" \) -or -iname "*.pom" \) | xargs zip artifacts.zip
- name: Upload assets
# Upload the artifacts to the existing release. Note that the SLSA provenance will
# attest to each artifact file and not the aggregated ZIP file.
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
files: artifacts.zip