diff --git a/.github/actions/get-version/action.yaml b/.github/actions/get-version/action.yaml
new file mode 100644
index 000000000..c8e5720a8
--- /dev/null
+++ b/.github/actions/get-version/action.yaml
@@ -0,0 +1,54 @@
+name: Get version
+description: Detects if build is a snapshot and gets the release or snapshot version
+
+runs:
+ using: composite
+ steps:
+ # Checking if this particular build is a snapshot build
+ - name: Detect if snapshot
+ id: get-is-snapshot
+ shell: bash
+ run: |
+ # Getting previous commit
+ COMMIT_REF="HEAD~1"
+
+ # Checking if previous commit contains pom.xml. This should always return true
+ if ! git show "${COMMIT_REF}:pom.xml" &>/dev/null; then
+ echo "Error: pom.xml not found in commit ${COMMIT_REF}"
+ exit 1
+ fi
+
+ # Getting previous version
+ OLD_VERSIONS=$(git show "${COMMIT_REF}:pom.xml" |
+ sed -n '// { s/.*\([^<]*\)<\/revision>.*/\1/p; q }')
+
+ # Getting current version
+ NEW_VERSIONS=$(sed -n 's/.*\([^<]*\)<\/revision>.*/\1/p' pom.xml)
+
+ echo "old versions: ${OLD_VERSIONS}, new versions: ${NEW_VERSIONS}"
+ # Compare the extracted versions. CI will not commit snapshot version.
+ if [[ "${OLD_VERSIONS}" != "${NEW_VERSIONS}" ]]; then
+ echo "is-snapshot='false'" >> $GITHUB_OUTPUT
+ else
+ echo "is-snapshot='true'" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Get release or snapshot-version
+ id: get-release-version
+ shell: bash
+ run: |
+ IS_SNAPSHOT=${{ steps.get-is-snapshot.outputs.is-snapshot }}
+ if [ $IS_SNAPSHOT == 'true' ];then
+ echo release-version="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)-SNAPSHOT_$GITHUB_SHA" >> $GITHUB_OUTPUT
+ else
+ echo release-version="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT
+ fi
+
+outputs:
+ is-snapshot:
+ description: Whether this is a snapshot build
+ value: ${{ steps.get-is-snapshot.outputs.is-snapshot }}
+ release-version:
+ description: The release or snapshot version
+ value: ${{ steps.get-release-version.outputs.release-version }}
+
diff --git a/.github/workflows/push-to-stage.yaml b/.github/workflows/push-to-stage.yaml
index 86d098180..0d74c77c7 100644
--- a/.github/workflows/push-to-stage.yaml
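Review bot: The `is-snapshot` output is written with literal single quotes (`echo "is-snapshot='false'" >> $GITHUB_OUTPUT`), so the value the action exposes under `outputs:` is `'false'` or `'true'` including the quotes. The second step only works because `IS_SNAPSHOT=${{ steps.get-is-snapshot.outputs.is-snapshot }}` pastes that text into the script, where bash strips the quotes; a caller comparing the output in an expression (`== 'true'`) would not match. Writing `echo "is-snapshot=false" >> "$GITHUB_OUTPUT"` (and the `true` twin) fixes the value, though any consumer outside this diff that already compensates for the quotes should be checked first. With the quotes gone, the value can also be handed over through `env: IS_SNAPSHOT: ${{ steps.get-is-snapshot.outputs.is-snapshot }}` and tested as `[ "$IS_SNAPSHOT" == 'true' ]`, which keeps expression text out of the script body.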
+++ b/.github/workflows/push-to-stage.yaml @@ -3,7 +3,7 @@ name: clients-java-push-to-dev on: push: branches: - - dev-* + - dev-* # Used for dev branches - stage - stage-jdk8 workflow_dispatch: diff --git a/.github/workflows/release-stage.yaml b/.github/workflows/release-stage.yaml index 7ade9cef4..6090b8135 100644 --- a/.github/workflows/release-stage.yaml +++ b/.github/workflows/release-stage.yaml @@ -22,8 +22,8 @@ jobs: runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }} outputs: java-version: ${{ steps.get-java-version.outputs.java-version }} - is-snapshot: ${{ steps.get-is-snapshot.outputs.is-snapshot }} - release-version: ${{ steps.get-release-version.outputs.release-version }} + is-snapshot: ${{ steps.get-version.outputs.is-snapshot }} + release-version: ${{ steps.get-version.outputs.release-version }} steps: - name: Checkout client uses: actions/checkout@v4 
@@ -41,45 +41,9 @@ jobs: run: | echo ${{ steps.get-java-version.outputs.java-version }} - # Checking if this particular build is a snapshot build - - name: Detect if snapshot - id: get-is-snapshot - shell: bash - run: | - # Getting previous commit - COMMIT_REF="HEAD~1" - - # Checking if previous commit contains pom.xml. This should always return true - if ! git show "${COMMIT_REF}:pom.xml" &>/dev/null; then - echo "Error: pom.xml not found in commit ${COMMIT_REF}" - exit 1 - fi - - # Getting previous version - OLD_VERSIONS=$(git show "${COMMIT_REF}:pom.xml" | - sed -n '// { s/.*\([^<]*\)<\/revision>.*/\1/p; q }') - - # Getting current version - NEW_VERSIONS=$(sed -n 's/.*\([^<]*\)<\/revision>.*/\1/p' pom.xml) - - echo "old versions: ${OLD_VERSIONS}, new versions: ${NEW_VERSIONS}" - # Compare the extracted versions. CI will not commit snapshot version. - if [[ "${OLD_VERSIONS}" != "${NEW_VERSIONS}" ]]; then - echo "is-snapshot='false'" >> $GITHUB_OUTPUT - else - echo "is-snapshot='true'" >> $GITHUB_OUTPUT - fi - - - name: Get release or snapshot-version - id: get-release-version - shell: bash - run: | - IS_SNAPSHOT=${{ steps.get-is-snapshot.outputs.is-snapshot }} - if [ $IS_SNAPSHOT == 'true' ];then - echo release-version="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)-SNAPSHOT_$GITHUB_SHA" >> $GITHUB_OUTPUT - else - echo release-version="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT - fi + - name: Get version + id: get-version + uses: ./.github/actions/get-version build: uses: ./.github/workflows/release.yaml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 324af7a5c..e02cd7f49 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -1,35 +1,57 @@ permissions: # This is required for requesting the OIDC token id-token: write + contents: read on: workflow_call: inputs: ref: + description: Branch to release from type: string required: true java-version: + description: Java version to release type: string required: true crypto-type: + description: Crypto type to release type: string required: true is-snapshot: + description: Is snapshot build type: string required: true + gh-retention-days: + description: GitHub artifact retention days + type: number + required: false + default: 1 secrets: - GPG_JAVA_CLIENT_PRIVATE_KEY: - required: true - GPG_JAVA_CLIENT_PASS: - required: true JFROG_OIDC_PROVIDER: + description: JFrog OIDC provider required: true JFROG_OIDC_AUDIENCE: + description: JFrog OIDC audience + required: true + GPG_SECRET_KEY: + description: GPG secret key + required: true + GPG_PUBLIC_KEY: + description: GPG public key + required: true + GPG_PASS: + description: GPG pass required: true jobs: build: runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }} + outputs: + gh-artifact-name: ${{ steps.build-info.outputs.gh-artifact-name }} + artifact-id: ${{ steps.get-artifact-id.outputs.artifact-id }} + artifact-version: ${{ steps.get-artifact-version.outputs.artifact-version }} + group-id: ${{ steps.get-group-id.outputs.group-id }} steps: - name: Checkout code uses: actions/checkout@v4 @@ -37,20 +59,13 @@ jobs: fetch-depth: 0 ref: ${{ inputs.ref }} - - name: Gpg debug step - shell: bash - run: | - gpg --version - # Java plugin will setup gpg but we are not using maven to deploy do JFrog. # - jf mvn clean install on publish does not publish POM we would like to publish - name: Setup Java uses: actions/setup-java@v4 with: - distribution: "semeru" + distribution: ${{ vars.JAVA_PROVIDER }} java-version: ${{ inputs.java-version }} - gpg-private-key: ${{ secrets.GPG_JAVA_CLIENT_PRIVATE_KEY }} - gpg-passphrase: GPG_PASS - name: Get release or snapshot-version id: get-release-version 
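Review bot: The top-level `permissions:` block still grants `id-token: write` to every job, although this commit splits the workflow into `build`, `sign-artifacts` and `publish-to-jfrog`, and only the last visibly uses the JFrog OIDC secrets. The build job runs Maven against the checked-out ref and does not appear to need an OIDC token. I would keep `contents: read` at the top and move `id-token: write` into a job-level `permissions:` on `publish-to-jfrog`, repeating `contents: read` there because a job-level block replaces the workflow-level one. Whether the shared signing workflow needs `id-token` cannot be seen from this diff; if it does, grant it on that job only.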
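Review bot: The context comment above `Setup Java` (`# Java plugin will setup gpg but we are not using maven to deploy ...`) is stale now that `gpg-private-key` and `gpg-passphrase` are removed from the step. I would replace it with something like `# GPG signing happens in the sign-artifacts job; setup-java only installs the JDK.` Separately, `distribution: ${{ vars.JAVA_PROVIDER }}` expands to an empty string when the repository variable is unset; `${{ vars.JAVA_PROVIDER || 'semeru' }}` would keep the previous default.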
@@ -98,6 +113,12 @@ jobs: run: | echo artifact-version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) >> $GITHUB_OUTPUT + - name: Get group ID + id: get-group-id + working-directory: client + run: | + echo group-id=$(mvn help:evaluate -Dexpression=project.groupId -q -DforceStdout) >> $GITHUB_OUTPUT + # Running deploy/install from using custom pom. This is needed since we need to stage/assemble a public facing release. The public facing release will NOT # have the same pom as the pom that is used for builds and tests. # If/when modifying the mvn deploy command be careful with types and classifiers. The order of the types and classifiers should match. @@ -107,7 +128,7 @@ jobs: ls -la target mkdir ${{ github.workspace }}/local_repo - mvn gpg:sign-and-deploy-file \ + mvn deploy:deploy-file \ -DpomFile=deploy-resources/${{ inputs.crypto-type }}_pom.xml \ -DrepositoryId=local \ -Durl=file://${{ github.workspace }}/local_repo \ 
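Review bot: The new `Get group ID` step and the matching `group-id` job output are not consumed anywhere in the visible hunks. Neither `sign-artifacts` nor `publish-to-jfrog` references `needs.build.outputs.group-id`, and the `workflow_call` header shown declares no `outputs:` that would expose it to callers. If it is meant for the publish step, wire it in there; otherwise I would drop the step and the output rather than run an extra `mvn help:evaluate` on every build. If it stays, a comment such as `# group-id is consumed by <job>` on the output line would make the intent clear.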
@@ -118,18 +139,64 @@ jobs: -Dfiles=target/aerospike-client${{ inputs.crypto-type == 'bouncycastle' && '-bc' || '' }}-jdk${{ inputs.java-version == '1.8' && '8' || inputs.java-version }}-${{ steps.get-artifact-version.outputs.artifact-version }}-jar-with-dependencies.jar,target/aerospike-client${{ inputs.crypto-type == 'bouncycastle' && '-bc' || '' }}-jdk${{ inputs.java-version == '1.8' && '8' || inputs.java-version }}-${{ steps.get-artifact-version.outputs.artifact-version }}-sources.jar,target/aerospike-client${{ inputs.crypto-type == 'bouncycastle' && '-bc' || '' }}-jdk${{ inputs.java-version == '1.8' && '8' || inputs.java-version }}-${{ steps.get-artifact-version.outputs.artifact-version }}-javadoc.jar \ -Dclassifiers=jar-with-dependencies,sources,javadoc \ -Dtypes=jar,jar,jar \ - -P gpg -P ${{ inputs.crypto-type }} + -P ${{ inputs.crypto-type }} ls -laR ${{ github.workspace }}/local_repo - env: - GPG_PASS: ${{ secrets.GPG_JAVA_CLIENT_PASS }} - # Publishing release to JFrog + - name: Upload Artifacts + uses: actions/upload-artifact@v5 + with: + name: ${{ steps.get-artifact-id.outputs.artifact-id }} + path: ${{ github.workspace }}/local_repo + retention-days: ${{ inputs.gh-retention-days }} + + - name: Set Build Info Outputs + id: build-info + run: | + echo "gh-artifact-name=${{ steps.get-artifact-id.outputs.artifact-id }}" >> $GITHUB_OUTPUT + + sign-artifacts: + needs: build + uses: aerospike/shared-workflows/.github/workflows/reusable_sign-artifacts.yaml@37581d0437fe0b76315dafc402882c875789b1af + with: + gh-retention-days: 1 + gh-artifact-name: signed_${{ needs.build.outputs.gh-artifact-name }} + gh-unsigned-artifacts: ${{ needs.build.outputs.gh-artifact-name }} + # gh-workflows-ref: v2.0.2 # Use specific shared-workflows version + secrets: + gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} + gpg-public-key: ${{ secrets.GPG_PUBLIC_KEY }} + gpg-key-pass: ${{ secrets.GPG_PASS }} + + publish-to-jfrog: + needs: [build, sign-artifacts] + runs-on: ${{ 
vars.BUILD_CONTAINER_DISTRO_VERSION }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + ref: ${{ inputs.ref }} + + - name: Download signed artifacts + uses: actions/download-artifact@v4 + with: + name: ${{ needs.sign-artifacts.outputs.gh-artifact-name }} + path: ${{ github.workspace }}/local_repo + merge-multiple: true + + - name: Debug list downloaded content + shell: bash + working-directory: ${{ github.workspace }}/local_repo + run: | + pwd + ls -laR + - name: Publish to JFrog uses: ./.github/actions/publish-to-jfrog with: oidc-provider: ${{ secrets.JFROG_OIDC_PROVIDER }} oidc-audience: ${{ secrets.JFROG_OIDC_AUDIENCE }} - artifact-id: ${{ steps.get-artifact-id.outputs.artifact-id }} - artifact-version: ${{ steps.get-artifact-version.outputs.artifact-version }} - package-install-location: ${{ github.workspace }}/local_repo + artifact-id: ${{ needs.build.outputs.artifact-id }} + artifact-version: ${{ needs.build.outputs.artifact-version }} + package-install-location: ${{ github.workspace }}/local_repo/unsigned-artifacts \ No newline at end of file
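Review bot: `publish-to-jfrog` uploads from `${{ github.workspace }}/local_repo/unsigned-artifacts` without checking that what it downloaded is actually signed; the only step between download and publish is the `ls -laR` debug listing. Before this commit, signing and staging happened in one `gpg:sign-and-deploy-file` call. Now the files cross two artifact hand-offs and an external workflow, so a misnamed artifact or a layout change in the shared workflow could publish unsigned jars without failing the run. The directory name suggests the signed output keeps the unsigned layout, but that is not visible here and deserves a comment on the `package-install-location` line. I would add a verification step ahead of `Publish to JFrog`, sketched below on the assumption that signatures are detached `.asc` files next to each artifact and that `GPG_PUBLIC_KEY` is ASCII-armored; adjust it to what the signing workflow really emits.

```yaml
      # … unchanged: checkout, download signed artifacts, debug listing …
      - name: Verify signatures before publishing
        shell: bash
        working-directory: ${{ github.workspace }}/local_repo
        env:
          GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
        run: |
          set -euo pipefail
          # Fresh keyring so only the project key can validate a signature
          GNUPGHOME="$(mktemp -d)"
          export GNUPGHOME
          gpg --batch --import <<<"${GPG_PUBLIC_KEY}"
          mapfile -t signatures < <(find . -type f -name '*.asc')
          if [ "${#signatures[@]}" -eq 0 ]; then
            echo "Error: no .asc signatures found in downloaded artifact"
            exit 1
          fi
          for signature in "${signatures[@]}"; do
            gpg --batch --verify "${signature}" "${signature%.asc}"
          done

      - name: Publish to JFrog
      # … unchanged: publish-to-jfrog inputs …
```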