aerospike · BrianNichols · Nov 17, 2025 · Nov 17, 2025
diff --git a/.github/actions/get-version/action.yaml b/.github/actions/get-version/action.yaml
@@ -0,0 +1,54 @@
+name: Get version
+description: Detects if build is a snapshot and gets the release or snapshot version
+
+runs:
+  using: composite
+  steps:
+    # Checking if this particular build is a snapshot build
+    - name: Detect if snapshot
+      id: get-is-snapshot
+      shell: bash
+      run: |
+        # Getting previous commit
+        COMMIT_REF="HEAD~1"
+
+        # Checking if previous commit contains pom.xml. This should always return true
+        if ! git show "${COMMIT_REF}:pom.xml" &>/dev/null; then
+          echo "Error: pom.xml not found in commit ${COMMIT_REF}"
+          exit 1
+        fi
+
+        # Getting previous version
+        OLD_VERSIONS=$(git show "${COMMIT_REF}:pom.xml" |
+          sed -n '/<revision>/ { s/.*<revision>\([^<]*\)<\/revision>.*/\1/p; q }')
+
+        # Getting current version
+        NEW_VERSIONS=$(sed -n 's/.*<revision>\([^<]*\)<\/revision>.*/\1/p' pom.xml)
+
+        echo "old versions: ${OLD_VERSIONS}, new versions: ${NEW_VERSIONS}"
+        # Compare the extracted versions. CI will not commit snapshot version.
+        if [[ "${OLD_VERSIONS}" != "${NEW_VERSIONS}" ]]; then
+          echo "is-snapshot='false'" >> $GITHUB_OUTPUT
+        else
+          echo "is-snapshot='true'" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Get release or snapshot-version
+      id: get-release-version
+      shell: bash
+      run: |
+        IS_SNAPSHOT=${{ steps.get-is-snapshot.outputs.is-snapshot }}
+        if [ $IS_SNAPSHOT == 'true' ];then
+          echo release-version="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)-SNAPSHOT_$GITHUB_SHA" >> $GITHUB_OUTPUT
+        else
+          echo release-version="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT
+        fi
+
+outputs:
+  is-snapshot:
+    description: Whether this is a snapshot build
+    value: ${{ steps.get-is-snapshot.outputs.is-snapshot }}
+  release-version:
+    description: The release or snapshot version
+    value: ${{ steps.get-release-version.outputs.release-version }}
+
diff --git a/.github/workflows/push-to-stage.yaml b/.github/workflows/push-to-stage.yaml
@@ -3,7 +3,7 @@ name: clients-java-push-to-dev
 on:
   push:
     branches:
-      - dev-*
+      - dev-* # Used for dev branches
       - stage
       - stage-jdk8
   workflow_dispatch:

diff --git a/.github/workflows/release-stage.yaml b/.github/workflows/release-stage.yaml
@@ -22,8 +22,8 @@ jobs:
     runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }}
     outputs:
       java-version: ${{ steps.get-java-version.outputs.java-version }}
-      is-snapshot: ${{ steps.get-is-snapshot.outputs.is-snapshot }}
-      release-version: ${{ steps.get-release-version.outputs.release-version }}
+      is-snapshot: ${{ steps.get-version.outputs.is-snapshot }}
+      release-version: ${{ steps.get-version.outputs.release-version }}
     steps:
       - name: Checkout client
         uses: actions/checkout@v4
@@ -41,45 +41,9 @@ jobs:
         run: |
           echo ${{ steps.get-java-version.outputs.java-version }}
 
-      # Checking if this particular build is a snapshot build
-      - name: Detect if snapshot
-        id: get-is-snapshot
-        shell: bash
-        run: |
-          # Getting previous commit
-          COMMIT_REF="HEAD~1"
-
-          # Checking if previous commit contains pom.xml. This should always return true
-          if ! git show "${COMMIT_REF}:pom.xml" &>/dev/null; then
-            echo "Error: pom.xml not found in commit ${COMMIT_REF}"
-            exit 1
-          fi
-
-          # Getting previous version
-          OLD_VERSIONS=$(git show "${COMMIT_REF}:pom.xml" |
-            sed -n '/<revision>/ { s/.*<revision>\([^<]*\)<\/revision>.*/\1/p; q }')
-
-          # Getting current version
-          NEW_VERSIONS=$(sed -n 's/.*<revision>\([^<]*\)<\/revision>.*/\1/p' pom.xml)
-
-          echo "old versions: ${OLD_VERSIONS}, new versions: ${NEW_VERSIONS}"
-          # Compare the extracted versions. CI will not commit snapshot version.
-          if [[ "${OLD_VERSIONS}" != "${NEW_VERSIONS}" ]]; then
-            echo "is-snapshot='false'" >> $GITHUB_OUTPUT
-          else
-            echo "is-snapshot='true'" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Get release or snapshot-version
-        id: get-release-version
-        shell: bash
-        run: |
-          IS_SNAPSHOT=${{ steps.get-is-snapshot.outputs.is-snapshot }}
-          if [ $IS_SNAPSHOT == 'true' ];then
-            echo release-version="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)-SNAPSHOT_$GITHUB_SHA" >> $GITHUB_OUTPUT
-          else
-            echo release-version="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT
-          fi
+      - name: Get version
+        id: get-version
+        uses: ./.github/actions/get-version
 
   build:
     uses: ./.github/workflows/release.yaml

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,56 +1,71 @@
 permissions:
   # This is required for requesting the OIDC token
   id-token: write
+  contents: read
 
 on:
   workflow_call:
     inputs:
       ref:
+        description: Branch to release from
         type: string
         required: true
       java-version:
+        description: Java version to release
         type: string
         required: true
       crypto-type:
+        description: Crypto type to release
         type: string
         required: true
       is-snapshot:
+        description: Is snapshot build
         type: string
         required: true
+      gh-retention-days:
+        description: GitHub artifact retention days
+        type: number
+        required: false
+        default: 1
     secrets:
-      GPG_JAVA_CLIENT_PRIVATE_KEY:
-        required: true
-      GPG_JAVA_CLIENT_PASS:
-        required: true
       JFROG_OIDC_PROVIDER:
+        description: JFrog OIDC provider
         required: true
       JFROG_OIDC_AUDIENCE:
+        description: JFrog OIDC audience
+        required: true
+      GPG_SECRET_KEY:
+        description: GPG secret key
+        required: true
+      GPG_PUBLIC_KEY:
+        description: GPG public key
+        required: true
+      GPG_PASS:
+        description: GPG pass
         required: true
 
 jobs:
   build:
     runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }}
+    outputs:
+      gh-artifact-name: ${{ steps.build-info.outputs.gh-artifact-name }}
+      artifact-id: ${{ steps.get-artifact-id.outputs.artifact-id }}
+      artifact-version: ${{ steps.get-artifact-version.outputs.artifact-version }}
+      group-id: ${{ steps.get-group-id.outputs.group-id }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{ inputs.ref }}
 
-      - name: Gpg debug step
-        shell: bash
-        run: |
-          gpg --version
-
       # Java plugin will setup gpg but we are not using maven to deploy do JFrog.
       # - jf mvn clean install on publish does not publish POM we would like to publish
       - name: Setup Java
         uses: actions/setup-java@v4
         with:
-          distribution: "semeru"
+          distribution: ${{ vars.JAVA_PROVIDER }}
           java-version: ${{ inputs.java-version }}
-          gpg-private-key: ${{ secrets.GPG_JAVA_CLIENT_PRIVATE_KEY }}
-          gpg-passphrase: GPG_PASS
 
       - name: Get release or snapshot-version
         id: get-release-version
@@ -98,6 +113,12 @@ jobs:
         run: |
           echo artifact-version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) >> $GITHUB_OUTPUT
 
+      - name: Get group ID
+        id: get-group-id
+        working-directory: client
+        run: |
+          echo group-id=$(mvn help:evaluate -Dexpression=project.groupId -q -DforceStdout) >> $GITHUB_OUTPUT
+
       # Running deploy/install from using custom pom. This is needed since we need to stage/assemble a public facing release. The public facing release will NOT
       # have the same pom as the pom that is used for builds and tests.
       # If/when modifying the mvn deploy command be careful with types and classifiers. The order of the types and classifiers should match.
@@ -107,7 +128,7 @@ jobs:
           ls -la target
           mkdir ${{ github.workspace }}/local_repo
 
-          mvn gpg:sign-and-deploy-file \
+          mvn deploy:deploy-file \
             -DpomFile=deploy-resources/${{ inputs.crypto-type }}_pom.xml \
             -DrepositoryId=local \
             -Durl=file://${{ github.workspace }}/local_repo \
@@ -118,18 +139,64 @@ jobs:
             -Dfiles=target/aerospike-client${{ inputs.crypto-type == 'bouncycastle' && '-bc' || '' }}-jdk${{ inputs.java-version == '1.8' && '8' || inputs.java-version }}-${{ steps.get-artifact-version.outputs.artifact-version }}-jar-with-dependencies.jar,target/aerospike-client${{ inputs.crypto-type == 'bouncycastle' && '-bc' || '' }}-jdk${{ inputs.java-version == '1.8' && '8' || inputs.java-version }}-${{ steps.get-artifact-version.outputs.artifact-version }}-sources.jar,target/aerospike-client${{ inputs.crypto-type == 'bouncycastle' && '-bc' || '' }}-jdk${{ inputs.java-version == '1.8' && '8' || inputs.java-version }}-${{ steps.get-artifact-version.outputs.artifact-version }}-javadoc.jar \
             -Dclassifiers=jar-with-dependencies,sources,javadoc \
             -Dtypes=jar,jar,jar \
-            -P gpg -P ${{ inputs.crypto-type }}
+            -P ${{ inputs.crypto-type }}
 
           ls -laR ${{ github.workspace }}/local_repo
-        env:
-          GPG_PASS: ${{ secrets.GPG_JAVA_CLIENT_PASS }}
 
-      # Publishing release to JFrog
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v5
+        with:
+          name: ${{ steps.get-artifact-id.outputs.artifact-id }}
+          path: ${{ github.workspace }}/local_repo
+          retention-days: ${{ inputs.gh-retention-days }}
+
+      - name: Set Build Info Outputs
+        id: build-info
+        run: |
+          echo "gh-artifact-name=${{ steps.get-artifact-id.outputs.artifact-id }}" >> $GITHUB_OUTPUT
+
+  sign-artifacts:
+    needs: build
+    uses: aerospike/shared-workflows/.github/workflows/reusable_sign-artifacts.yaml@37581d0437fe0b76315dafc402882c875789b1af
+    with:
+      gh-retention-days: 1
+      gh-artifact-name: signed_${{ needs.build.outputs.gh-artifact-name }}
+      gh-unsigned-artifacts: ${{ needs.build.outputs.gh-artifact-name }}
+      # gh-workflows-ref: v2.0.2 # Use specific shared-workflows version
+    secrets:
+      gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
+      gpg-public-key: ${{ secrets.GPG_PUBLIC_KEY }}
+      gpg-key-pass: ${{ secrets.GPG_PASS }}
+
+  publish-to-jfrog:
+    needs: [build, sign-artifacts]
+    runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.ref }}
+
+      - name: Download signed artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.sign-artifacts.outputs.gh-artifact-name }}
+          path: ${{ github.workspace }}/local_repo
+          merge-multiple: true
+
+      - name: Debug list downloaded content
+        shell: bash
+        working-directory: ${{ github.workspace }}/local_repo
+        run: |
+          pwd
+          ls -laR
+
       - name: Publish to JFrog
         uses: ./.github/actions/publish-to-jfrog
         with:
           oidc-provider: ${{ secrets.JFROG_OIDC_PROVIDER }}
           oidc-audience: ${{ secrets.JFROG_OIDC_AUDIENCE }}
-          artifact-id: ${{ steps.get-artifact-id.outputs.artifact-id }}
-          artifact-version: ${{ steps.get-artifact-version.outputs.artifact-version }}
-          package-install-location: ${{ github.workspace }}/local_repo
+          artifact-id: ${{ needs.build.outputs.artifact-id }}
+          artifact-version: ${{ needs.build.outputs.artifact-version }}
+          package-install-location: ${{ github.workspace }}/local_repo/unsigned-artifacts