-
Notifications
You must be signed in to change notification settings - Fork 2
181 lines (165 loc) · 6.66 KB
/
zxc-release-maven-central.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
##
# Copyright (C) 2022-2024 Hedera Hashgraph, LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
name: "ZXC: Release Maven Central"
# The purpose of this reusable workflow is to release a new version to Maven Central.
# This reusable component is called by the following workflows:
# - .github/workflows/flow-release-maven-central.yaml
on:
workflow_call:
inputs:
new-version:
description: "New Release Version (ie. 0.30.0):"
type: string
required: true
dry-run-enabled:
description: "Perform Dry Run"
type: boolean
required: false
default: false
java-distribution:
description: "Java JDK Distribution:"
type: string
required: false
default: "temurin"
java-version:
description: "Java JDK Version:"
type: string
required: false
default: "17.0.3"
gradle-version:
description: "Gradle Version:"
type: string
required: false
default: "wrapper"
custom-job-label:
description: "Custom Job Label:"
type: string
required: false
default: "Release"
outputs:
release-notes:
description: "Release notes for the new release"
value: ${{ jobs.release.outputs.notes }}
secrets:
gradle-cache-username:
description: "The username used to authenticate with the Gradle Build Cache Node."
required: true
gradle-cache-password:
description: "The password used to authenticate with the Gradle Build Cache Node."
required: true
gpg-key-contents:
required: false
gpg-key-passphrase:
required: false
git-user-name:
required: false
git-user-email:
required: false
ossrh-user-name:
required: true
ossrh-user-password:
required: true
defaults:
run:
shell: bash
permissions:
id-token: write
contents: write
env:
GRADLE_CACHE_USERNAME: ${{ secrets.gradle-cache-username }}
GRADLE_CACHE_PASSWORD: ${{ secrets.gradle-cache-password }}
jobs:
release:
name: ${{ inputs.custom-job-label || 'Release' }}
runs-on: solo-linux-medium
outputs:
notes: ${{ steps.create-release-notes.outputs.RELEASE_NOTES }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
# This step is required for some self-hosted runners because the default gpg does not include the gpg2 command.
- name: Install GnuPG Tools
run: |
if ! command -v gpg2 >/dev/null 2>&1; then
echo "::group::Updating APT Repository Indices"
sudo apt update
echo "::endgroup::"
echo "::group::Installing GnuPG Tools"
sudo apt install -y gnupg2
echo "::endgroup::"
fi
- name: Import GPG key
id: gpg_key
uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0
if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }}
with:
gpg_private_key: ${{ secrets.gpg-key-contents }}
passphrase: ${{ secrets.gpg-key-passphrase }}
git_config_global: true
git_user_signingkey: true
git_commit_gpgsign: true
git_tag_gpgsign: true
- name: Setup Java
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
with:
distribution: ${{ inputs.java-distribution }}
java-version: ${{ inputs.java-version }}
- name: Setup Gradle
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
with:
gradle-version: ${{ inputs.gradle-version }}
# This step is used to update the version number in the build.properties file.
- name: Apply Version Number Update (Explicit)
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
with:
gradle-version: ${{ inputs.gradle-version }}
arguments: versionAsSpecified --scan -PnewVersion=${{ inputs.new-version }}
# Technically, this step is not required but is executed to provide the end users with a summary of the version
# numbers assigned to each published artifact.
- name: Version Report
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
with:
gradle-version: ${{ inputs.gradle-version }}
arguments: githubVersionSummary --scan
# Technically, this step is not required because the release steps will build what is required; however,
# if one or more components fails to build then it could result in a partial publish to Maven Central.
# The inclusion of this step ensures the job fails cleanly without publishing to Maven Central if any of the
# components fail to build.
- name: Gradle Assemble
id: gradle-build
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }}
with:
gradle-version: ${{ inputs.gradle-version }}
arguments: assemble --scan
# Publishes the artifacts to the Maven Central Nexus staging repository. A manual step is required to release
# the artifacts from the staging repository to Maven Central.
- name: Gradle Publish to Maven Central
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }}
env:
OSSRH_USERNAME: ${{ secrets.ossrh-user-name }}
OSSRH_PASSWORD: ${{ secrets.ossrh-user-password }}
with:
gradle-version: ${{ inputs.gradle-version }}
# always run with --no-parallel to avoid sonatype maven publish issues which result in invalid publications
arguments: releaseMavenCentral --scan -PpublishSigningEnabled=true --no-parallel