Issue #217 - Convert and port Gradle to Maven build for web5-kt

* No security or license issues
* All modules build and tests pass
* Dependencies all correctly set via dependencyManagement which may be consumed by other projects (ie. tbDEX)
* Ported Dokka to use Dokka CLI in GitHub Actions and instructions to run locally
* Change: API Docs via Dokka now have no left sidebar because Gradle plugin enabled multimodule for us.
* Detekt ported through Maven plugin
* Ported Kover; we have coverage via CodeCov
* Switched to use TBD Artifactory for single repo declaration to get 3rdparty deps not in Maven Central
* Update README to reflect new build usage
* Publish to TBD Artifactory
* While we are at it, renames to GitHub Actions for clarity and correctness
* Set Surefire patterns to run Test Vectors
* Publish every build as a SNAPSHOT in format X.Y.Z-commit-$shortSHA-SNAPSHOT
* Validate that SNAPSHOT publishing has a version defined that ends in -SNAPSHOT

TODO:
* Releasing to Maven Central
* Do not publish to TBD Artifactory twice (the build/test/deploy workflow runs in 2 environments, Ubuntu and MacOS)
* Update the GU Actions workflows to run on main, not this branch, before we merge it

Issue #217: Add Kover

.github/workflows/build-test-deploy.yml

@@ -0,0 +1,123 @@
+name: Build, Test, and Deploy SNAPSHOT
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to publish. For example "1.0.0-SNAPSHOT". If not supplied, will default to version specified in the POM.'
+        required: false
+        default: '0.0.0-SNAPSHOT'
+  push:
+    branches:
+      - issue-217/maven-build
+  # Put this back and remove section above before merging to main
+  #pull_request:
+  #  branches:
+  #    - '*'
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, macos-latest ]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      # https://cashapp.github.io/hermit/usage/ci/
+      - name: Init Hermit
+        uses: cashapp/activate-hermit@v1
+
+      - uses: actions/cache@v3
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
+      - name: hash test inputs
+        run: |
+          if ! which sha256sum; then brew install coreutils; fi
+          sha256sum $(find test-vectors -name '*.json') > test-vector-hashes.txt
+
+      - name: Build, Test, and Deploy SNAPSHOT
+        run: |
+          # Version resolution: use provided
+          if [ -n "${{ github.event.inputs.version }}" ]; then
+            resolvedVersion=${{ github.event.inputs.version }}
+          # Otherwise, construct a version for deployment in form X.Y.Z-commit-$shortSHA-SNAPSHOT
+          else
+            mvnVersion=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
+            longSHA=$(git rev-parse --verify HEAD)
+            version=$(echo "$mvnVersion" | cut -d'-' -f1)
+            shortSHA=$(echo "${longSHA:0:7}")
+            resolvedVersion="$version-commit-$shortSHA-SNAPSHOT"
+            echo "Requesting deployment as version: $resolvedVersion"
+          fi
+          
+          # Postcondition check; only allow this to proceed if we have a version ending in "-SNAPSHOT"
+          if [[ ! "$resolvedVersion" =~ -SNAPSHOT$ ]]; then
+            echo "Error: The version does not end with \"-SNAPSHOT\": $resolvedVersion"
+            exit 1
+          fi
+          
+          # Set newly resolved version in POM config
+          mvn \
+            versions:set \
+            --batch-mode \
+            -DnewVersion=$resolvedVersion 
+        
+          # Maven deploy lifecycle will build, run tests, verify, and deploy
+          mvn \
+            deploy \
+              --batch-mode \
+              --settings .maven_settings.xml
+        env:
+          ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
+          ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+      # Upload Web5 Vector test resultsß
+      - uses: actions/upload-artifact@v3
+        with:
+          name: test-results
+          path: |
+            **/target/surefire-reports/*Web5TestVectors*.xml
+            test-vector-hashes.txt
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          verbose: true
+          flags: ${{ runner.os }}
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: tests-report-junit
+          path: |
+            **/target/surefire-reports/*.xml
+
+      - name: Generate an access token to trigger downstream repo
+        uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2
+        id: generate_token
+        if: github.ref == 'refs/heads/main'
+        with:
+          app-id: ${{ secrets.CICD_ROBOT_GITHUB_APP_ID }}
+          private-key: ${{ secrets.CICD_ROBOT_GITHUB_APP_PRIVATE_KEY }}
+          owner: TBD54566975
+          repositories: sdk-report-runner
+
+      - name: Trigger sdk-report-runner report build
+        if: github.ref == 'refs/heads/main'
+        run: |
+          curl -L \
+          -H "Authorization: Bearer ${APP_TOKEN}" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          -H "Content-Type: application/json" \
+          --fail \
+          --data '{"ref": "main"}' \
+          https://api.github.com/repos/TBD54566975/sdk-report-runner/actions/workflows/build-report.yaml/dispatches
+        env:
+          APP_TOKEN: ${{ steps.generate_token.outputs.token }}

.github/workflows/gh-pages-deploy.yml

@@ -1,4 +1,4 @@
-name: Deploy examples to GitHub Pages
+name: Deploy API Docs to GitHub Pages
 
 on:
   push:
@@ -18,14 +18,21 @@ jobs:
       # https://cashapp.github.io/hermit/usage/ci/
       - name: Init Hermit
         uses: cashapp/activate-hermit@v1
-      - name: Build html
-        run: gradle dokkaHtmlMultiModule --no-daemon --stacktrace
+      - name: Set up Dokka CLI
+        run: |
+          wget https://repo1.maven.org/maven2/org/jetbrains/dokka/dokka-cli/1.9.20/dokka-cli-1.9.20.jar; \
+          wget https://repo1.maven.org/maven2/org/jetbrains/dokka/dokka-base/1.9.20/dokka-base-1.9.20.jar; \
+          wget https://repo1.maven.org/maven2/org/jetbrains/dokka/analysis-kotlin-descriptors/1.9.20/analysis-kotlin-descriptors-1.9.20.jar; \
+          wget https://repo1.maven.org/maven2/org/jetbrains/kotlinx/kotlinx-html-jvm/0.8.0/kotlinx-html-jvm-0.8.0.jar; \
+          wget https://repo1.maven.org/maven2/org/freemarker/freemarker/2.3.31/freemarker-2.3.31.jar
+      - name: Build HTML APIDocs with Dokka CLI
+        run: java -jar ./dokka-cli.jar dokka-configuration.json
         working-directory: .
       - name: Upload artifact
         uses: actions/upload-artifact@v2
         with:
           name: docs
-          path: build/dokka
+          path: target/apidocs
 
   deploy-examples:
     runs-on: ubuntu-latest

.github/workflows/publish.yml

@@ -1,9 +1,13 @@
-name: Publish package to the Maven Central Repository
+name: Release and Publish to Maven Central
 on:
   workflow_dispatch:
     inputs:
       version:
-        description: 'Version to publish. For example "0.0.1"'
+        description: 'Version to publish. For example "1.0.0 or 1.0.0-SNAPSHOT"'
+        required: true
+        default: '0.0.0'
+      developmentVersion:
+        description: 'Next development version. For example "1.1.0". The system will append "-SNAPSHOT" to the end of this input to reflect the next development version.'
         required: true
         default: "0.0.0"
 jobs:
@@ -20,21 +24,34 @@ jobs:
 
       - uses: actions/cache@v3
         with:
-          path: ~/.gradle/caches
-          key: gradle-ubuntu-latest-${{ hashFiles('**/*.gradle.kts') }}-${{ hashFiles('**/gradle/wrapper/gradle-wrapper.properties') }}-${{ hashFiles('**/versions.properties') }}
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
+      # Adapted from: https://gist.github.com/sualeh/ae78dc16123899d7942bc38baba5203c
+      - name: Install gpg secret key
+        run: |
+          # Install gpg secret key
+          cat <(echo -e "${{ secrets.GPG_SECRET_KEY }}") | gpg --batch --import
+          # Verify gpg secret key
+          gpg --list-secret-keys --keyid-format LONG
 
-      - name: Sonatype Publish Close And Release
+      # This will set versions, git tag, and publish to TBD Artifactory. Does not release to Maven Central.
+      - name: Staging - Prepare and Publish Release to TBD Artifactory
         run: |
-          if [ -n "${{ github.event.inputs.version }}" ]; then
-            gradle -Pversion=${{ github.event.inputs.version }} publishToSonatype closeAndReleaseSonatypeStagingRepository
-          else
-            gradle -Pversion=$(echo "${{ github.ref_name }}" | cut -c2-) publishToSonatype closeAndReleaseSonatypeStagingRepository
-          fi
+            mvn \
+              release:prepare \
+              release:stage \
+              --batch-mode \
+              --settings .maven_settings.xml \
+              -DreleaseVersion=${{ github.event.inputs.version }} \
+              -DdevelopmentVersion=${{ github.event.inputs.developmentVersion }} \
+              -Dgpg.passphrase=${{ secrets.GPG_SECRET_PASSPHRASE }} \
+              -DstagingRepository=https://blockxyz.jfrog.io/artifactory/tbd-oss-releases-maven2
         env:
-          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.ORG_GRADLE_PROJECT_SIGNINGKEY }}
-          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.ORG_GRADLE_PROJECT_SIGNINGPASSWORD }}
-          ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPEUSERNAME }}
-          ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPEPASSWORD }}
+            ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
+            ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
 
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v1

.github/workflows/scorecard.yml

@@ -2,7 +2,7 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 
-name: Scorecard supply-chain security
+name: Open Source Security Foundation Scorecard
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection

.github/workflows/tests-publish.yml

@@ -2,7 +2,7 @@ name: Publish Tests Report
 
 on:
   workflow_run:
-    workflows: ["SDK Kotlin CI"]
+    workflows: ["Build, Test, and Deploy SNAPSHOT"]
     types:
       - completed
 
@@ -28,7 +28,7 @@ jobs:
 
           for project in "${projects[@]}"; do
             # Find Tests Reports in each project and store them in an array
-            files=($(find "${project}/build/test-results/test" -name '*.xml'))
+            files=($(find "${project}/target/surefire-reports" -name '*.xml'))
 
             # Check if files array is empty
             if [ ${#files[@]} -eq 0 ]; then

.gitignore

@@ -5,6 +5,9 @@ build/
 !**/src/test/**/build/
 **/cacheDir/
 
+### Maven
+**/target
+
 ### IntelliJ IDEA ###
 .idea
 .idea/modules.xml

.maven_settings.xml

@@ -0,0 +1,14 @@
+<settings>
+  <servers>
+    <server>
+      <id>tbd-oss-releases</id>
+      <username>${env.ARTIFACTORY_USERNAME}</username>
+      <password>${env.ARTIFACTORY_PASSWORD}</password>
+    </server>
+    <server>
+      <id>tbd-oss-snapshots</id>
+      <username>${env.ARTIFACTORY_USERNAME}</username>
+      <password>${env.ARTIFACTORY_PASSWORD}</password>
+    </server>
+  </servers>
+</settings>