-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(build): publish to OSSRH Snapshots and MavenCentral from GHA
- Loading branch information
1 parent
2302287
commit 74f3afe
Showing
2 changed files
with
77 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| name: "Import GPG Key" | ||
| description: "Imports a GPG key given in the input" | ||
| inputs: | ||
| gpg-private-key: | ||
| required: true | ||
| description: "The GPG Private Key in plain text. Can be a sub-key." | ||
| runs: | ||
| using: "composite" | ||
| steps: | ||
| # this is necessary because it creates gpg.conf, etc. | ||
| - name: List Keys | ||
| shell: bash | ||
| run: | | ||
| gpg -K --keyid-format=long | ||
| - name: Import GPG Private Key | ||
| shell: bash | ||
| run: | | ||
| echo "use-agent" >> ~/.gnupg/gpg.conf | ||
| echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf | ||
| echo -e "${{ inputs.gpg-private-key }}" | gpg --import --batch | ||
| for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u); | ||
| do | ||
| echo -e "5\\ny\\n" | gpg --batch --command-fd 0 --expert --edit-key $fpr trust; | ||
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,36 +1,61 @@ | ||
| name: "Create Snapshot Build" | ||
| name: "Publish Snapshot Build" | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| workflow_call: | ||
| inputs: | ||
| github_repository: | ||
| required: true | ||
| type: string | ||
| secrets: | ||
| jenkins_user: | ||
| required: true | ||
| jenkins_token: | ||
| required: true | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| secrets-presence: | ||
| name: "Check for required credentials" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| HAS_OSSRH: ${{ steps.secret-presence.outputs.HAS_OSSRH }} | ||
| steps: | ||
| - name: Check whether secrets exist | ||
| id: secret-presence | ||
| run: | | ||
| [ ! -z "${{ secrets.ORG_GPG_PASSPHRASE }}" ] && | ||
| [ ! -z "${{ secrets.ORG_GPG_PRIVATE_KEY }}" ] && | ||
| [ ! -z "${{ secrets.ORG_OSSRH_USERNAME }}" ] && echo "HAS_OSSRH=true" >> $GITHUB_OUTPUT | ||
| exit 0 | ||
| Trigger-Snapshot: | ||
| name: "Publish artefacts to OSSRH Snapshots / MavenCentral" | ||
| runs-on: ubuntu-latest | ||
| # forks cannot trigger Jenkins | ||
| if: ${{ startsWith( inputs.github_repository, 'eclipse-edc') }} | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| needs: [ secrets-presence ] | ||
|
|
||
| if: | | ||
| needs.secrets-presence.outputs.HAS_OSSRH | ||
| steps: | ||
| # Trigger EF Jenkins. This job waits for Jenkins to complete the publishing, which may take a long time, because every | ||
| # module is signed individually, and parallelism is not available. Hence, the increased timeout of 3600 seconds. | ||
| # There is no way to cancel the process on Jenkins from withing GitHub. | ||
| - name: Call Jenkins API to trigger build | ||
| uses: toptal/jenkins-job-trigger-action@master | ||
| # Set-Up | ||
| - uses: actions/[email protected] | ||
|
|
||
| # Import GPG Key | ||
| - uses: ./.github/actions/import-gpg-key | ||
| name: "Import GPG Key" | ||
| with: | ||
| jenkins_url: "https://ci.eclipse.org/edc/" | ||
| jenkins_user: ${{ secrets.jenkins_user }} | ||
| jenkins_token: ${{ secrets.jenkins_token }} | ||
| # empty params are needed, otherwise the job will fail. | ||
| job_params: | | ||
| { | ||
| "REPO": join('https://github.com/', ${{ inputs.github_repository }}) | ||
| } | ||
| job_name: "Publish-Component" | ||
| job_timeout: "3600" # Default 30 sec. (optional) | ||
| gpg-private-key: ${{ secrets.ORG_GPG_PRIVATE_KEY }} | ||
|
|
||
| - uses: ./.github/actions/setup-build | ||
| - name: "Publish snapshot version" | ||
| env: | ||
| OSSRH_PASSWORD: ${{ secrets.ORG_OSSRH_PASSWORD }} | ||
| OSSRH_USER: ${{ secrets.ORG_OSSRH_USERNAME }} | ||
| run: |- | ||
| VERSION=$(./gradlew properties -q | grep "version:" | awk '{print $2}') | ||
| cmd="" | ||
| if [[ $VERSION != *-SNAPSHOT ]] | ||
| then | ||
| cmd="closeAndReleaseSonatypeStagingRepository"; | ||
| echo "::warning file=gradle.properties::$VERSION is not a snapshot version - will not publish!" | ||
| exit 1 | ||
| fi | ||
| echo "Publishing Version $VERSION to Sonatype" | ||
| ./gradlew publishToSonatype ${cmd} --no-parallel -Pversion=$VERSION -Psigning.gnupg.executable=gpg -Psigning.gnupg.passphrase="${{ secrets.ORG_GPG_PASSPHRASE }}" |