Adopt GHA Scala Library Release Workflow

[davidfurey]

This replaces the old release process which had developers manually running sbt release on their own laptops - each developer had to obtain their own PGP key and Sonatype credentials, which was an elaborate & fiddly process.

Now there's a single set of release credentials, available through GitHub Organisation Secrets, like we already have with NPM.

The changes required to adopt the automated workflow:

• No need to set these sbt configuration keys, as they're now taken care of by the workflow:
  • scmInfo & pomExtra
  • homepage
  • developers
  • releasePublishArtifactsAction
  • publishTo
• Remove the publish, release & push steps of sbt-release's releaseProcess configuration, because the workflow does those now, and the workflow only wants sbt release to create the versioning commits, and tag them appropriately. The workflow does the rest itself.
• Remove sbt-pgp plugin because it's no longer used - the workflow does the signing using gpg directly.
• Grant this repo access to the GitHub Organisation Secrets containing the Maven Release credentials with guardian/github-secret-access#21

Additionally, we add automatic version numbering based on compatibility assessment performed by sbt-version-policy:

• Add the sbt-version-policy plugin, to allow it to do the compatibility assessment. This also sets the versionScheme for this library to early-semver, which is the recommended versioning for Scala libraries, and sbt-version-policy & correct sbt-eviction-issue-detection pretty much depend on the versionScheme being early-semver. Thus we also need to switch to using a new semver version number for our library version!
• Add the releaseVersion := fromAggregatedAssessedCompatibilityWithLatestRelease().value sbt setting, which will intelligently set the release version based on sbt-version-policy's compatibility assessment, thanks to Simplify integration with sbt-release scalacenter/sbt-version-policy#187 .

This change also drops support for Scala 2.11 since it does not seem to support the -release:11 scalac option which is required to ensure that the Java 17 workflow produces Java 11 compatible bytecode.

NB - PR description liberally copied from guardian/facia-scala-client#299

[rtyley]

NB - PR description liberally copied from guardian/facia-scala-client#299

😄

• Grant this repo access to the GitHub Organisation Secrets containing the Maven Release credentials with Grant facia-scala-client the Maven Release creds github-secret-access#21

You'll need to make your own PR in guardian/github-secret-access - I don't see tags-thrift-schema in there yet!

Apart from the points noted, this looks great, thank you for doing this!

As far as testing goes, the best way to test is just merge this PR, and then run the release process on the main branch - if the release run crashes out, it's not the end of the world, we can just fix the problems.

This repo should probably also be added to Scala Steward as well, but that can happen later.

[rtyley]

This is missing one permission - see the example release.yml referenced by the docs at configuration.md#github-workflow

(guardian/gha-scala-library-release-workflow#19 introduced an extra required permission)

[rtyley]

It's probably worth removing this resolver if you can get away with it, due to the security concerns recently christened MavenGate!

Suggested change

resolvers += Resolver.jcenterRepo

[rtyley]

This all looks good to me - once merged, test it out by performing a release!

[rtyley]

I can see you had a error: GH006: Protected branch update doing the release:

Full Main-Branch release, pushing 2 commits to the default branch
remote: error: GH006: Protected branch update failed for refs/heads/main.        
remote: error: Changes must be made through a pull request.        
To https://github.com/guardian/tags-thrift-schema
 ! [remote rejected] main -> main (protected branch hook declined)
error: failed to push some refs to 'https://github.com/guardian/tags-thrift-schema'

This is because guardian/gha-scala-library-release-workflow#5 is not yet resolved, but I'm working on it in guardian/gha-scala-library-release-workflow#26 - in the meantime, as mentioned in configuration.md#repo-settings, you should disable Branch Protection on the main branch - as mentioned in guardian/gha-scala-library-release-workflow#5 (comment), DevX are fine with this - edit, oh, I can see you already have!