v3.4.0 #44
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# WARNING: Do not edit this file directly. Instead, go to: | |
# | |
# https://github.com/micronaut-projects/micronaut-project-template/tree/master/.github/workflows | |
# | |
# and edit them there. Note that it will be sync'ed to all the Micronaut repos | |
name: Release | |
on: | |
release: | |
types: [published] | |
jobs: | |
release: | |
outputs: | |
artifacts-sha256: ${{ steps.hash.outputs.artifacts-sha256 }} # Computed hashes for build artifacts. | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ secrets.GH_TOKEN }} | |
- uses: gradle/wrapper-validation-action@v3 | |
- name: Set up JDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '17' | |
- name: Set the current release version | |
id: release_version | |
run: echo "release_version=${GITHUB_REF:11}" >> $GITHUB_OUTPUT | |
- name: Run pre-release | |
uses: micronaut-projects/github-actions/pre-release@master | |
env: | |
MICRONAUT_BUILD_EMAIL: ${{ secrets.MICRONAUT_BUILD_EMAIL }} | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish to Sonatype OSSRH | |
id: publish | |
env: | |
SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} | |
SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} | |
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} | |
GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }} | |
GPG_FILE: ${{ secrets.GPG_FILE }} | |
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} | |
GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }} | |
GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }} | |
run: | | |
echo $GPG_FILE | base64 -d > secring.gpg | |
# Publish both locally and to Sonatype. | |
# The artifacts stored locally will be used to generate the SLSA provenance. | |
./gradlew publishAllPublicationsToBuildRepository publishToSonatype closeAndReleaseSonatypeStagingRepository | |
# Read the current version from gradle.properties. | |
VERSION=$(./gradlew properties | grep 'version:' | awk '{print $2}') | |
# Read the project group from gradle.properties. | |
GROUP_PATH=$(./gradlew properties| grep "projectGroup" | awk '{print $2}' | sed 's/\./\//g') | |
echo "version=$VERSION" >> "$GITHUB_OUTPUT" | |
echo "group=$GROUP_PATH" >> "$GITHUB_OUTPUT" | |
- name: Generate subject | |
id: hash | |
run: | | |
# Find the artifact JAR and POM files in the local repository. | |
ARTIFACTS=$(find build/repo/${{ steps.publish.outputs.group }}/*/${{ steps.publish.outputs.version }}/* \ | |
-type f \( \( -iname "*.jar" -not -iname "*-javadoc.jar" -not -iname "*-sources.jar" \) -or -iname "*.pom" \)) | |
# Compute the hashes for the artifacts. | |
# Set the hash as job output for debugging. | |
echo "artifacts-sha256=$(sha256sum $ARTIFACTS | base64 -w0)" >> "$GITHUB_OUTPUT" | |
# Store the hash in a file, which is uploaded as a workflow artifact. | |
sha256sum $ARTIFACTS | base64 -w0 > artifacts-sha256 | |
- name: Upload build artifacts | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: gradle-build-outputs | |
path: build/repo/${{ steps.publish.outputs.group }}/*/${{ steps.publish.outputs.version }}/* | |
retention-days: 5 | |
- name: Upload artifacts-sha256 | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: artifacts-sha256 | |
path: artifacts-sha256 | |
retention-days: 5 | |
- name: Generate docs | |
run: ./gradlew docs | |
env: | |
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} | |
GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }} | |
GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }} | |
GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ secrets.GH_TOKEN_PUBLIC_REPOS_READONLY }} | |
GH_USERNAME: ${{ secrets.GH_USERNAME }} | |
- name: Export Gradle Properties | |
uses: micronaut-projects/github-actions/export-gradle-properties@master | |
- name: Publish to Github Pages | |
if: success() | |
uses: micronaut-projects/github-pages-deploy-action@master | |
env: | |
BETA: ${{ !(github.event.release.target_commitish == github.event.repository.default_branch) || contains(steps.release_version.outputs.release_version, 'M') || contains(steps.release_version.outputs.release_version, 'RC') }} | |
GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
BRANCH: gh-pages | |
FOLDER: build/docs | |
VERSION: ${{ steps.release_version.outputs.release_version }} | |
TARGET_REPOSITORY: ${{ github.repository == 'micronaut-projects/micronaut-core' && env.docsRepository || github.repository }} | |
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }} | |
GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }} | |
GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }} | |
- name: Run post-release | |
if: success() | |
uses: micronaut-projects/github-actions/post-release@master | |
env: | |
MICRONAUT_BUILD_EMAIL: ${{ secrets.MICRONAUT_BUILD_EMAIL }} | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
provenance-subject: | |
needs: [release] | |
runs-on: ubuntu-latest | |
outputs: | |
artifacts-sha256: ${{ steps.set-hash.outputs.artifacts-sha256 }} | |
steps: | |
- name: Download artifacts-sha256 | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: artifacts-sha256 | |
# The SLSA provenance generator expects the hash digest of artifacts to be passed as a job | |
# output. So we need to download the artifacts-sha256 and set it as job output. The hash of | |
# the artifacts should be set as output directly in the release job. But due to a known bug | |
# in GitHub Actions we have to use a workaround. | |
# See https://github.com/community/community/discussions/37942. | |
- name: Set artifacts-sha256 as output | |
id: set-hash | |
shell: bash | |
run: echo "artifacts-sha256=$(cat artifacts-sha256)" >> "$GITHUB_OUTPUT" | |
provenance: | |
needs: [release, provenance-subject] | |
permissions: | |
actions: read # To read the workflow path. | |
id-token: write # To sign the provenance. | |
contents: write # To add assets to a release. | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: "${{ needs.provenance-subject.outputs.artifacts-sha256 }}" | |
upload-assets: true # Upload to a new release. | |
compile-generator: true # Build the generator from source. | |
github_release: | |
needs: [release, provenance] | |
runs-on: ubuntu-latest | |
if: startsWith(github.ref, 'refs/tags/') | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Download artifacts | |
# Important: update actions/download-artifact to v4 only when generator_generic_slsa3.yml is also compatible. | |
# See https://github.com/slsa-framework/slsa-github-generator/issues/3068 | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: gradle-build-outputs | |
path: build/repo | |
- name: Create artifacts archive | |
shell: bash | |
run: | | |
find build/repo -type f \( \( -iname "*.jar" -not -iname "*-javadoc.jar" -not \ | |
-iname "*-sources.jar" \) -or -iname "*.pom" \) | xargs zip artifacts.zip | |
- name: Upload assets | |
# Upload the artifacts to the existing release. Note that the SLSA provenance will | |
# attest to each artifact file and not the aggregated ZIP file. | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 | |
with: | |
files: artifacts.zip |