From 3f8c0953a5ba61e01957537f54ea2a59b7d831ae Mon Sep 17 00:00:00 2001
From: Paul Latzelsperger <43503240+paullatzelsperger@users.noreply.github.com>
Date: Wed, 13 Sep 2023 15:47:04 +0200
Subject: [PATCH] feat(build): publish to OSSRH Snapshots and MavenCentral from GHA (#72)
* feat(build): publish to OSSRH Snapshots and MavenCentral from GHA
* renamed file and job
---
.github/actions/import-gpg-key/action.yml | 25 +++++++++++
.github/workflows/_trigger-snapshot.yml | 2 +-
.github/workflows/publish-snapshot.yml | 55 +++++++++++++++++++++++
.github/workflows/trigger-snapshot.yml | 36 ---------------
4 files changed, 81 insertions(+), 37 deletions(-)
create mode 100644 .github/actions/import-gpg-key/action.yml
create mode 100644 .github/workflows/publish-snapshot.yml
delete mode 100644 .github/workflows/trigger-snapshot.yml
diff --git a/.github/actions/import-gpg-key/action.yml b/.github/actions/import-gpg-key/action.yml
new file mode 100644
index 0000000..11d1887
--- /dev/null
+++ b/.github/actions/import-gpg-key/action.yml
@@ -0,0 +1,25 @@
+name: "Import GPG Key"
+description: "Imports a GPG key given in the input"
+inputs:
+ gpg-private-key:
+ required: true
+ description: "The GPG Private Key in plain text. Can be a sub-key."
+runs:
+ using: "composite"
+ steps:
+ # this is necessary because it creates gpg.conf, etc.
+ - name: List Keys
+ shell: bash
+ run: |
+ gpg -K --keyid-format=long
+
+ - name: Import GPG Private Key
+ shell: bash
+ run: |
+ echo "use-agent" >> ~/.gnupg/gpg.conf
+ echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
+ echo -e "${{ inputs.gpg-private-key }}" | gpg --import --batch
+ for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u);
+ do
+ echo -e "5\\ny\\n" | gpg --batch --command-fd 0 --expert --edit-key $fpr trust;
+ done
\ No newline at end of file
diff --git a/.github/workflows/_trigger-snapshot.yml b/.github/workflows/_trigger-snapshot.yml
index 2f7f1bd..f76318e 100644
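Review bot: The private key is spliced into the shell script text through `${{ inputs.gpg-private-key }}` in the "Import GPG Private Key" step, so the key material becomes part of the generated script instead of being read from the environment; the recommended pattern is an `env:` entry `GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }}` on that step and `echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch` in the script. The loop that follows assigns ownertrust level 5 (ultimate) to every fingerprint `gpg --list-keys` returns, not just the key that was imported, so on a runner whose keyring already holds other public keys the trust grant is broader than signing requires; iterating `gpg --list-secret-keys --with-colons` instead would scope it to the imported secret key, and a comment stating why ultimate trust is needed at all for signing would help, since I cannot tell from the hunk whether the Gradle signing plugin demands it. Nothing removes the key afterwards, which is fine on an ephemeral hosted runner but leaves the private key in `~/.gnupg` on a self-hosted one; a comment such as `# assumes an ephemeral runner: the imported key is not cleaned up` would make that assumption explicit.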
--- a/.github/workflows/_trigger-snapshot.yml
+++ b/.github/workflows/_trigger-snapshot.yml
@@ -7,7 +7,7 @@ on:
 jobs:
 trigger-workflow:
- uses: eclipse-edc/.github/.github/workflows/trigger-snapshot.yml@main
+ uses: eclipse-edc/.github/.github/workflows/publish-snapshot.yml@main
 with:
 github_repository: ${{ github.repository }}
 secrets:
diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml
new file mode 100644
index 0000000..506788a
--- /dev/null
+++ b/.github/workflows/publish-snapshot.yml
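Review bot: The caller still hands `with: github_repository:` (and the `secrets:` block that continues past the end of the hunk) to the renamed workflow, but the `publish-snapshot.yml` added in this same patch declares no `inputs` and no `secrets` under `workflow_call`; to my knowledge GitHub's validation rejects a reusable-workflow call that supplies an input or secret the callee does not define, and the callee's `secrets.ORG_GPG_PRIVATE_KEY` / `secrets.ORG_OSSRH_*` references only resolve when the caller passes them or uses `secrets: inherit`. Either declare `inputs.github_repository` and the `ORG_*` secrets in `publish-snapshot.yml`, or drop the `with:` block here and replace the passed secrets with `secrets: inherit`. The `@main` reference also means every consumer executes whatever is on the default branch of `eclipse-edc/.github` with its publishing credentials; pinning to a tag or commit SHA is the usual supply-chain hardening, though within one org that is a judgment call.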
@@ -0,0 +1,55 @@
+name: "Publish Snapshot Build"
+
+on:
+ workflow_dispatch:
+ workflow_call:
+
+jobs:
+ secrets-presence:
+ name: "Check for required credentials"
+ runs-on: ubuntu-latest
+ outputs:
+ HAS_OSSRH: ${{ steps.secret-presence.outputs.HAS_OSSRH }}
+ steps:
+ - name: Check whether secrets exist
+ id: secret-presence
+ run: |
+ [ ! -z "${{ secrets.ORG_GPG_PASSPHRASE }}" ] &&
+ [ ! -z "${{ secrets.ORG_GPG_PRIVATE_KEY }}" ] &&
+ [ ! -z "${{ secrets.ORG_OSSRH_USERNAME }}" ] && echo "HAS_OSSRH=true" >> $GITHUB_OUTPUT
+ exit 0
+
+ Publish-Snapshot:
+ name: "Publish artefacts to OSSRH Snapshots / MavenCentral"
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ needs: [ secrets-presence ]
+
+ if: |
+ needs.secrets-presence.outputs.HAS_OSSRH
+ steps:
+ # Set-Up
+ - uses: actions/checkout@v3.5.2
+
+ # Import GPG Key
+ - uses: ./.github/actions/import-gpg-key
+ name: "Import GPG Key"
+ with:
+ gpg-private-key: ${{ secrets.ORG_GPG_PRIVATE_KEY }}
+
+ - uses: ./.github/actions/setup-build
+ - name: "Publish snapshot version"
+ env:
+ OSSRH_PASSWORD: ${{ secrets.ORG_OSSRH_PASSWORD }}
+ OSSRH_USER: ${{ secrets.ORG_OSSRH_USERNAME }}
+ run: |-
+ VERSION=$(./gradlew properties -q | grep "version:" | awk '{print $2}')
+ if [[ $VERSION != *-SNAPSHOT ]]
+ then
+ echo "::warning file=gradle.properties::$VERSION is not a snapshot version - will not publish!"
+ exit 0
+ fi
+ echo "Publishing Version $VERSION to Sonatype"
+ ./gradlew publishToSonatype --no-parallel -Pversion=$VERSION -Psigning.gnupg.executable=gpg -Psigning.gnupg.passphrase="${{ secrets.ORG_GPG_PASSPHRASE }}"
\ No newline at end of file
diff --git a/.github/workflows/trigger-snapshot.yml b/.github/workflows/trigger-snapshot.yml
deleted file mode 100644
index 25cf0b5..0000000
--- a/.github/workflows/trigger-snapshot.yml
+++ /dev/null
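Review bot: `-Psigning.gnupg.passphrase="${{ secrets.ORG_GPG_PASSPHRASE }}"` on the last line of the publish step puts the passphrase both into the generated script and onto the gradle command line, where any process on the runner can read it from the process table, while the two OSSRH secrets in the same step already go through `env:`; move it to `GPG_PASSPHRASE: ${{ secrets.ORG_GPG_PASSPHRASE }}` under `env:` and reference `-Psigning.gnupg.passphrase="$GPG_PASSPHRASE"`, and if Gradle's `ORG_GRADLE_PROJECT_*` environment-property mechanism accepts the dotted property name it can stay off the command line entirely. The `secrets-presence` job tests `ORG_OSSRH_USERNAME` but never `ORG_OSSRH_PASSWORD`, so a missing password passes the gate and only fails inside the publish step; add `[ ! -z "${{ secrets.ORG_OSSRH_PASSWORD }}" ] &&` to the chain. The `Publish-Snapshot` job requests `packages: write`, yet nothing visible in it uses `GITHUB_TOKEN` or GitHub Packages, so unless `./.github/actions/setup-build` needs it `contents: read` alone satisfies least privilege; given that this reusable workflow runs with publishing credentials in other repositories, `actions/checkout@v3.5.2` is also a candidate for pinning to a commit SHA.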
@@ -1,36 +0,0 @@
-name: "Create Snapshot Build"
-
-on:
- workflow_call:
- inputs:
- github_repository:
- required: true
- type: string
- secrets:
- jenkins_user:
- required: true
- jenkins_token:
- required: true
-
-jobs:
- Trigger-Snapshot:
- runs-on: ubuntu-latest
- # forks cannot trigger Jenkins
- if: ${{ startsWith( inputs.github_repository, 'eclipse-edc') }}
- steps:
- # Trigger EF Jenkins. This job waits for Jenkins to complete the publishing, which may take a long time, because every
- module is signed individually, and parallelism is not available. Hence, the increased timeout of 3600 seconds.
- There is no way to cancel the process on Jenkins from withing GitHub.
- - name: Call Jenkins API to trigger build
- uses: toptal/jenkins-job-trigger-action@master
- with:
- jenkins_url: "https://ci.eclipse.org/edc/"
- jenkins_user: ${{ secrets.jenkins_user }}
- jenkins_token: ${{ secrets.jenkins_token }}
- # empty params are needed, otherwise the job will fail.
- job_params: |
- {
- "REPO": join('https://github.com/', ${{ inputs.github_repository }})
- }
- job_name: "Publish-Component"
- job_timeout: "3600" # Default 30 sec. (optional)