From d7236fd41f9c04a47b1614cb409a102221ad0951 Mon Sep 17 00:00:00 2001
From: Paul Latzelsperger <43503240+paullatzelsperger@users.noreply.github.com>
Date: Wed, 13 Sep 2023 15:47:04 +0200
Subject: [PATCH] feat(build): publish to OSSRH Snapshots and MavenCentral from
 GHA (#72)

* feat(build): publish to OSSRH Snapshots and MavenCentral from GHA

* renamed file and job
---
 .github/actions/import-gpg-key/action.yml | 25 +++++++++++
 .github/workflows/_trigger-snapshot.yml   |  2 +-
 .github/workflows/publish-snapshot.yml    | 55 +++++++++++++++++++++++
 .github/workflows/trigger-snapshot.yml    | 36 ---------------
 4 files changed, 81 insertions(+), 37 deletions(-)
 create mode 100644 .github/actions/import-gpg-key/action.yml
 create mode 100644 .github/workflows/publish-snapshot.yml
 delete mode 100644 .github/workflows/trigger-snapshot.yml

diff --git a/.github/actions/import-gpg-key/action.yml b/.github/actions/import-gpg-key/action.yml
new file mode 100644
index 0000000..11d1887
--- /dev/null
+++ b/.github/actions/import-gpg-key/action.yml
@@ -0,0 +1,25 @@
+name: "Import GPG Key"
+description: "Imports a GPG key given in the input"
+inputs:
+  gpg-private-key:
+    required: true
+    description: "The GPG Private Key in plain text. Can be a sub-key."
+runs:
+  using: "composite"
+  steps:
+    # this is necessary because it creates gpg.conf, etc.
+    - name: List Keys
+      shell: bash
+      run: |
+        gpg -K --keyid-format=long
+
+    - name: Import GPG Private Key
+      shell: bash
+      run: |
+        echo "use-agent" >> ~/.gnupg/gpg.conf
+        echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
+        echo -e "${{ inputs.gpg-private-key }}" | gpg --import --batch
+        for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u);
+        do
+          echo -e "5\\ny\\n" |  gpg --batch --command-fd 0 --expert --edit-key $fpr trust;
+        done
\ No newline at end of file
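Review bot: The private key is expanded by the expression engine straight into the shell script text (`echo -e "${{ inputs.gpg-private-key }}"`), so the key material becomes part of the generated script and `echo -e` additionally rewrites any backslash sequence in it; passing it through the environment avoids both, e.g. `env: { GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }} }` on the step and `printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --import --batch` in the script. The trust loop that follows marks every fingerprint returned by `gpg --list-keys` as ultimately trusted, not only the key just imported; if the runner keyring can already hold other keys this widens trust beyond what the action name promises, so consider capturing the imported fingerprint from `gpg --import --import-options show-only --with-colons` (or `--list-secret-keys`) and trusting only that one. The scripts also run without `set -euo pipefail`, so a failed import is not surfaced by the step itself and is only noticed later when signing fails.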
diff --git a/.github/workflows/_trigger-snapshot.yml b/.github/workflows/_trigger-snapshot.yml
index 2f7f1bd..f76318e 100644
--- a/.github/workflows/_trigger-snapshot.yml
+++ b/.github/workflows/_trigger-snapshot.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   trigger-workflow:
-    uses: eclipse-edc/.github/.github/workflows/trigger-snapshot.yml@main
+    uses: eclipse-edc/.github/.github/workflows/publish-snapshot.yml@main
     with:
       github_repository: ${{ github.repository }}
     secrets:
diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml
new file mode 100644
index 0000000..506788a
--- /dev/null
+++ b/.github/workflows/publish-snapshot.yml
@@ -0,0 +1,55 @@
+name: "Publish Snapshot Build"
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  secrets-presence:
+    name: "Check for required credentials"
+    runs-on: ubuntu-latest
+    outputs:
+      HAS_OSSRH: ${{ steps.secret-presence.outputs.HAS_OSSRH }}
+    steps:
+      - name: Check whether secrets exist
+        id: secret-presence
+        run: |
+          [ ! -z "${{ secrets.ORG_GPG_PASSPHRASE }}" ] &&
+          [ ! -z "${{ secrets.ORG_GPG_PRIVATE_KEY }}" ] &&
+          [ ! -z "${{ secrets.ORG_OSSRH_USERNAME }}" ] && echo "HAS_OSSRH=true" >> $GITHUB_OUTPUT
+          exit 0
+
+  Publish-Snapshot:
+    name: "Publish artefacts to OSSRH Snapshots / MavenCentral"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    needs: [ secrets-presence ]
+
+    if: |
+      needs.secrets-presence.outputs.HAS_OSSRH
+    steps:
+      # Set-Up
+      - uses: actions/checkout@v3.5.2
+
+      # Import GPG Key
+      - uses: ./.github/actions/import-gpg-key
+        name: "Import GPG Key"
+        with:
+          gpg-private-key: ${{ secrets.ORG_GPG_PRIVATE_KEY }}
+
+      - uses: ./.github/actions/setup-build
+      - name: "Publish snapshot version"
+        env:
+          OSSRH_PASSWORD: ${{ secrets.ORG_OSSRH_PASSWORD }}
+          OSSRH_USER: ${{ secrets.ORG_OSSRH_USERNAME }}
+        run: |-
+          VERSION=$(./gradlew properties -q | grep "version:" | awk '{print $2}')
+          if [[ $VERSION != *-SNAPSHOT ]]
+          then
+            echo "::warning file=gradle.properties::$VERSION is not a snapshot version - will not publish!"
+            exit 0
+          fi
+          echo "Publishing Version $VERSION to Sonatype"
+          ./gradlew publishToSonatype --no-parallel -Pversion=$VERSION -Psigning.gnupg.executable=gpg -Psigning.gnupg.passphrase="${{ secrets.ORG_GPG_PASSPHRASE }}"
\ No newline at end of file
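Review bot: The credential check in `secrets-presence` tests `ORG_GPG_PASSPHRASE`, `ORG_GPG_PRIVATE_KEY` and `ORG_OSSRH_USERNAME` but not `ORG_OSSRH_PASSWORD`, which the publish step reads into `OSSRH_PASSWORD`; adding `[ ! -z "${{ secrets.ORG_OSSRH_PASSWORD }}" ] &&` to the chain makes the gate match what the job actually needs. The new `workflow_call:` trigger declares no inputs or secrets, yet the caller changed in the `_trigger-snapshot.yml` hunk still passes `github_repository` under `with:`, which GitHub rejects as an input not defined in the referenced workflow, and unless that caller uses `secrets: inherit` the `ORG_*` secrets will be empty in the called run — the caller's `secrets:` block ends outside the hunk, so this part is inferred. Secrets are also interpolated directly into `run:` scripts at several places, including the signing passphrase inside the `./gradlew publishToSonatype` command line; referencing them through `env:` (as the step already does for `OSSRH_PASSWORD`) keeps them out of the generated script text, e.g. `GPG_PASSPHRASE: ${{ secrets.ORG_GPG_PASSPHRASE }}` with `-Psigning.gnupg.passphrase="$GPG_PASSPHRASE"`. Finally, `packages: write` appears unused by the steps shown (publishing goes to Sonatype, not GitHub Packages), so it could likely be dropped to keep the token at least privilege.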
diff --git a/.github/workflows/trigger-snapshot.yml b/.github/workflows/trigger-snapshot.yml
deleted file mode 100644
index 25cf0b5..0000000
--- a/.github/workflows/trigger-snapshot.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-name: "Create Snapshot Build"
-
-on:
-  workflow_call:
-    inputs:
-      github_repository:
-        required: true
-        type: string
-    secrets:
-      jenkins_user:
-        required: true
-      jenkins_token:
-        required: true
-
-jobs:
-  Trigger-Snapshot:
-    runs-on: ubuntu-latest
-    # forks cannot trigger Jenkins
-    if: ${{ startsWith( inputs.github_repository, 'eclipse-edc') }}
-    steps:
-      # Trigger EF Jenkins. This job waits for Jenkins to complete the publishing, which may take a long time, because every
-      # module is signed individually, and parallelism is not available. Hence, the increased timeout of 3600 seconds.
-      # There is no way to cancel the process on Jenkins from withing GitHub.
-      - name: Call Jenkins API to trigger build
-        uses: toptal/jenkins-job-trigger-action@master
-        with:
-          jenkins_url: "https://ci.eclipse.org/edc/"
-          jenkins_user: ${{ secrets.jenkins_user }}
-          jenkins_token: ${{ secrets.jenkins_token }}
-          # empty params are needed, otherwise the job will fail.
-          job_params: |
-            {
-              "REPO": join('https://github.com/', ${{ inputs.github_repository }})
-            }
-          job_name: "Publish-Component"
-          job_timeout: "3600" # Default 30 sec. (optional)