diff --git a/.github/actions/import-gpg-key/action.yml b/.github/actions/import-gpg-key/action.yml
new file mode 100644
index 0000000..11d1887
--- /dev/null
+++ b/.github/actions/import-gpg-key/action.yml
@@ -0,0 +1,25 @@
+name: "Import GPG Key"
+description: "Imports a GPG key given in the input"
+inputs:
+ gpg-private-key:
+ required: true
+ description: "The GPG Private Key in plain text. Can be a sub-key."
+runs:
+ using: "composite"
+ steps:
+ # this is necessary because it creates gpg.conf, etc.
+ - name: List Keys
+ shell: bash
+ run: |
+ gpg -K --keyid-format=long
+
+ - name: Import GPG Private Key
+ shell: bash
+ run: |
+ echo "use-agent" >> ~/.gnupg/gpg.conf
+ echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
+ echo -e "${{ inputs.gpg-private-key }}" | gpg --import --batch
+ for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u);
+ do
+ echo -e "5\\ny\\n" | gpg --batch --command-fd 0 --expert --edit-key $fpr trust;
+ done
\ No newline at end of file
diff --git a/.github/workflows/trigger-snapshot.yml b/.github/workflows/trigger-snapshot.yml
index 25cf0b5..5f5e5a4 100644
--- a/.github/workflows/trigger-snapshot.yml
+++ b/.github/workflows/trigger-snapshot.yml
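Review bot: The private key is spliced straight into the shell script text via `echo -e "${{ inputs.gpg-private-key }}"` in the "Import GPG Private Key" step, so the key material lands in the generated script file and any `"`, `$(` or backtick in the input would be interpreted by bash; GitHub's own guidance for `run:` steps is to route expression values through `env:` rather than inlining them. Add `env:` with `GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }}` on that step and use `printf '%b\n' "$GPG_PRIVATE_KEY" | gpg --import --batch`, which keeps the same backslash-escape handling `echo -e` provided. The trust loop that follows sets ultimate ownertrust on every fingerprint in the keyring, not only the key just imported — harmless on a fresh hosted runner, less so on a self-hosted one with an existing keyring — and signing with a secret key does not require ownertrust at all, so the loop may be removable; if it stays, `printf '5\ny\n'` reads more clearly than `echo -e "5\\ny\\n"` inside a block scalar. A one-line comment above the loop stating why trust is being raised (and on which keys) would help the next maintainer decide that.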
@@ -1,36 +1,60 @@
-name: "Create Snapshot Build"
+name: "Publish Snapshot Build"
 on:
+ workflow_dispatch:
 workflow_call:
- inputs:
- github_repository:
- required: true
- type: string
- secrets:
- jenkins_user:
- required: true
- jenkins_token:
- required: true
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
 jobs:
+ secrets-presence:
+ name: "Check for required credentials"
+ runs-on: ubuntu-latest
+ outputs:
+ HAS_OSSRH: ${{ steps.secret-presence.outputs.HAS_OSSRH }}
+ steps:
+ - name: Check whether secrets exist
+ id: secret-presence
+ run: |
+ [ ! -z "${{ secrets.ORG_GPG_PASSPHRASE }}" ] &&
+ [ ! -z "${{ secrets.ORG_GPG_PRIVATE_KEY }}" ] &&
+ [ ! -z "${{ secrets.ORG_OSSRH_USERNAME }}" ] && echo "HAS_OSSRH=true" >> $GITHUB_OUTPUT
+ exit 0
+
 Trigger-Snapshot:
+ name: "Publish artefacts to OSSRH Snapshots / MavenCentral"
 runs-on: ubuntu-latest
- # forks cannot trigger Jenkins
- if: ${{ startsWith( inputs.github_repository, 'eclipse-edc') }}
+ permissions:
+ contents: read
+ packages: write
+ needs: [ secrets-presence ]
+
+ if: |
+ needs.secrets-presence.outputs.HAS_OSSRH
 steps:
- # Trigger EF Jenkins. This job waits for Jenkins to complete the publishing, which may take a long time, because every
- # module is signed individually, and parallelism is not available. Hence, the increased timeout of 3600 seconds.
- # There is no way to cancel the process on Jenkins from withing GitHub.
- - name: Call Jenkins API to trigger build
- uses: toptal/jenkins-job-trigger-action@master
+ # Set-Up
+ - uses: actions/checkout@v3.5.2
+
+ # Import GPG Key
+ - uses: ./.github/actions/import-gpg-key
+ name: "Import GPG Key"
 with:
- jenkins_url: "https://ci.eclipse.org/edc/"
- jenkins_user: ${{ secrets.jenkins_user }}
- jenkins_token: ${{ secrets.jenkins_token }}
- # empty params are needed, otherwise the job will fail.
- job_params: |
- {
- "REPO": join('https://github.com/', ${{ inputs.github_repository }})
- }
- job_name: "Publish-Component"
- job_timeout: "3600" # Default 30 sec. (optional)
+ gpg-private-key: ${{ secrets.ORG_GPG_PRIVATE_KEY }}
+
+ - uses: ./.github/actions/setup-build
+ - name: "Publish snapshot version"
+ env:
+ OSSRH_PASSWORD: ${{ secrets.ORG_OSSRH_PASSWORD }}
+ OSSRH_USER: ${{ secrets.ORG_OSSRH_USERNAME }}
+ run: |-
+ VERSION=$(./gradlew properties -q | grep "version:" | awk '{print $2}')
+ cmd=""
+ if [[ $VERSION != *-SNAPSHOT ]]
+ then
+ echo "::warning file=gradle.properties::$VERSION is not a snapshot version - will not publish!"
+ exit 0
+ fi
+ echo "Publishing Version $VERSION to Sonatype"
+ ./gradlew publishToSonatype ${cmd} --no-parallel -Pversion=$VERSION -Psigning.gnupg.executable=gpg -Psigning.gnupg.passphrase="${{ secrets.ORG_GPG_PASSPHRASE }}"
\ No newline at end of file
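Review bot: The GPG passphrase is inlined into the `./gradlew publishToSonatype` command line at the end of the "Publish snapshot version" `run:` block, so besides being written into the generated script it sits in that process's argv, which is readable via `ps`/`/proc` by any other process on the runner regardless of the log masking GitHub applies. Pass it through the step's `env:` instead — `GPG_PASSPHRASE: ${{ secrets.ORG_GPG_PASSPHRASE }}` — and reference `-Psigning.gnupg.passphrase="$GPG_PASSPHRASE"`; Gradle also reads project properties from `ORG_GRADLE_PROJECT_*` environment variables, which would keep it out of argv altogether, though whether that works for the dotted property name is worth confirming. The same `${{ secrets.* }}`-inside-`run:` pattern appears in the `secrets-presence` gate, and that gate never checks `ORG_OSSRH_PASSWORD` even though the publish step depends on it, so a missing password only shows up as a failed upload after the key has been imported. `permissions: packages: write` looks unused here since the job publishes to Sonatype rather than GitHub Packages and could presumably be dropped, and for a job with a signing key in scope `actions/checkout@v3.5.2` would be better pinned to a commit SHA than a mutable tag. `cmd=""` is assigned and never changed, so the `${cmd}` on the gradle line is dead and could go.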