create-release.yml
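# Manually triggered release pipeline: sets the project version, commits and
# tags it, builds, creates the GitHub release, attests the JARs and publishes
# to Maven Central.
#
# NOTE(review): every `uses:` below references a mutable version tag. This job
# holds the GPG signing key and the Maven Central credentials, so pinning each
# action to a full commit SHA (with the tag kept as a trailing comment) would
# stop a moved tag from changing what runs here.
name: Create Release

on:
  workflow_dispatch:
    inputs:
      versionTag:
        description: 'Version Tag (semantic version)'
        required: true

permissions:
  id-token: write  # OIDC token (JWT) requested by the provenance attestation step
  contents: write  # pushing the release commit and tag; checkout itself only needs read
  attestations: write  # required for provenance

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      # The dispatch input is handed to the steps as data through the
      # environment. Expanding ${{ ... }} directly inside a `run:` or `script:`
      # body pastes the raw value into the shell / JavaScript source.
      VERSION_TAG: ${{ github.event.inputs.versionTag }}
    steps:
      - name: Validate version tag
        # Runs before any secret is loaded. The allowlist keeps the value safe
        # for the sed replacement text, the git tag name and the Maven version.
        run: |
          pattern='^[0-9A-Za-z][0-9A-Za-z.+_-]*$'
          if [[ ! "$VERSION_TAG" =~ $pattern ]]; then
            echo "::error::versionTag must match ${pattern}"
            exit 1
          fi

      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0

      - name: Set up JDK 21
        uses: actions/setup-java@v5
        with:
          distribution: 'zulu'
          java-version: '21'
          settings-path: ${{ github.workspace }}

      - name: Load local Maven repository cache
        uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-

      - name: Import GPG private key
        # The key reaches gpg through the environment and stdin, never through
        # the command line. The listing prints key IDs and UIDs to the job log,
        # not key material.
        run: |
          echo "$GPG_PRIVATE_KEY" | gpg --batch --import
          gpg --list-secret-keys
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}

      - name: Set version in Maven project
        run: mvn versions:set "-DnewVersion=${VERSION_TAG}" -DprocessAllModules

      - name: Update CITATION.cff (version + date)
        run: |
          VERSION="${VERSION_TAG}"
          DATE="$(date -u +%Y-%m-%d)"
          # top-level fields
          sed -i "s/^version: .*/version: \"${VERSION}\"/" CITATION.cff
          sed -i "s/^date-released: .*/date-released: \"${DATE}\"/" CITATION.cff
          # preferred-citation fields (only if present)
          sed -i "s/^\(\s*version:\) .*/\1 \"${VERSION}\"/" CITATION.cff
          echo "Updated CITATION.cff to version=${VERSION}, date-released=${DATE}"

      # NOTE(review): the release commit and the tag are pushed before the
      # build runs, so a failed build leaves a published tag with no artefacts.
      - name: Commit release metadata (pom.xml + CITATION.cff)
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add pom.xml */pom.xml CITATION.cff || true
          if git diff --cached --quiet; then
            echo "No changes to commit."
          else
            git commit -m "Release ${VERSION_TAG}"
            git push
          fi

      - name: Create and push git tag
        run: |
          TAG="${VERSION_TAG}"
          git tag -a "${TAG}" -m "Release ${TAG}"
          git push origin "${TAG}"

      - name: Build with Maven
        run: mvn -B package -Prelease --file pom.xml

      # The release is created with a separate token instead of GITHUB_TOKEN.
      # NOTE(review): confirm that token is scoped to this repository's
      # releases only.
      - name: Create Release Notes
        if: ${{ !startsWith(github.ref, 'refs/tags/')
          && !( contains(github.event.inputs.versionTag, 'alpha')
          || contains(github.event.inputs.versionTag, 'beta')
          || contains(github.event.inputs.versionTag, 'rc')) }}
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.JOHNNY_Q5_REPORTS_TOKEN }}
          script: |
            // Tag and repository are read at run time rather than templated
            // into this source.
            await github.request('POST /repos/{owner}/{repo}/releases', {
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag_name: process.env.VERSION_TAG,
              generate_release_notes: true
            });

      - name: Create Pre-Release Notes
        if: ${{ !startsWith(github.ref, 'refs/tags/')
          && ( contains(github.event.inputs.versionTag, 'alpha')
          || contains(github.event.inputs.versionTag, 'beta')
          || contains(github.event.inputs.versionTag, 'rc')) }}
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.JOHNNY_Q5_REPORTS_TOKEN }}
          script: |
            await github.request('POST /repos/{owner}/{repo}/releases', {
              owner: context.repo.owner,
              repo: context.repo.repo,
              tag_name: process.env.VERSION_TAG,
              generate_release_notes: true,
              prerelease: true
            });

      # Generate provenance (SLSA attestation) for all JARs
      # NOTE(review): the attested digests come from the `package` run above,
      # while the deploy step below runs the Maven lifecycle again. Unless the
      # build is reproducible, the JARs uploaded to Maven Central may not match
      # the attested digests. Verify, or attest the files that deploy produces.
      - name: Generate SLSA build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: "**/target/*.jar"

      - name: Publish artefact to Maven Central
        run: mvn --quiet --settings "$GITHUB_WORKSPACE/.github.settings.xml" -Prelease -DskipTests deploy
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          SONATYPE_CENTRAL_USERNAME: ${{ secrets.SONATYPE_CENTRAL_USERNAME }}
          SONATYPE_CENTRAL_PASSWORD: ${{ secrets.SONATYPE_CENTRAL_PASSWORD }}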