diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000000..b5143011ef
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,71 @@
+# This workflow publishes a new release to Maven central.
+#
+# The release MUST be initiated by running the release.sh script. That script will run
+# ./mvnw release:prepare and make the necessary changes for this workflow to then take
+# over and perform the actual release.
+
+name: Publish new release
+on:
+ push:
+ tags:
+ - "*"
+ - "!*.pr*"
+ - "!*b"
+
+jobs:
+ release:
+ runs-on: "ubuntu-20.04"
+ env:
+ JAVA_OPTS: "-XX:+TieredCompilation -XX:TieredStopAtLevel=1"
+ TAG: ${{ github.ref_name }}
+ outputs:
+ hash: ${{ steps.hash.outputs.hash }}
+ artifact_name: ${{ steps.hash.outputs.artifact_name }}
+ steps:
+ - name: Validate version name
+ run: |
+ [[ "$TAG" =~ jackson-core-[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)? ]] || exit 1
+ - uses: actions/checkout@v3
+ - name: Set up JDK
+ uses: actions/setup-java@v3
+ with:
+ distribution: "temurin"
+ java-version: "8"
+ cache: "maven"
+ server-id: sonatype-nexus-staging
+ server-username: CI_DEPLOY_USERNAME
+ server-password: CI_DEPLOY_PASSWORD
+ # See https://github.com/actions/setup-java/blob/v2/docs/advanced-usage.md#Publishing-using-Apache-Maven
+ # gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
+ # gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
+ - name: Perform release
+ # The following command will only succeed if the preparation was done via the
+ # release.sh script.
+ run: ./mvnw -B -q -ff -ntp release:perform -DlocalCheckout=true
+ - name: Generate hash
+ id: hash
+ run: |
+ ARTIFACT_NAME="$( \
+ ./mvnw help:evaluate \
+ -Dexpression=project.artifactId -q -DforceStdout)-$( \
+ ./mvnw help:evaluate \
+ -Dexpression=project.version -q -DforceStdout)"
+ echo "artifact_name=$ARTIFACT_NAME" >> "$GITHUB_OUTPUT"
+
+ cd ./target
+ echo "hash=$( \
+ sha256sum $ARTIFACT_NAME*.jar | \
+ base64 -w0 \
+ )" >> "$GITHUB_OUTPUT"
+
+ provenance:
+ needs: [release]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+ with:
+ base64-subjects: "${{ needs.release.outputs.hash }}"
+ provenance-name: "${{ needs.release.outputs.artifact_name }}.jar.intoto.jsonl"
+ upload-assets: true # Optional: Upload to a new release
diff --git a/release.sh b/release.sh
new file mode 100755
index 0000000000..a67eee5e79
--- /dev/null
+++ b/release.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# This script simulates the Maven Release Plugin, but only performs
+# release:clean and release:prepare. The release:perform step is handled by the
+# CI when the tag is pushed.
+#
+# However, release:perform on Git requires the release.properties file. We must
+# therefore modify the first commit created by release:prepare to include this
+# file, and then delete the file in the second commit.
+#
+# This will ensure that release.properties is available to release:perform in
+# the CI, while keeping with the expectation that this file does not get
+# commited (long-term) to the repository.
+
+set -euo pipefail
+
+# Prepare but don't push, we'll need to modify the commits
+./mvnw release:clean release:prepare -DpushChanges=false
+
+# Step back to the first commit (from SNAPSHOT to release)
+git reset HEAD~1
+
+# delete tag created by release:prepare
+tag_name="$(git tag --points-at)"
+git tag -d "$tag_name"
+
+# Add release.properties to that commit
+git add release.properties
+git commit --amend --no-edit
+
+# recreate tag
+git tag "$tag_name" -m "[maven-release-plugin] copy for tag $tag_name"
+
+# Recreate second commit (from release to SNAPSHOT), removing
+# release.properties from the repository
+git rm release.properties
+git add pom.xml
+git commit -m "[maven-release-plugin] prepare for next development iteration"
+
+# push everything
+git push
+git push origin "$tag_name"
+
+# clean up
+rm pom.xml.releaseBackup
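Review bot: The regex in the "Validate version name" step is unanchored, so any tag that merely contains the pattern passes (a prefix or suffix around `jackson-core-X.Y.Z` still triggers a publish); anchor it as `[[ "$TAG" =~ ^jackson-core-[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$ ]] || exit 1`. The "Generate hash" step can also succeed with an empty hash, because `sha256sum $ARTIFACT_NAME*.jar` runs inside a command substitution whose exit status is discarded by `echo`; if the glob matches no jar in `./target` (release:perform presumably builds from a checkout directory rather than the workspace root — verify the path), the `hash` output and therefore the provenance subject list would be empty. Capture it first, `HASH="$(sha256sum "$ARTIFACT_NAME"*.jar | base64 -w0)"`, then `[[ -n "$HASH" ]] || exit 1` before writing it to `$GITHUB_OUTPUT`. The "Perform release" step sets no `env:` for `CI_DEPLOY_USERNAME`/`CI_DEPLOY_PASSWORD` that the setup-java settings.xml references, and the GPG entries are commented out, so it is not visible here how the deploy credentials and signing key reach `release:perform` — worth a comment on that step. For a workflow that emits signed provenance, pinning `actions/checkout@v3` and `actions/setup-java@v3` to full commit SHAs would also be appropriate.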
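Review bot: `tag_name="$(git tag --points-at)"` collects every tag pointing at HEAD, so if the release commit already carries another tag the variable holds several newline-separated names and `git tag -d "$tag_name"`, `git tag "$tag_name" -m ...` and `git push origin "$tag_name"` all operate on a bogus name; validating it with the same pattern the workflow checks, `[[ "$tag_name" =~ ^jackson-core-[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$ ]] || exit 1`, rejects both the multi-tag and the empty case and keeps the local and CI checks in agreement. A failure anywhere between `git reset HEAD~1` and the final `git push` leaves the branch with the release commit rewritten, the tag deleted and the working tree dirty, with no cleanup, so the header comment should state that the script is not safely re-runnable and how to recover. Since the amended commit (and the tag the CI builds from) keeps release.properties in history permanently, a comment confirming that no scm credentials are passed to `release:prepare` on the command line (the plugin records such values in that file when they are supplied) — to be verified against the project's release setup — would save the next reviewer the question.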