From 3a92ad95a027c68480a5b8363f4b0f7e6da41986 Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Tue, 3 Jan 2023 15:31:07 +0000
Subject: [PATCH 1/8] Set pom url to my fork
---
 pom.xml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 1b0fc72171..7ae1b1578f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -25,11 +25,11 @@ 2008 - https://github.com/FasterXML/jackson-core + https://github.com/pnacht/jackson-core - scm:git:git@github.com:FasterXML/jackson-core.git - scm:git:git@github.com:FasterXML/jackson-core.git - https://github.com/FasterXML/jackson-core + scm:git:git@github.com:pnacht/jackson-core.git + scm:git:git@github.com:pnacht/jackson-core.git + https://github.com/pnacht/jackson-core HEAD
From 5077716ab5477bda203682f7c883a78ab92ddfc6 Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Mon, 9 Jan 2023 20:56:34 +0000
Subject: [PATCH 2/8] Add release.sh and release.yml
---
 .github/workflows/release.yml | 36 +++++++++++++++++++++++++++++
 jackson-release.sh | 43 +++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 .github/workflows/release.yml
 create mode 100755 jackson-release.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000000..9ed6a42a5f
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,36 @@
+# This workflow publishes a new release to Maven central.
+#
+# The release MUST be initiated by running the release.sh script. That script will run
+# ./mvnw release:prepare and make the necessary changes for this workflow to then take
+# over and perform the actual release.
+
+name: Publish new release
+on:
+ push:
+ tags:
+ - "*"
+ - "!*-rc*"
+ - "!*.pr*"
+ - "!*b"
+
+jobs:
+ build:
+ runs-on: "ubuntu-20.04"
+ env:
+ JAVA_OPTS: "-XX:+TieredCompilation -XX:TieredStopAtLevel=1"
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up JDK
+ uses: actions/setup-java@v3
+ with:
+ distribution: "temurin"
+ java-version: "8"
+ cache: "maven"
+ server-id: sonatype-nexus-snapshots
+ server-username: CI_DEPLOY_USERNAME
+ server-password: CI_DEPLOY_PASSWORD
+ # See https://github.com/actions/setup-java/blob/v2/docs/advanced-usage.md#Publishing-using-Apache-Maven
+ # gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
+ # gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
+ - name: Perform release
+ run: ./mvnw -B -q -ff -ntp release:perform
diff --git a/jackson-release.sh b/jackson-release.sh
new file mode 100755
index 0000000000..26a027a47e
--- /dev/null
+++ b/jackson-release.sh
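Review bot: The `Perform release` step at the end of the hunk never maps the deploy credentials into its environment, while `server-username: CI_DEPLOY_USERNAME` / `server-password: CI_DEPLOY_PASSWORD` make setup-java write `${env.CI_DEPLOY_USERNAME}` / `${env.CI_DEPLOY_PASSWORD}` placeholders into settings.xml, so the upload would run with empty credentials; add an `env:` block to that step, e.g. `env:` / `CI_DEPLOY_USERNAME: ${{ secrets.<deploy-username-secret> }}` / `CI_DEPLOY_PASSWORD: ${{ secrets.<deploy-password-secret> }}` with the repository's actual secret names. The same step is carried unchanged through patches 3, 4 and 8, so the gap persists in the final state of the series. The workflow also declares no top-level `permissions:`, so the `build` job runs with the default token scope although, as far as the visible steps go, it needs no more than `contents: read`; and `actions/checkout@v3` and `actions/setup-java@v3` are pinned to mutable tags rather than commit SHAs, which matters for a job that holds publishing credentials. The GPG inputs are left commented out, so the artifacts will presumably not be signed during release:perform unless the pom's release profile supplies the key another way — worth confirming before the first tag push.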
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# This script simulates the Maven Release Plugin, but only performs release:clean and
+# release:prepare. The release:perform step is handled by the CI when the tag is
+# pushed.
+#
+# However, release:perform on Git requires the release.properties file. We must
+# therefore modify the first commit created by release:prepare to include this file, and
+# then delete the file in the second commit.
+#
+# This will ensure that release.properties is available to release:perform in the CI,
+# while keeping with the expectation that this file does not get commited (long-term) to
+# the repository.
+
+set -euo pipefail
+
+# Prepare but don't push, we'll need to modify the commits
+./mvnw release:clean release:prepare -DpushChanges=false
+
+# Step back to the first commit (from SNAPSHOT to release)
+git reset HEAD~1
+
+# delete tag created by release:prepare
+tag_name=$(git tag --points-at)
+git tag -d "$tag_name"
+
+# Add release.properties to that commit
+git add release.properties
+git commit --amend --no-edit
+
+# recreate tag
+git tag "$tag_name" -m "[maven-release-plugin] copy for tag $tag_name"
+
+# Recreate second commit, removing release.properties from the repository
+git rm release.properties
+git add pom.xml
+git commit -m "[maven-release-plugin] prepare for next development iteration"
+
+# push everything
+git push
+git push origin "$tag_name"
+
+rm pom.xml.releaseBackup
\ No newline at end of file
From 46dce9ceab3a7636287b0dfb418988a96bf2a790 Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Fri, 13 Jan 2023 15:33:01 +0000
Subject: [PATCH 3/8] Add localCheckout to release:perform
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9ed6a42a5f..e8eef2cc16 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
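Review bot: `tag_name=$(git tag --points-at)` collects every tag at HEAD, so if more than one tag points at the release commit the variable holds several newline-separated names and the following `git tag -d "$tag_name"` fails under `set -e` after `git reset HEAD~1` has already rewritten the branch; a guard before the delete, e.g. `[ "$(git tag --points-at | wc -l)" -eq 1 ] || { echo "expected exactly one tag at HEAD" >&2; exit 1; }`, keeps the script from stopping half-way through the rewrite. The amended commit also makes release.properties a permanent part of the tagged commit's history; as far as I recall the release plugin persists `scm.username`/`scm.password` into that file when `release:prepare` is given credentials, so the script should refuse to commit it if those keys are present, e.g. `! grep -Eq '^scm\.(username|password)=' release.properties || { echo "release.properties contains SCM credentials" >&2; exit 1; }`. Finally, the bare `git push` relies on whatever upstream the local branch happens to have configured, so the push target depends on local checkout state; `git push origin HEAD` next to the existing tag push would make the destination explicit. The same `--points-at` line is touched again (quoted) in patch 8 without addressing the multi-tag case.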
@@ -33,4 +33,4 @@ jobs:
 # gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
 # gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
 - name: Perform release
- run: ./mvnw -B -q -ff -ntp release:perform
+ run: ./mvnw -B -q -ff -ntp release:perform -DlocalCheckout=true
From a75a5bd125913a74aa5fc24c0c63db2d28d99231 Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Fri, 13 Jan 2023 18:22:43 +0000
Subject: [PATCH 4/8] Rename jackson-release.sh to release.sh, document release.yml
---
 .github/workflows/release.yml | 4 +++-
 jackson-release.sh => release.sh | 0
 2 files changed, 3 insertions(+), 1 deletion(-)
 rename jackson-release.sh => release.sh (100%)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e8eef2cc16..2076435078 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ on:
 - "!*b"
 jobs:
- build:
+ release:
 runs-on: "ubuntu-20.04"
 env:
 JAVA_OPTS: "-XX:+TieredCompilation -XX:TieredStopAtLevel=1"
@@ -33,4 +33,6 @@ jobs:
 # gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
 # gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
 - name: Perform release
+ # The following command will only succeed if the preparation was done via the
+ # release.sh script.
 run: ./mvnw -B -q -ff -ntp release:perform -DlocalCheckout=true
diff --git a/jackson-release.sh b/release.sh
similarity index 100%
rename from jackson-release.sh
rename to release.sh
From dc4f2cad78d31524dca15e1761f4d8e29069ed4c Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Fri, 13 Jan 2023 18:24:33 +0000
Subject: [PATCH 5/8] Add provenance
---
 .github/workflows/release.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2076435078..96c3d7178a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,6 +18,10 @@ jobs:
 runs-on: "ubuntu-20.04"
 env:
 JAVA_OPTS: "-XX:+TieredCompilation -XX:TieredStopAtLevel=1"
+ outputs:
+ hash: ${{ steps.hash.outputs.hash }}
+ artifact_name: ${{ steps.hash.outputs.artifact_name }}
+ project_version: ${{ steps.projectVersion.outputs.version }}
 steps:
 - uses: actions/checkout@v3
 - name: Set up JDK
@@ -36,3 +40,30 @@ jobs:
 # The following command will only succeed if the preparation was done via the
 # release.sh script.
 run: ./mvnw -B -q -ff -ntp release:perform -DlocalCheckout=true
+ - name: Generate hash
+ id: hash
+ run: |
+ ARTIFACT_NAME="$( \
+ ./mvnw help:evaluate \
+ -Dexpression=project.artifactId -q -DforceStdout)-$( \
+ ./mvnw help:evaluate \
+ -Dexpression=project.version -q -DforceStdout)"
+ echo "artifact_name=$ARTIFACT_NAME" >> "$GITHUB_OUTPUT"
+
+ cd ./target
+ echo "hash=$( \
+ sha256sum $ARTIFACT_NAME*.jar | \
+ base64 -w0 \
+ )" >> "$GITHUB_OUTPUT"
+
+ provenance:
+ needs: [release]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+ with:
+ base64-subjects: "${{ needs.release.outputs.hash }}"
+ provenance-name: "${{ needs.release.outputs.artifact_name }}.jar.intoto.jsonl"
+ upload-assets: true # Optional: Upload to a new release
From 3549c72f49e76b26477e250bd98c5b21ed3163a7 Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Fri, 20 Jan 2023 21:23:07 +0000
Subject: [PATCH 6/8] Revert "Set pom url to my fork"
This reverts commit 3a92ad95a027c68480a5b8363f4b0f7e6da41986.
---
 pom.xml | 8 ++++----
 release.sh | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/pom.xml b/pom.xml
index 7ae1b1578f..1b0fc72171 100644
--- a/pom.xml
+++ b/pom.xml
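Review bot: The `Generate hash` step in the second hunk does `cd ./target` and globs `$ARTIFACT_NAME*.jar` there, but `release:perform` builds from a fresh checkout of the tag — by default its working directory is `target/checkout`, unless the pom's release configuration overrides it — so the released jars should land in `target/checkout/target/` and the glob in `./target` would match nothing; `sha256sum` then fails on the literal pattern and no subjects reach the `provenance` job. Please confirm the location on a dry run and point the `cd` at the directory that actually holds the uploaded jars, and make an empty match fail loudly before hashing, e.g. `ls -- "$ARTIFACT_NAME"*.jar` as the line before the `echo "hash=…"`; quoting `"$ARTIFACT_NAME"` in the glob also keeps a name containing whitespace from splitting. The two `help:evaluate` calls read the working-tree pom, which after the checkout of the tag carries the release version, so the computed name presumably matches the built jars, but that assumption is worth stating in a comment above the step since the hashed files are exactly what the provenance will attest to.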
@@ -25,11 +25,11 @@ 2008 - https://github.com/pnacht/jackson-core + https://github.com/FasterXML/jackson-core - scm:git:git@github.com:pnacht/jackson-core.git - scm:git:git@github.com:pnacht/jackson-core.git - https://github.com/pnacht/jackson-core + scm:git:git@github.com:FasterXML/jackson-core.git + scm:git:git@github.com:FasterXML/jackson-core.git + https://github.com/FasterXML/jackson-core HEAD
diff --git a/release.sh b/release.sh
index 26a027a47e..a88c3fc550 100755
--- a/release.sh
+++ b/release.sh
@@ -40,4 +40,4 @@ git commit -m "[maven-release-plugin] prepare for next development iteration"
 git push
 git push origin "$tag_name"
-rm pom.xml.releaseBackup
\ No newline at end of file
+rm pom.xml.releaseBackup
From 07b35e1596dda2ad2c3ccf25006888ea7397b2e0 Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Mon, 23 Jan 2023 20:40:27 +0000
Subject: [PATCH 7/8] Remove unnecessary output
Signed-off-by: Pedro Kaj Kjellerup Nacht
---
 .github/workflows/release.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 96c3d7178a..2bdd1e1ac7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,6 @@ jobs:
 outputs:
 hash: ${{ steps.hash.outputs.hash }}
 artifact_name: ${{ steps.hash.outputs.artifact_name }}
- project_version: ${{ steps.projectVersion.outputs.version }}
 steps:
 - uses: actions/checkout@v3
 - name: Set up JDK
From d08eddb4119a2ee3714339852c548d0a5255e326 Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht
Date: Wed, 8 Feb 2023 19:45:33 +0000
Subject: [PATCH 8/8] Fix server-id, validate version
---
 .github/workflows/release.yml | 7 +++++--
 release.sh | 22 ++++++++++++----------
 2 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2bdd1e1ac7..b5143011ef 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,6 @@ on:
 push:
 tags:
 - "*"
- - "!*-rc*"
 - "!*.pr*"
 - "!*b"
@@ -18,10 +17,14 @@ jobs:
 runs-on: "ubuntu-20.04"
 env:
 JAVA_OPTS: "-XX:+TieredCompilation -XX:TieredStopAtLevel=1"
+ TAG: ${{ github.ref_name }}
 outputs:
 hash: ${{ steps.hash.outputs.hash }}
 artifact_name: ${{ steps.hash.outputs.artifact_name }}
 steps:
+ - name: Validate version name
+ run: |
+ [[ "$TAG" =~ jackson-core-[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)? ]] || exit 1
 - uses: actions/checkout@v3
 - name: Set up JDK
 uses: actions/setup-java@v3
@@ -29,7 +32,7 @@ jobs:
 distribution: "temurin"
 java-version: "8"
 cache: "maven"
- server-id: sonatype-nexus-snapshots
+ server-id: sonatype-nexus-staging
 server-username: CI_DEPLOY_USERNAME
 server-password: CI_DEPLOY_PASSWORD
 # See https://github.com/actions/setup-java/blob/v2/docs/advanced-usage.md#Publishing-using-Apache-Maven
diff --git a/release.sh b/release.sh
index a88c3fc550..a67eee5e79 100755
--- a/release.sh
+++ b/release.sh
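Review bot: The `Validate version name` regex in the second hunk is unanchored, so `[[ "$TAG" =~ jackson-core-[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)? ]]` accepts any tag that merely contains a version-looking substring (for example `jackson-core-2.15.0-SNAPSHOT` or `x-jackson-core-2.15.0-y`), which defeats the purpose of gating a publish on the tag name; anchor it as `[[ "$TAG" =~ ^jackson-core-[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$ ]] || { echo "::error::unexpected tag name: $TAG"; exit 1; }` so only exact release tags proceed and the failure is visible in the job log. Running this check before `actions/checkout` is the right order, since nothing from the tagged commit executes until the name has been accepted, and passing the ref through `TAG: ${{ github.ref_name }}` rather than interpolating an expression into the script keeps the tag text from altering the `run:` body. The first hunk drops the `"!*-rc*"` filter so rc tags now reach this job; that is consistent with the `(-rc[0-9]+)?` group, but it means an rc tag also triggers `release:perform` against `sonatype-nexus-staging` (third hunk), which should be confirmed as intended.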
@@ -1,16 +1,16 @@
 #!/bin/bash
-# This script simulates the Maven Release Plugin, but only performs release:clean and
-# release:prepare. The release:perform step is handled by the CI when the tag is
-# pushed.
+# This script simulates the Maven Release Plugin, but only performs
+# release:clean and release:prepare. The release:perform step is handled by the
+# CI when the tag is pushed.
 #
 # However, release:perform on Git requires the release.properties file. We must
-# therefore modify the first commit created by release:prepare to include this file, and
-# then delete the file in the second commit.
+# therefore modify the first commit created by release:prepare to include this
+# file, and then delete the file in the second commit.
 #
-# This will ensure that release.properties is available to release:perform in the CI,
-# while keeping with the expectation that this file does not get commited (long-term) to
-# the repository.
+# This will ensure that release.properties is available to release:perform in
+# the CI, while keeping with the expectation that this file does not get
+# commited (long-term) to the repository.
 set -euo pipefail
@@ -21,7 +21,7 @@ set -euo pipefail
 git reset HEAD~1
 # delete tag created by release:prepare
-tag_name=$(git tag --points-at)
+tag_name="$(git tag --points-at)"
 git tag -d "$tag_name"
 # Add release.properties to that commit
@@ -31,7 +31,8 @@ git commit --amend --no-edit
 # recreate tag
 git tag "$tag_name" -m "[maven-release-plugin] copy for tag $tag_name"
-# Recreate second commit, removing release.properties from the repository
+# Recreate second commit (from release to SNAPSHOT), removing
+# release.properties from the repository
 git rm release.properties
 git add pom.xml
 git commit -m "[maven-release-plugin] prepare for next development iteration"
@@ -40,4 +41,5 @@ git commit -m "[maven-release-plugin] prepare for next development iteration"
 git push
 git push origin "$tag_name"
+# clean up
 rm pom.xml.releaseBackup