# Composite GitHub Action that wraps the Maven build / sign / deploy flow used to
# publish Camunda community extensions to the Camunda Artifactory and to
# OSS Nexus / Maven Central.
name: 'Release Camunda Community Project on Maven Central'
description: 'Encapsulates the release process of Camunda community extensions'
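# Caller-supplied configuration. Every input is a string. The inputs holding
# Maven options are split on whitespace into separate command-line arguments,
# so pass literals or trusted workflow values, never text taken from an
# untrusted event (tag names, PR titles, issue bodies, ...).
inputs:
  artifacts-pattern:
    description: >-
      find(1) -path pattern of the built artifacts to collect into the
      artifacts_archive_path zip. Set to an empty string to disable archiving.
    required: false
    default: './target/nexus-staging/**/*.jar'
  run-tests:
    description: >-
      Whether to explicitly run the Maven tests prior to releasing. Any
      non-empty value runs them; the empty default builds with -DskipTests.
    required: false
    default: ''
  maven-additional-options:
    description: Any extra Maven options, added to every mvn invocation of this action.
    required: false
    default: ''
  maven-release-options:
    description: Any extra Maven options for the deploy steps only (-DskipTests is already implied).
    required: false
    default: ''
  release-version:
    description: >-
      Release version (usually the tag name). If empty, a SNAPSHOT with the
      currently configured version is deployed instead of a release. Note that
      the default is "latest": the SNAPSHOT path is only taken when the caller
      explicitly passes an empty string.
    required: false
    default: 'latest'
  release-profile:
    description: >-
      Maven profile (passed as -P) selected for building the release
      artifacts; typically "community-action-maven-release". Empty disables it.
    required: false
    default: 'community-action-maven-release'
  central-release-profile:
    description: >-
      Maven profile (passed as -P) that configures the Maven Central release;
      typically "oss-maven-central". Empty disables it.
    required: false
    default: 'oss-maven-central'
  camunda-release-profile:
    description: >-
      Maven profile (passed as -P) that configures the Camunda Artifactory
      release; typically "camunda-repository". Empty disables it.
    required: false
    default: 'camunda-repository'
  nexus-usr:
    description: Camunda Nexus username (exposed to Maven as NEXUS_USR)
    required: true
  nexus-psw:
    description: Camunda Nexus password (exposed to Maven as NEXUS_PSW); pass a secret, never a literal
    required: true
  maven-usr:
    description: Maven Central username (exposed to Maven as MAVEN_USR)
    required: true
  maven-psw:
    description: Maven Central password (exposed to Maven as MAVEN_PSW); pass a secret, never a literal
    required: true
  maven-gpg-passphrase:
    description: >-
      GPG passphrase used to unlock the signing key (exposed to Maven as
      MAVEN_GPG_PASSPHRASE); pass a secret, never a literal
    required: true
  maven-auto-release-after-close:
    description: >-
      Passed as -DautoReleaseAfterClose. "true" triggers the automatic release
      in OSS Maven Central once the staging repository closes successfully;
      "false" stops after the close.
    required: true
    default: 'false'
  github-token:
    description: >-
      GitHub token used to upload the Trivy SARIF report to code scanning.
      Only used when vulnerability-scan is "true"; the upload requires the
      security-events: write permission.
    required: true
  maven-build-options:
    description: Any extra Maven options for the initial build (package) step only
    required: false
    default: ''
  vulnerability-scan:
    description: >-
      Set to "true" to scan the workspace with Aqua Security Trivy after the
      build; HIGH or CRITICAL findings fail the release. Any other value skips
      the scan.
    required: false
    default: 'false'
  maven-url:
    description: >-
      Host name (without scheme) of the Maven Central / Sonatype OSS instance,
      used as https://<maven-url>/ for -DnexusUrl; e.g. newer projects are
      hosted under s01.oss.sonatype.org.
    required: false
    default: 'oss.sonatype.org'
  branch:
    description: Branch on which the new development version numbers will be committed
    required: false
    default: ${{ github.event.repository.default_branch }}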
# Values exposed to the calling workflow. The archive step exits before it
# writes `filename` when artifacts-pattern is empty, so this output is then
# unset.
outputs:
  artifacts_archive_path:
    description: 'Filename of zipfile containing all files matched by artifacts-pattern.'
    value: ${{ steps.create-archive.outputs.filename }}
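runs:
  using: composite
  steps:
    # Every `run:` step below receives its inputs through `env:` and reads them
    # as shell variables. A `${{ inputs.* }}` expression is substituted as raw
    # text into the script before bash parses it, so a caller that fed an input
    # from untrusted event data (a tag name, a PR title, ...) could have
    # injected arbitrary commands into a job that holds the release credentials.
    - name: Initialize
      id: initialize
      shell: bash
      env:
        INPUT_RELEASE_PROFILE: ${{ inputs.release-profile }}
        INPUT_CENTRAL_RELEASE_PROFILE: ${{ inputs.central-release-profile }}
        INPUT_CAMUNDA_RELEASE_PROFILE: ${{ inputs.camunda-release-profile }}
      run: |-
        echo "Repo: ${GITHUB_REPOSITORY}"
        git config --global user.name "Release Bot"
        # NOTE(review): the address below looks redacted in this copy of the
        # file; confirm the real bot address against the repository.
        git config --global user.email [email protected]
        # Export the -P flags consumed by the publish steps. An empty profile
        # name leaves the variable unset so Maven is not handed a bare "-P".
        # `if` instead of `test && echo` also keeps the step from failing just
        # because the last profile input happens to be empty.
        if [[ -n "${INPUT_RELEASE_PROFILE}" ]]; then
          echo "RELEASE_PROFILE=-P${INPUT_RELEASE_PROFILE}" >> "${GITHUB_ENV}"
        fi
        if [[ -n "${INPUT_CENTRAL_RELEASE_PROFILE}" ]]; then
          echo "CENTRAL_RELEASE_PROFILE=-P${INPUT_CENTRAL_RELEASE_PROFILE}" >> "${GITHUB_ENV}"
        fi
        if [[ -n "${INPUT_CAMUNDA_RELEASE_PROFILE}" ]]; then
          echo "CAMUNDA_RELEASE_PROFILE=-P${INPUT_CAMUNDA_RELEASE_PROFILE}" >> "${GITHUB_ENV}"
        fi
        # Install the action's settings.xml (presumably it references the
        # NEXUS_*/MAVEN_* variables set on the publish steps). ~/.m2 does not
        # exist on a fresh runner, and any settings.xml already there is
        # replaced.
        mkdir -p "${HOME}/.m2"
        cp -v "${{ github.action_path }}/resources/settings.xml" "${HOME}/.m2/"
    - name: Run maven
      id: run-maven
      shell: bash
      env:
        INPUT_RUN_TESTS: ${{ inputs.run-tests }}
        INPUT_MAVEN_ADDITIONAL_OPTIONS: ${{ inputs.maven-additional-options }}
        INPUT_MAVEN_BUILD_OPTIONS: ${{ inputs.maven-build-options }}
      run: |-
        # Any non-empty run-tests value runs the test suite; empty skips it.
        SKIP_TESTS=""
        if [[ -z "${INPUT_RUN_TESTS}" ]]; then
          SKIP_TESTS="-DskipTests"
        fi
        # The option variables are deliberately left unquoted so that several
        # whitespace-separated options become separate mvn arguments.
        mvn -B ${INPUT_MAVEN_ADDITIONAL_OPTIONS} ${INPUT_MAVEN_BUILD_OPTIONS} package ${SKIP_TESTS}
    # Third-party actions are referenced by mutable tags; pinning them to a
    # full-length commit SHA is the usual protection against a tag being
    # moved to malicious code.
    - name: Archive Test Results on Failure
      id: upload-test-results-on-fail
      uses: actions/upload-artifact@v3
      if: ${{ inputs.run-tests && failure() }}
      with:
        name: test-results
        path: target/surefire-reports/
        retention-days: 7
    - name: Publish Unit Test Results on Failure
      id: publish-test-results-on-fail
      uses: EnricoMi/[email protected]
      if: ${{ inputs.run-tests && failure() }}
      with:
        junit_files: target/surefire-reports/*.xml
    ###########################################
    # Download and install Trivy and template #
    ###########################################
    - name: Download and Install Trivy
      id: run-trivy
      shell: bash
      env:
        INPUT_VULNERABILITY_SCAN: ${{ inputs.vulnerability-scan }}
      run: |-
        if [[ "${INPUT_VULNERABILITY_SCAN}" != "true" ]]; then
          exit 0
        fi
        # TODO(security): both files are fetched from the unpinned `master`
        # branch and the installer is piped straight into sh, so whatever is on
        # that branch runs on the release runner before the publish steps read
        # the credentials from ~/.m2/settings.xml. Pin the script and template
        # to a release tag and verify the downloaded binary's checksum before
        # trusting it.
        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b "${GITHUB_WORKSPACE}"
        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/sarif.tpl -o sarif.tpl
        ./trivy --version
        ./trivy fs -t @sarif.tpl -f template -o trivy-results.sarif .
        # Fail the release when the SARIF report lists any HIGH or CRITICAL
        # finding. (The previous `[[ $(... | wc -l) > 0 ]]` compared strings,
        # not numbers; it only happened to work for small counts.) Note that
        # a failure here stops the composite action, so the report is only
        # uploaded by the next step when the scan passed.
        if grep -Eq 'Severity: (HIGH|CRITICAL)' trivy-results.sarif; then
          ./trivy fs .
          exit 1
        fi
    - name: Upload SARIF file
      id: upload-trivy-report
      shell: bash
      env:
        INPUT_VULNERABILITY_SCAN: ${{ inputs.vulnerability-scan }}
        # Passed through the environment so the token is not written into the
        # expanded script.
        INPUT_GITHUB_TOKEN: ${{ inputs.github-token }}
      run: |-
        if [[ "${INPUT_VULNERABILITY_SCAN}" != "true" ]]; then
          exit 0
        fi
        # The code-scanning API expects the SARIF gzip-compressed and base64-encoded.
        COMPRESSED_SARIF="$(gzip -c trivy-results.sarif | base64 -w0)"
        # Build the JSON body with printf into a temp file. The earlier
        # single-quoted `-d '{"commit_sha":"${GITHUB_SHA}",...}'` literal was
        # never expanded by the shell, so the API received the literal strings
        # "${GITHUB_SHA}" / "${GITHUB_REF}" / "${COMPRESSED_SARIF}" and every
        # upload failed, hidden by `|| true`. A file also avoids the per-argument
        # length limit for large reports.
        PAYLOAD="$(mktemp)"
        printf '{"commit_sha":"%s","ref":"%s","sarif":"%s"}' \
          "${GITHUB_SHA}" "${GITHUB_REF}" "${COMPRESSED_SARIF}" > "${PAYLOAD}"
        # -f turns an HTTP error into a non-zero exit so the failure is at least
        # surfaced as a warning; the release itself is not blocked by it.
        curl -fsS \
          -X POST \
          -H "Accept: application/vnd.github.v3+json" \
          -H "authorization: Bearer ${INPUT_GITHUB_TOKEN}" \
          --data-binary "@${PAYLOAD}" \
          "https://api.github.com/repos/${GITHUB_REPOSITORY}/code-scanning/sarifs" \
          || echo "::warning::Uploading trivy-results.sarif to code scanning failed; continuing with the release"
        rm -f "${PAYLOAD}"
    # Referenced by the floating `latest` tag: whoever can move that tag
    # controls code running in this job. Pin to a full-length commit SHA.
    - name: Actions tagger
      id: tag
      uses: Actions-R-Us/actions-tagger@latest
      with:
        publish_latest_tag: true
    - name: Publish SNAPSHOT
      id: publish-snapshot
      shell: bash
      env:
        INPUT_RELEASE_VERSION: ${{ inputs.release-version }}
        INPUT_RELEASE_PROFILE: ${{ inputs.release-profile }}
        INPUT_CAMUNDA_RELEASE_PROFILE: ${{ inputs.camunda-release-profile }}
        INPUT_CENTRAL_RELEASE_PROFILE: ${{ inputs.central-release-profile }}
        INPUT_MAVEN_ADDITIONAL_OPTIONS: ${{ inputs.maven-additional-options }}
        INPUT_MAVEN_RELEASE_OPTIONS: ${{ inputs.maven-release-options }}
        INPUT_MAVEN_URL: ${{ inputs.maven-url }}
        NEXUS_USR: ${{ inputs.nexus-usr }}
        NEXUS_PSW: ${{ inputs.nexus-psw }}
        MAVEN_USR: ${{ inputs.maven-usr }}
        MAVEN_PSW: ${{ inputs.maven-psw }}
        MAVEN_GPG_PASSPHRASE: ${{ inputs.maven-gpg-passphrase }}
      run: |-
        echo "::group::Publish SNAPSHOT"
        # Only the empty release-version selects the SNAPSHOT path.
        if [[ -n "${INPUT_RELEASE_VERSION}" ]]; then
          echo "::debug::Not publishing SNAPSHOT because release-version is set"
          echo "::endgroup::"
          exit 0
        fi
        # ${RELEASE_PROFILE} etc. are the -P flags exported by the Initialize
        # step; option variables stay unquoted on purpose (word splitting).
        echo "Publish SNAPSHOT to Camunda Artifactory using profiles ${INPUT_RELEASE_PROFILE}, ${INPUT_CAMUNDA_RELEASE_PROFILE}"
        mvn -B --no-transfer-progress ${INPUT_MAVEN_ADDITIONAL_OPTIONS} -DskipTests ${INPUT_MAVEN_RELEASE_OPTIONS} \
          ${RELEASE_PROFILE} ${CAMUNDA_RELEASE_PROFILE} deploy
        echo "Publish SNAPSHOT to OSS Nexus / Maven Central using profiles ${INPUT_RELEASE_PROFILE}, ${INPUT_CENTRAL_RELEASE_PROFILE}"
        echo "Using Repository URL: https://${INPUT_MAVEN_URL}/"
        mvn -B --no-transfer-progress ${INPUT_MAVEN_ADDITIONAL_OPTIONS} -DskipTests ${INPUT_MAVEN_RELEASE_OPTIONS} \
          "-DnexusUrl=https://${INPUT_MAVEN_URL}/" \
          ${RELEASE_PROFILE} ${CENTRAL_RELEASE_PROFILE} deploy
        echo "::endgroup::"
    - name: Publish Maven Release
      id: publish-release
      shell: bash
      env:
        INPUT_RELEASE_VERSION: ${{ inputs.release-version }}
        INPUT_RELEASE_PROFILE: ${{ inputs.release-profile }}
        INPUT_CAMUNDA_RELEASE_PROFILE: ${{ inputs.camunda-release-profile }}
        INPUT_CENTRAL_RELEASE_PROFILE: ${{ inputs.central-release-profile }}
        INPUT_MAVEN_ADDITIONAL_OPTIONS: ${{ inputs.maven-additional-options }}
        INPUT_MAVEN_RELEASE_OPTIONS: ${{ inputs.maven-release-options }}
        INPUT_MAVEN_AUTO_RELEASE_AFTER_CLOSE: ${{ inputs.maven-auto-release-after-close }}
        INPUT_MAVEN_URL: ${{ inputs.maven-url }}
        NEXUS_USR: ${{ inputs.nexus-usr }}
        NEXUS_PSW: ${{ inputs.nexus-psw }}
        MAVEN_USR: ${{ inputs.maven-usr }}
        MAVEN_PSW: ${{ inputs.maven-psw }}
        MAVEN_GPG_PASSPHRASE: ${{ inputs.maven-gpg-passphrase }}
      run: |-
        echo "::group::Publish RELEASE"
        if [[ -z "${INPUT_RELEASE_VERSION}" ]]; then
          echo "::debug::Skipping Release because release-version is unset"
          echo "::endgroup::"
          exit 0
        fi
        # Rewrite the project (and child module) versions to the release version.
        echo "Set version to ${INPUT_RELEASE_VERSION}"
        mvn -B ${INPUT_MAVEN_ADDITIONAL_OPTIONS} versions:set org.codehaus.mojo:versions-maven-plugin:2.8.1:update-child-modules \
          "-DnewVersion=${INPUT_RELEASE_VERSION}"
        echo "Deploy release to Camunda Repository using profiles ${INPUT_RELEASE_PROFILE}, ${INPUT_CAMUNDA_RELEASE_PROFILE}"
        mvn -B --no-transfer-progress ${INPUT_MAVEN_ADDITIONAL_OPTIONS} -DskipTests ${INPUT_MAVEN_RELEASE_OPTIONS} \
          ${RELEASE_PROFILE} ${CAMUNDA_RELEASE_PROFILE} deploy
        echo "Deploy release to OSS Nexus / Maven Central using profiles ${INPUT_RELEASE_PROFILE}, ${INPUT_CENTRAL_RELEASE_PROFILE}"
        mvn -B --no-transfer-progress ${INPUT_MAVEN_ADDITIONAL_OPTIONS} -DskipTests ${INPUT_MAVEN_RELEASE_OPTIONS} \
          "-DautoReleaseAfterClose=${INPUT_MAVEN_AUTO_RELEASE_AFTER_CLOSE}" \
          "-DnexusUrl=https://${INPUT_MAVEN_URL}/" \
          ${RELEASE_PROFILE} ${CENTRAL_RELEASE_PROFILE} deploy
        echo "::endgroup::"
    - name: Prepare next development version
      id: prepare-next-dev-version
      shell: bash
      env:
        INPUT_BRANCH: ${{ inputs.branch }}
        INPUT_RELEASE_VERSION: ${{ inputs.release-version }}
        INPUT_MAVEN_ADDITIONAL_OPTIONS: ${{ inputs.maven-additional-options }}
      # The script (not shown here) receives branch, release version and the
      # additional Maven options as three positional arguments; the options are
      # passed as a single argument, as before.
      run: |-
        "${{ github.action_path }}/resources/prepare-next-development-version.sh" "${INPUT_BRANCH}" "${INPUT_RELEASE_VERSION}" "${INPUT_MAVEN_ADDITIONAL_OPTIONS}"
    - name: Archive artifacts
      id: create-archive
      shell: bash
      env:
        INPUT_ARTIFACTS_PATTERN: ${{ inputs.artifacts-pattern }}
        INPUT_RELEASE_VERSION: ${{ inputs.release-version }}
      run: |-
        if [[ -z "${INPUT_ARTIFACTS_PATTERN}" ]]; then
          echo "::debug::Skipping archiving because artifacts-pattern is unset"
          exit 0
        fi
        # Filename: [repo without org]-[version].zip
        ZIPFILE="${GITHUB_REPOSITORY#*/}-${INPUT_RELEASE_VERSION}.zip"
        # Quote the pattern so that find, not the shell, interprets it: find's
        # -path lets `*` match `/` as well, which the default `**` pattern relies
        # on, whereas an unquoted glob would be expanded by bash first whenever
        # something in the workspace happens to match. Reading the results into
        # an array also keeps paths containing spaces intact.
        mapfile -t ARTIFACTS < <(find . -path "${INPUT_ARTIFACTS_PATTERN}")
        zip "${ZIPFILE}" "${ARTIFACTS[@]}"
        echo "filename=${ZIPFILE}" >> "${GITHUB_OUTPUT}"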