generated from zeebe-io/maven-template
-
Notifications
You must be signed in to change notification settings - Fork 4
101 lines (91 loc) · 4.09 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
---
name: release
on:
workflow_dispatch:
inputs:
releaseVersion:
description: 'releaseVersion: e.g. 0.X.0'
type: string
required: true
nextDevelopmentVersion:
description: 'nextDevelopmentVersion: e.g. 0.Y.0-SNAPSHOT'
type: string
required: true
defaults:
run:
# use bash shell by default to ensure pipefail behavior is the default
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
env:
RELEASE_VERSION: ${{ inputs.releaseVersion }}
DEVELOPMENT_VERSION: ${{ inputs.nextDevelopmentVersion }}
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Import Secrets
id: secrets # important to refer to it in later steps
uses: hashicorp/[email protected]
with:
url: ${{ secrets.VAULT_ADDR }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
exportEnv: false # we rely on step outputs, no need for environment variables
secrets: |
secret/data/github.com/organizations/camunda MAVEN_CENTRAL_GPG_SIGNING_KEY_PASSPHRASE;
secret/data/github.com/organizations/camunda MAVEN_CENTRAL_GPG_SIGNING_KEY_SEC;
secret/data/github.com/organizations/camunda MAVEN_CENTRAL_GPG_SIGNING_KEY_PUB;
secret/data/github.com/organizations/camunda MAVEN_CENTRAL_DEPLOYMENT_USR;
secret/data/github.com/organizations/camunda MAVEN_CENTRAL_DEPLOYMENT_PSW;
secret/data/products/zeebe/ci/zeebe ARTIFACTS_USR;
secret/data/products/zeebe/ci/zeebe ARTIFACTS_PSW;
- name: Git User Setup
run: |
git config --global user.email "github-actions[release]"
git config --global user.name "github-actions[release]@users.noreply.github.com"
- name: Install Maven Central GPG Key
# setup-maven supports this as well but needs the key in the armor ascii format,
# while we only have it plain bas64 encoded
# see https://github.com/actions/setup-java/issues/100#issuecomment-742679976
run: |
echo -n "${{ steps.secrets.outputs.MAVEN_CENTRAL_GPG_SIGNING_KEY_SEC }}" \
| base64 --decode \
| gpg -q --allow-secret-key-import --import --no-tty --batch --yes
echo -n "${{ steps.secrets.outputs.MAVEN_CENTRAL_GPG_SIGNING_KEY_PUB }}" \
| base64 --decode \
| gpg -q --import --no-tty --batch --yes
- name: Setup Maven
uses: s4u/[email protected]
with:
java-version: '21'
distribution: 'temurin'
# Use CI Nexus as co-located pull-through cache for Maven artifacts via ~/.m2/settings.xml
- name: Create Maven Settings
uses: s4u/[email protected]
with:
githubServer: false
servers: |
[{
"id": "camunda-nexus",
"username": "${{ steps.secrets.outputs.ARTIFACTS_USR }}",
"password": "${{ steps.secrets.outputs.ARTIFACTS_PSW }}"
},
{
"id": "central",
"username": "${{ steps.secrets.outputs.MAVEN_CENTRAL_DEPLOYMENT_USR }}",
"password": "${{ steps.secrets.outputs.MAVEN_CENTRAL_DEPLOYMENT_PSW }}"
}]
mirrors: '[{"url": "https://repository.nexus.camunda.cloud/content/groups/internal/", "id": "camunda-nexus", "mirrorOf": "zeebe,zeebe-snapshots", "name": "camunda Nexus"}]'
- name: Deploy Release Artifacts
run: |
mvn -B -DskipTests source:jar javadoc:jar release:prepare release:perform -Prelease \
-DcheckModificationExcludeList=core/chaos-workers/deployment/chaosWorker-dev.yaml,core/chaos-workers/deployment/chaosWorker-prod.yaml \
-DignoreSnapshots=true
env:
MAVEN_USERNAME: ${{ steps.secrets.outputs.ARTIFACTS_USR }}
MAVEN_PASSWORD: ${{ steps.secrets.outputs.ARTIFACTS_PSW }}
GPG_PASS: ${{ steps.secrets.outputs.MAVEN_CENTRAL_GPG_SIGNING_KEY_PASSPHRASE }}
GITHUB_ACTOR: ${{ github.actor }}
GITHUB_TOKEN: ${{ github.token }}