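---
# Manually dispatched release workflow: checks the release credentials, builds
# the requested ref and publishes signed artifacts to Maven Central.
name: Deploy to Maven Central

on:
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag to deploy (e.g. v1.5.1)"
        required: true

# Start from an empty GITHUB_TOKEN permission set; the job re-grants only what it needs.
permissions: {}

jobs:
  deploy:
    # Skipped on forks: only the upstream repository may publish.
    if: ${{ github.repository == 'prometheus/client_java' }}
    # NOTE(review): the protection rules of this environment live in the
    # repository settings, not in this file. Confirm required reviewers are
    # configured, since this job handles the publishing and signing secrets.
    environment: release
    runs-on: ubuntu-24.04
    permissions:
      actions: write # required to trigger bump-api-diff-baseline.yml via `gh workflow run`
    steps:
      # Runs before the checkout, so no repository code has executed yet when
      # the secrets are first used.
      - name: Verify release secrets
        env:
          MAVEN_USERNAME: ${{ secrets.SONATYPE_MAVEN_REPOSITORY_USERNAME }}
          MAVEN_CENTRAL_TOKEN: ${{ secrets.SONATYPE_MAVEN_REPOSITORY_PASSWORD }}
          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
          GPG_SIGNING_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
        run: |
          # Report an error plus the RELEASING.md section that explains the fix, then abort.
          fail() {
            echo "::error::$1"
            echo "::error::Fix: see '$2' in RELEASING.md"
            exit 1
          }
          # Sonatype token
          # Only a response containing "Invalid token" fails this check; any
          # other response passes. The response body is written to the job log.
          # NOTE(review): the token is still passed to curl on the command line;
          # a curl config read from stdin (-K -) would keep it out of argv.
          response=$(curl -s -u "${MAVEN_USERNAME}:${MAVEN_CENTRAL_TOKEN}" \
            "https://central.sonatype.com/api/v1/publisher/status?id=test")
          echo "Sonatype response: ${response}"
          if echo "${response}" | grep -q "Invalid token"; then
            fail "Sonatype Central token is invalid." \
              "If the Sonatype Central Token is Invalid"
          fi
          # GPG key import
          # The key goes into the job's default GnuPG home and is not removed
          # by this step, so it remains there for the following steps.
          if ! echo "${GPG_SIGNING_KEY}" | gpg --batch --import 2>&1 | \
            tee /tmp/gpg-import.log | grep -q "secret key imported\|secret keys read"; then
            cat /tmp/gpg-import.log
            fail "GPG_SIGNING_KEY did not import a secret key." \
              "If the GPG Key Expired"
          fi
          # GPG passphrase
          key_id=$(gpg --list-secret-keys --with-colons | \
            awk -F: '/^sec:/ { print $5; exit }')
          if [ -z "${key_id}" ]; then
            fail "No secret key available after import." \
              "If the GPG Key Expired"
          fi
          # Test signature. The passphrase is handed to gpg on file descriptor 3
          # rather than with --passphrase, so it does not appear in the process
          # argument list. The here-string needs bash, which is the default
          # shell for run steps on this runner.
          if ! echo "test" | gpg --batch --pinentry-mode loopback \
            --passphrase-fd 3 -u "${key_id}" --clearsign \
            >/dev/null 2>/tmp/gpg-sign.log 3<<<"${GPG_SIGNING_PASSPHRASE}"; then
            cat /tmp/gpg-sign.log
            fail "GPG_SIGNING_PASSPHRASE does not match GPG_SIGNING_KEY." \
              "If the GPG Key Expired"
          fi
      # The ref comes straight from the dispatch input and is not validated in
      # this file, so a branch name or commit SHA would be checked out as well.
      # NOTE(review): consider `ref: refs/tags/${{ inputs.tag }}` so that only a
      # tag can be released; the code at this ref later runs with the
      # publishing secrets.
      - name: Checkout Plugin Repository
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          ref: ${{ inputs.tag }}
          # Do not leave the job token in the checked-out repository's git config.
          persist-credentials: false
      # The tool version and its sha256 are both pinned; caching is disabled.
      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4.2.0
        with:
          version: v2026.6.12
          sha256: ff0cf4917acc96b7ffdd0382261d17f405572e9240f95fafb980e44aaf60c514
          cache: false
      # Runs build code from the checked-out ref; no secrets are set in this step's env.
      - name: Build release version
        run: mise run build-release
      # server-username, server-password and gpg-passphrase are the NAMES of
      # environment variables, not values; the publish step below supplies them.
      - name: Set up Apache Maven Central
        uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5
        with:
          distribution: "temurin"
          java-version: "21"
          server-id: ossrh
          server-username: MAVEN_USERNAME
          server-password: MAVEN_CENTRAL_TOKEN
          gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
          gpg-passphrase: MAVEN_GPG_PASSPHRASE
      # The publishing credentials and the signing passphrase are exposed to this step only.
      - name: Publish to Apache Maven Central
        run: mvn deploy -P 'release,!default' -Dmaven.test.skip=true
        env:
          MAVEN_USERNAME: ${{ secrets.SONATYPE_MAVEN_REPOSITORY_USERNAME }}
          MAVEN_CENTRAL_TOKEN: ${{ secrets.SONATYPE_MAVEN_REPOSITORY_PASSWORD }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
      # The tag reaches the shell through the TAG environment variable and is
      # quoted there, rather than being expanded into the script text.
      - name: Bump api-diff baseline
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ inputs.tag }}
        run: >
          gh workflow run bump-api-diff-baseline.yml
          --repo "${GITHUB_REPOSITORY}" -f "tag=${TAG}"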