zookeeper/.github/workflows/release.yaml at develop/4.3.0/3.9.5.1 · arenadata/zookeeper · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

name: Release

on:
  push:
    tags: ['v*']

permissions:
  contents: write
  packages: write

jobs:
  release:
    name: Build and Release
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0

    - name: Verify tag is on release branch
      run: |
        BRANCHES=$(git branch -r --contains ${{ github.sha }} | grep 'origin/release/' || true)
        if [ -z "$BRANCHES" ]; then
          echo "Tag must be on a release/** branch. Found on:"
          git branch -r --contains ${{ github.sha }}
          exit 1
        fi
        echo "Tag is on: $BRANCHES"

    - name: Verify CI passed
      run: |
        CONCLUSION=$(gh run list --commit ${{ github.sha }} --workflow CI --json conclusion -q '.[0].conclusion')
        if [ -z "$CONCLUSION" ]; then
          echo "No CI run found for this commit. Push to release/** branch first."
          exit 1
        fi
        if [ "$CONCLUSION" != "success" ]; then
          echo "CI has not passed for this commit (status: $CONCLUSION)"
          exit 1
        fi
        echo "CI passed"
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - uses: actions/setup-java@v4
      with:
        java-version: 21
        distribution: temurin
        cache: maven
        server-id: github

    - name: Install C Dependencies
      run: |
        sudo apt update
        sudo apt install -y libcppunit-dev libsasl2-dev

    - name: Build and Deploy to GitHub Packages
      run: mvn -B -V -ntp -Pfull-build deploy -DskipTests
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - name: Generate checksums
      run: |
        cd zookeeper-assembly/target
        for f in apache-zookeeper-*.tar.gz; do
          sha512sum "$f" > "${f}.sha512"
        done

    - name: Vulnerability scan (grype)
      uses: anchore/scan-action@v6
      with:
        sbom: zookeeper-assembly/target/bom.json
        fail-build: false
        output-format: json
        output-file: vulnerability-report.json

    - name: Create GitHub Release
      uses: softprops/action-gh-release@v2
      with:
        generate_release_notes: true
        files: |
          zookeeper-assembly/target/apache-zookeeper-*-bin.tar.gz
          zookeeper-assembly/target/apache-zookeeper-*-bin.tar.gz.sha512
          zookeeper-assembly/target/apache-zookeeper-*-lib.tar.gz
          zookeeper-assembly/target/apache-zookeeper-*-lib.tar.gz.sha512
          zookeeper-assembly/target/bom.json
          vulnerability-report.json