chore: prepare ci 3.9.5.1

Author: Asmoday

.github/Dockerfile.ci

@@ -0,0 +1,18 @@
+FROM eclipse-temurin:21-jdk-jammy
+
+ARG MAVEN_VERSION=3.9.9
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libcppunit-dev \
+    libsasl2-dev \
+    build-essential \
+    autoconf \
+    automake \
+    libtool \
+    pkg-config \
+    git \
+    curl \
+    && curl -fsSL https://archive.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
+       | tar -xz -C /opt \
+    && ln -s /opt/apache-maven-${MAVEN_VERSION}/bin/mvn /usr/local/bin/mvn \
+    && rm -rf /var/lib/apt/lists/*

.github/workflows/ci.yaml

@@ -15,74 +15,136 @@
 # specific language governing permissions and limitations
 # under the License.
 
-# This workflow will build a Java project with Maven
-# See also:
-#   https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
-
 name: CI
 
 on:
   push:
-    branches: [ '*' ]
+    branches: ['develop/**', 'release/**', 'master']
   pull_request:
-    branches: [ '*' ]
+    branches: ['develop/**', 'release/**', 'master']
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  packages: write
+
+env:
+  IMAGE: ghcr.io/${{ github.repository }}/ci
 
 jobs:
-  mvn:
-    strategy:
-      matrix:
-        profile:
-          - name: 'full-build-jdk8'
-            jdk: 8
-            args: '-Pfull-build apache-rat:check verify -DskipTests spotbugs:check checkstyle:check'
-          - name: 'full-build-jdk11'
-            jdk: 11
-            args: '-Pfull-build apache-rat:check verify -DskipTests spotbugs:check checkstyle:check'
-          - name: 'full-build-java-tests'
-            jdk: 11
-            args: '-Pfull-build verify -Dsurefire-forkcount=1 -DskipCppUnit -Dsurefire.rerunFailingTestsCount=5'
-          - name: 'full-build-cppunit-tests'
-            jdk: 11
-            args: '-Pfull-build verify -Dtest=_ -DfailIfNoTests=false'
-      fail-fast: false
-    timeout-minutes: 360
+  ci-image:
+    name: CI Image
     runs-on: ubuntu-latest
+    outputs:
+      image: ${{ steps.result.outputs.image }}
     steps:
     - uses: actions/checkout@v4
-    - name: Set up JDK ${{ matrix.profile.jdk }}
-      uses: actions/setup-java@v4
+
+    - id: tag
+      name: Compute image tag
+      run: |
+        TAG=$(sha256sum .github/Dockerfile.ci | cut -c1-12)
+        echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+        echo "image=${{ env.IMAGE }}:$TAG" >> "$GITHUB_OUTPUT"
+
+    - uses: docker/login-action@v3
       with:
-        java-version: ${{ matrix.profile.jdk }}
-        distribution: temurin
-        cache: 'maven'
-    - name: Show the first log message
-      run: git log -n1
-    - name: Install C Dependencies
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Check if image exists
+      id: check
       run: |
-        sudo apt update
-        sudo apt install -y libcppunit-dev libsasl2-dev
-    - name: Build with Maven (${{ matrix.profile.name }})
-      run: mvn -B -V -e -ntp "-Dstyle.color=always" ${{ matrix.profile.args }}
-      env:
-        MAVEN_OPTS: -Djansi.force=true
+        if docker manifest inspect ${{ steps.tag.outputs.image }} > /dev/null 2>&1; then
+          echo "exists=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "exists=false" >> "$GITHUB_OUTPUT"
+        fi
+
+    - if: steps.check.outputs.exists == 'false'
+      uses: docker/build-push-action@v6
+      with:
+        context: .github
+        file: .github/Dockerfile.ci
+        push: true
+        tags: |
+          ${{ steps.tag.outputs.image }}
+          ${{ env.IMAGE }}:latest
+
+    - id: result
+      run: echo "image=${{ steps.tag.outputs.image }}" >> "$GITHUB_OUTPUT"
+
+  compile:
+    name: Compile + Checkstyle
+    runs-on: ubuntu-latest
+    needs: ci-image
+    container: ${{ needs.ci-image.outputs.image }}
+    timeout-minutes: 30
+    steps:
+    - uses: actions/checkout@v4
+    - name: Cache Maven repository
+      uses: actions/cache@v4
+      with:
+        path: ~/.m2/repository
+        key: maven-${{ hashFiles('**/pom.xml') }}
+        restore-keys: maven-
+    - name: Compile and check style
+      run: mvn -B -V -e -ntp -Pfull-build verify -DskipTests checkstyle:check
+
+  java-tests:
+    name: Java Tests
+    runs-on: ubuntu-latest
+    needs: [ci-image, compile]
+    container: ${{ needs.ci-image.outputs.image }}
+    timeout-minutes: 120
+    steps:
+    - uses: actions/checkout@v4
+    - name: Cache Maven repository
+      uses: actions/cache@v4
+      with:
+        path: ~/.m2/repository
+        key: maven-${{ hashFiles('**/pom.xml') }}
+        restore-keys: maven-
+    - name: Run Java tests
+      run: mvn -B -V -e -ntp -Pfull-build verify -Dsurefire-forkcount=1 -DskipCppUnit
     - name: Upload unit test results
       if: ${{ failure() }}
       uses: actions/upload-artifact@v4
       with:
-        name: surefire-reports-${{ matrix.profile.name }}
+        name: surefire-reports
         path: ./**/target/surefire-reports/
         if-no-files-found: ignore
     - name: Upload integration test results
       if: ${{ failure() }}
       uses: actions/upload-artifact@v4
       with:
-        name: failsafe-reports-${{ matrix.profile.name }}
+        name: failsafe-reports
         path: ./**/target/failsafe-reports/
         if-no-files-found: ignore
+
+  c-tests:
+    name: C Tests
+    runs-on: ubuntu-latest
+    needs: [ci-image, compile]
+    container: ${{ needs.ci-image.outputs.image }}
+    timeout-minutes: 30
+    steps:
+    - uses: actions/checkout@v4
+    - name: Cache Maven repository
+      uses: actions/cache@v4
+      with:
+        path: ~/.m2/repository
+        key: maven-${{ hashFiles('**/pom.xml') }}
+        restore-keys: maven-
+    - name: Run C tests
+      run: mvn -B -V -e -ntp -Pfull-build verify -Dtest=_ -Dsurefire.failIfNoSpecifiedTests=false
     - name: Upload cppunit test logs
       if: ${{ failure() }}
       uses: actions/upload-artifact@v4
       with:
-        name: cppunit-logs-${{ matrix.profile.name }}
+        name: cppunit-logs
         path: ./zookeeper-client/zookeeper-client-c/target/c/TEST-*.txt
         if-no-files-found: ignore

.github/workflows/release.yaml

@@ -0,0 +1,104 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: Release
+
+on:
+  push:
+    tags: ['v*']
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    name: Build and Release
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Verify tag is on release branch
+      run: |
+        BRANCHES=$(git branch -r --contains ${{ github.sha }} | grep 'origin/release/' || true)
+        if [ -z "$BRANCHES" ]; then
+          echo "Tag must be on a release/** branch. Found on:"
+          git branch -r --contains ${{ github.sha }}
+          exit 1
+        fi
+        echo "Tag is on: $BRANCHES"
+
+    - name: Verify CI passed
+      run: |
+        CONCLUSION=$(gh run list --commit ${{ github.sha }} --workflow CI --json conclusion -q '.[0].conclusion')
+        if [ -z "$CONCLUSION" ]; then
+          echo "No CI run found for this commit. Push to release/** branch first."
+          exit 1
+        fi
+        if [ "$CONCLUSION" != "success" ]; then
+          echo "CI has not passed for this commit (status: $CONCLUSION)"
+          exit 1
+        fi
+        echo "CI passed"
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - uses: actions/setup-java@v4
+      with:
+        java-version: 21
+        distribution: temurin
+        cache: maven
+
+    - name: Install C Dependencies
+      run: |
+        sudo apt update
+        sudo apt install -y libcppunit-dev libsasl2-dev
+
+    - name: Build and Deploy to GitHub Packages
+      run: mvn -B -V -ntp -Pfull-build deploy -DskipTests
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Generate checksums
+      run: |
+        cd zookeeper-assembly/target
+        for f in apache-zookeeper-*.tar.gz; do
+          sha512sum "$f" > "${f}.sha512"
+        done
+
+    - name: Vulnerability scan (grype)
+      uses: anchore/scan-action@v6
+      with:
+        sbom: zookeeper-assembly/target/bom.json
+        fail-build: false
+        output-format: json
+        output-file: vulnerability-report.json
+
+    - name: Create GitHub Release
+      uses: softprops/action-gh-release@v2
+      with:
+        generate_release_notes: true
+        files: |
+          zookeeper-assembly/target/apache-zookeeper-*-bin.tar.gz
+          zookeeper-assembly/target/apache-zookeeper-*-bin.tar.gz.sha512
+          zookeeper-assembly/target/apache-zookeeper-*-lib.tar.gz
+          zookeeper-assembly/target/apache-zookeeper-*-lib.tar.gz.sha512
+          zookeeper-assembly/target/bom.json
+          vulnerability-report.json