cryptofs/.github/workflows/build.yml at develop · cryptomator/cryptofs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
name: Build
on:
  push:
  pull_request_target:
    types: [labeled]

env:
  JAVA_VERSION: 25

jobs:
  build:
    name: Build and Test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # OIDC token for the attestations step
      attestations: write # Required for the attestations step
      artifact-metadata: write # Required for the attestations step
    outputs:
      sha256: ${{ steps.checksums.outputs.sha256 }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # deep fetch for better sonarcloud analysis
          show-progress: false
      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'temurin'
          java-version: ${{ env.JAVA_VERSION }}
          cache: 'maven'
      - name: Cache SonarCloud packages
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Ensure to use tagged version
        if: startsWith(github.ref, 'refs/tags/')
        run: ./mvnw versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
      - name: Build and Test
        run: >
          ./mvnw -B verify --no-transfer-progress
          jacoco:report
          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Pcoverage
          -Dsonar.projectKey=cryptomator_cryptofs
          -Dsonar.organization=cryptomator
          -Dsonar.host.url=https://sonarcloud.io
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      - name: Calculate Checksums
        id: checksums
        run: |
          {
            echo 'sha256<<EOF'
            shasum -a256 target/*.jar
            echo EOF
          } >> $GITHUB_OUTPUT
      - name: Attest
        if: startsWith(github.ref, 'refs/tags/')
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-path: |
            target/*.jar
            target/*.pom
      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: artifacts
          path: |
            target/*.jar


  deploy-central:
    name: Deploy to Maven Central
    runs-on: ubuntu-latest
    permissions:
      id-token: write # OIDC token for sigstore signing
      contents: read # Required for sigstore signing
    needs: [build]
    if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'temurin'
          java-version: ${{ env.JAVA_VERSION }}
          cache: 'maven'
          server-id: central
          server-username: MAVEN_CENTRAL_USERNAME
          server-password: MAVEN_CENTRAL_PASSWORD
      - name: Enforce to use tagged version
        if: startsWith(github.ref, 'refs/tags/')
        run: ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}"
      - name: Verify project version is -SNAPSHOT
        if: startsWith(github.ref, 'refs/tags/') == false
        run: |
          PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
          test "${PROJECT_VERSION: -9}" = "-SNAPSHOT"
      - name: Deploy to Maven Central
        run: ./mvnw deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress
        env:
          MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
          MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
          MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
          MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}

  deploy-github:
    name: Deploy to GitHub Packages
    runs-on: ubuntu-latest
    permissions:
      packages: write # Required for the deploy to GitHub Packages step
      id-token: write # OIDC token for sigstore signing
      contents: read # Required for sigstore signing
    needs: [build]
    if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          java-version: ${{ env.JAVA_VERSION }}
          distribution: 'temurin'
          cache: 'maven'
      - name: Enforce to use tagged version
        if: startsWith(github.ref, 'refs/tags/')
        run: ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}"
      - name: Verify project version is -SNAPSHOT
        if: startsWith(github.ref, 'refs/tags/') == false
        run: |
          PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
          test "${PROJECT_VERSION: -9}" = "-SNAPSHOT"
      - name: Deploy to GitHub Packages
        run: ./mvnw deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
          MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
          MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}

  release:
    name: Release
    runs-on: ubuntu-latest
    permissions:
      contents: write # Required for the release step
    needs: [build, deploy-central, deploy-github]
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Create Release
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          prerelease: true
          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
          generate_release_notes: true
          body: |-
            ### Changelog
            For a list of all notable changes, read the [changelog](/CHANGELOG.md).

            ### Maven Coordinates
            ```xml
              <dependency>
                <groupId>org.cryptomator</groupId>
                <artifactId>cryptofs</artifactId>
                <version>${{ github.ref_name }}</version>
              </dependency>
            ```

            ### Artifact Checksums
            ```txt
            ${{ needs.build.outputs.sha256 }}
            ```