-
Notifications
You must be signed in to change notification settings - Fork 0
84 lines (75 loc) · 2.94 KB
/
Copy pathrelease.yml
File metadata and controls
84 lines (75 loc) · 2.94 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: Release to Maven Central
on:
push:
tags: ['v*'] # created by maven-release-plugin (tagNameFormat v@{project.version})
permissions:
contents: read
concurrency:
group: release-deploy
cancel-in-progress: false
env:
MAVEN_COMMAND: ./mvnw
MAVEN_CLI_COMMON: "-e -B"
jobs:
release:
runs-on: ubuntu-latest
timeout-minutes: 120
environment: release
outputs:
version: ${{ steps.resolve.outputs.version }}
steps:
- uses: actions/checkout@v7
with:
persist-credentials: false
- uses: ./.github/actions/jdk-setup
with:
server-id: central-publish
server-username: CENTRAL_USERNAME
server-password: CENTRAL_TOKEN
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
gpg-passphrase: MAVEN_GPG_PASSPHRASE
# Guard against a mistyped tag releasing the wrong version: the POM is the
# source of truth for what gets deployed, so the tag must encode exactly that
# version. The resolved version also titles the GitHub Release below.
- name: Verify tag matches project version
id: resolve
env:
TAG: ${{ github.ref_name }}
run: |
version="$(${{ env.MAVEN_COMMAND }} help:evaluate -Dexpression=project.version -q -DforceStdout)"
expected="v${version}"
if [ "$TAG" != "$expected" ]; then
echo "::error::Tag '$TAG' does not match project version (expected '$expected'). Refusing to release."
exit 1
fi
echo "version=${version}" >> "$GITHUB_OUTPUT"
# Tests already ran during release:prepare; skip surefire and the archetype
# integration tests (archetype.test.skip — -DskipTests does not cover them).
- name: Deploy release to Maven Central
env:
CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
CENTRAL_TOKEN: ${{ secrets.CENTRAL_TOKEN }}
MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
run: ${{ env.MAVEN_COMMAND }} ${{ env.MAVEN_CLI_COMMON }} deploy -Prelease -DskipTests -Darchetype.test.skip=true
# Publish a GitHub Release for the tag once the Central deploy succeeds. Notes are
# auto-generated by the GitHub Release Notes API from merged PRs/commits since the
# previous tag. Isolated from the deploy job so contents:write is not granted while
# GPG keys and Central credentials are in scope.
github-release:
needs: release
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: write # required to create the GitHub Release
steps:
- name: Create GitHub Release
env:
GH_TOKEN: ${{ github.token }}
TAG: ${{ github.ref_name }} # via env to avoid script injection
VERSION: ${{ needs.release.outputs.version }}
run: |
gh release create "$TAG" \
--repo "${{ github.repository }}" \
--title "$VERSION" \
--generate-notes \
--verify-tag