[maven-release-plugin] prepare release 1.3.0 #2
Workflow file for this run
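# Publishes a tagged release to Maven Central.
# Flow: validate config -> check out the tag -> verify tag == POM version ->
# assume an AWS role via OIDC -> pull release credentials from Secrets Manager ->
# import the signing key into a throwaway keyring -> mvn deploy -> remove the keyring.
name: Release to Maven Central

on:
  push:
    tags:
      # GitHub filter pattern (glob-like, not a regex): '+' repeats the preceding
      # character class and '.' is literal, so this matches tags such as 1.3.0.
      - '[0-9]+.[0-9]+.[0-9]+'

permissions:
  contents: read
  # Needed so the job can request an OIDC token for the role assumption below;
  # no long-lived AWS keys are stored in the repository.
  id-token: write

concurrency:
  # Serialise releases; never cancel one that is already publishing.
  group: maven-central-release
  cancel-in-progress: false

jobs:
  release:
    runs-on: ubuntu-latest
    # NOTE(review): this environment is the gate for the release secrets. Confirm it has
    # protection rules (required reviewers / tag restrictions) and that the IAM role's
    # trust policy pins the OIDC `sub` claim to this repository and environment.
    environment: maven-release
    timeout-minutes: 30
    env:
      MAVEN_RELEASE_AWS_REGION: ${{ vars.MAVEN_RELEASE_AWS_REGION }}
      MAVEN_RELEASE_AWS_ROLE_ARN: ${{ secrets.MAVEN_RELEASE_AWS_ROLE_ARN }}
      MAVEN_RELEASE_AWS_SECRET_ARN: ${{ secrets.MAVEN_RELEASE_AWS_SECRET_ARN }}
    steps:
      # Fail fast, before any checkout or credential exchange, if configuration is missing.
      - name: Validate workflow configuration
        run: |
          required_vars=(
            MAVEN_RELEASE_AWS_REGION
          )
          for var_name in "${required_vars[@]}"; do
            # ${!var_name:-} is indirect expansion: the value of the variable named by var_name.
            if [[ -z "${!var_name:-}" ]]; then
              echo "::error::Repository variable ${var_name} is required."
              exit 1
            fi
          done
          required_secrets=(
            MAVEN_RELEASE_AWS_ROLE_ARN
            MAVEN_RELEASE_AWS_SECRET_ARN
          )
          for secret_name in "${required_secrets[@]}"; do
            if [[ -z "${!secret_name:-}" ]]; then
              echo "::error::GitHub secret ${secret_name} is required."
              exit 1
            fi
          done

      # Third-party actions are pinned to full commit SHAs; the trailing comment records the tag.
      - name: Check out tag
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          ref: ${{ github.ref }}
          # Do not leave the job token in .git/config for later steps (the Maven build and
          # its plugins) to read. Nothing in this job appears to push back to the repository.
          persist-credentials: false

      - name: Set up Java 11
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: temurin
          java-version: "11"
          # `cache: maven` is intentionally not set here: a release job that signs and
          # publishes artifacts should resolve dependencies fresh instead of restoring a
          # ~/.m2 cache written by other workflow runs (cache-poisoning hardening).

      # Runs before any cloud credential is obtained, so a mismatched or SNAPSHOT tag
      # never gets as far as the signing key.
      - name: Verify tag matches POM version
        run: |
          POM_VERSION=$(mvn -B -q -N -DforceStdout help:evaluate -Dexpression=project.version)
          if [[ "${POM_VERSION}" == *-SNAPSHOT ]]; then
            echo "::error::Refusing to release SNAPSHOT version ${POM_VERSION}."
            exit 1
          fi
          if [[ "${GITHUB_REF_NAME}" != "${POM_VERSION}" ]]; then
            echo "::error::Tag ${GITHUB_REF_NAME} does not match POM version ${POM_VERSION}."
            exit 1
          fi

      # Exchanges the job's OIDC token for short-lived credentials of the release role.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
        with:
          aws-region: ${{ env.MAVEN_RELEASE_AWS_REGION }}
          role-to-assume: ${{ env.MAVEN_RELEASE_AWS_ROLE_ARN }}
          role-session-name: java-questdb-client-release

      # With parse-json-secrets, each top-level key of the secret's JSON document becomes an
      # environment variable for every later step of this job. The leading comma gives an
      # empty alias; the validation step below accordingly expects unprefixed names.
      # NOTE(review): keep the secret limited to the keys the release needs, since any key
      # stored in it is exported into the build environment.
      - name: Fetch release credentials
        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10
        with:
          secret-ids: |
            ,${{ env.MAVEN_RELEASE_AWS_SECRET_ARN }}
          parse-json-secrets: true

      - name: Validate release credentials
        run: |
          required_vars=(
            MAVEN_GPG_PRIVATE_KEY
            MAVEN_CENTRAL_USERNAME
            MAVEN_CENTRAL_PASSWORD
          )
          for var_name in "${required_vars[@]}"; do
            # Only the variable NAME is reported, never its value.
            if [[ -z "${!var_name:-}" ]]; then
              echo "::error::AWS secret ${MAVEN_RELEASE_AWS_SECRET_ARN} must define ${var_name}."
              exit 1
            fi
          done

      - name: Configure Maven settings.xml
        run: |
          # The passphrase is optional: define it as empty when the secret did not provide
          # one, so the ${env.MAVEN_GPG_PASSPHRASE} reference in settings.xml has a value.
          if [[ -z "${MAVEN_GPG_PASSPHRASE+x}" ]]; then
            echo "MAVEN_GPG_PASSPHRASE=" >> "$GITHUB_ENV"
          fi
          mkdir -p "$HOME/.m2"
          # Quoted delimiter ('EOF'): the shell expands nothing, so the file holds only
          # ${env.*} references that Maven resolves at run time. No credential is written to disk.
          cat > "$HOME/.m2/settings.xml" <<'EOF'
          <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
            <servers>
              <server>
                <id>central</id>
                <username>${env.MAVEN_CENTRAL_USERNAME}</username>
                <password>${env.MAVEN_CENTRAL_PASSWORD}</password>
              </server>
              <server>
                <id>gpg.passphrase</id>
                <passphrase>${env.MAVEN_GPG_PASSPHRASE}</passphrase>
              </server>
            </servers>
          </settings>
          EOF

      - name: Import release signing key
        run: |
          # Assign and export separately so a failing mktemp is not masked by `export`.
          GNUPGHOME="$(mktemp -d)"
          export GNUPGHOME
          chmod 700 "$GNUPGHOME"
          # printf is a shell builtin, so the key goes to gpg over stdin and never
          # appears in a process argument list.
          printf '%s\n' "$MAVEN_GPG_PRIVATE_KEY" | gpg --batch --import
          # Publish the keyring location to the deploy and cleanup steps.
          echo "GNUPGHOME=$GNUPGHOME" >> "$GITHUB_ENV"

      # This step runs the project's build with the Central credentials and the signing
      # key in its environment; every plugin in the build is inside that trust boundary.
      - name: Publish release to Maven Central
        run: |
          mvn -B -ntp deploy -P maven-central-release -DskipTests

      # always(): remove the keyring even when the deploy step failed or was cancelled.
      - name: Remove imported signing key
        if: always()
        run: |
          if [[ -n "${GNUPGHOME:-}" && -d "${GNUPGHOME}" ]]; then
            # Best effort: stop any agent started for this keyring so no daemon still
            # holds the key; a failure here must not block the deletion below.
            gpgconf --kill gpg-agent || true
            rm -rf -- "$GNUPGHOME"
          fi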