
[maven-release-plugin] prepare release 1.3.0 #2

[maven-release-plugin] prepare release 1.3.0

[maven-release-plugin] prepare release 1.3.0 #2

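# Publishes a tagged release to Maven Central. The job assumes an AWS role,
# reads the signing key and Central credentials from AWS Secrets Manager,
# then signs and deploys with Maven.
name: Release to Maven Central

on:
  push:
    tags:
      # Bare numeric version tags only, e.g. 1.3.0 (no "v" prefix).
      - '[0-9]+.[0-9]+.[0-9]+'

permissions:
  contents: read
  # Lets the job request a GitHub OIDC token. The "Configure AWS credentials"
  # step passes only a role ARN and region, no static AWS keys.
  id-token: write

concurrency:
  # One release at a time; an in-progress release is never cancelled by a
  # newer tag push.
  group: maven-central-release
  cancel-in-progress: false

jobs:
  release:
    runs-on: ubuntu-latest
    # Any protection rules on this environment are configured outside this
    # file; they are not visible here.
    environment: maven-release
    timeout-minutes: 30
    env:
      MAVEN_RELEASE_AWS_REGION: ${{ vars.MAVEN_RELEASE_AWS_REGION }}
      MAVEN_RELEASE_AWS_ROLE_ARN: ${{ secrets.MAVEN_RELEASE_AWS_ROLE_ARN }}
      MAVEN_RELEASE_AWS_SECRET_ARN: ${{ secrets.MAVEN_RELEASE_AWS_SECRET_ARN }}
    steps:
      # Fail fast with a clear message when a variable or secret is missing,
      # instead of failing later inside the AWS actions.
      - name: Validate workflow configuration
        run: |
          required_vars=(
            MAVEN_RELEASE_AWS_REGION
          )
          for var_name in "${required_vars[@]}"; do
            # ${!var_name:-} is indirect expansion: the value of the variable
            # whose name is stored in var_name, or empty when it is unset.
            if [[ -z "${!var_name:-}" ]]; then
              echo "::error::Repository variable ${var_name} is required."
              exit 1
            fi
          done
          required_secrets=(
            MAVEN_RELEASE_AWS_ROLE_ARN
            MAVEN_RELEASE_AWS_SECRET_ARN
          )
          for secret_name in "${required_secrets[@]}"; do
            if [[ -z "${!secret_name:-}" ]]; then
              echo "::error::GitHub secret ${secret_name} is required."
              exit 1
            fi
          done

      - name: Check out tag
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          ref: ${{ github.ref }}
          # No later step pushes to the repository, so do not leave the
          # workflow token in the checkout's git configuration where the
          # Maven build could read it.
          persist-credentials: false

      - name: Set up Java 11
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: temurin
          java-version: "11"
          # NOTE(review): this restores cached Maven dependencies into a job
          # that later holds the signing key and Central credentials. Confirm
          # which workflows can write this cache, or drop caching for the
          # release job so dependencies are always resolved fresh.
          cache: maven

      # Runs before any release credential is obtained, so a mismatched or
      # SNAPSHOT tag stops the job while it holds no secrets from AWS.
      - name: Verify tag matches POM version
        run: |
          POM_VERSION=$(mvn -B -q -N -DforceStdout help:evaluate -Dexpression=project.version)
          if [[ "${POM_VERSION}" == *-SNAPSHOT ]]; then
            echo "::error::Refusing to release SNAPSHOT version ${POM_VERSION}."
            exit 1
          fi
          if [[ "${GITHUB_REF_NAME}" != "${POM_VERSION}" ]]; then
            echo "::error::Tag ${GITHUB_REF_NAME} does not match POM version ${POM_VERSION}."
            exit 1
          fi

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
        with:
          aws-region: ${{ env.MAVEN_RELEASE_AWS_REGION }}
          role-to-assume: ${{ env.MAVEN_RELEASE_AWS_ROLE_ARN }}
          role-session-name: java-questdb-client-release

      # The leading comma gives the secret an empty alias, so with
      # parse-json-secrets each top-level JSON key is exported as an
      # environment variable under its own name, without a prefix. The next
      # step checks for the three names the release needs. These variables
      # are visible to every later step in the job, including the Maven build.
      - name: Fetch release credentials
        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10
        with:
          secret-ids: |
            ,${{ env.MAVEN_RELEASE_AWS_SECRET_ARN }}
          parse-json-secrets: true

      - name: Validate release credentials
        run: |
          required_vars=(
            MAVEN_GPG_PRIVATE_KEY
            MAVEN_CENTRAL_USERNAME
            MAVEN_CENTRAL_PASSWORD
          )
          for var_name in "${required_vars[@]}"; do
            if [[ -z "${!var_name:-}" ]]; then
              echo "::error::AWS secret ${MAVEN_RELEASE_AWS_SECRET_ARN} must define ${var_name}."
              exit 1
            fi
          done

      # The heredoc delimiter is quoted ('EOF'), so the shell writes the
      # ${env.*} placeholders literally and Maven resolves them from the
      # environment at build time; no credential value is written to disk.
      - name: Configure Maven settings.xml
        run: |
          # Define the passphrase variable as empty when the secret does not
          # provide one, so the settings.xml placeholder below has a value.
          if [[ -z "${MAVEN_GPG_PASSPHRASE+x}" ]]; then
            echo "MAVEN_GPG_PASSPHRASE=" >> "$GITHUB_ENV"
          fi
          mkdir -p "$HOME/.m2"
          cat > "$HOME/.m2/settings.xml" <<'EOF'
          <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
            <servers>
              <server>
                <id>central</id>
                <username>${env.MAVEN_CENTRAL_USERNAME}</username>
                <password>${env.MAVEN_CENTRAL_PASSWORD}</password>
              </server>
              <server>
                <id>gpg.passphrase</id>
                <passphrase>${env.MAVEN_GPG_PASSPHRASE}</passphrase>
              </server>
            </servers>
          </settings>
          EOF

      - name: Import release signing key
        run: |
          # Assign before exporting so a failing mktemp stops the step here
          # instead of being masked by the exit status of `export`.
          GNUPGHOME="$(mktemp -d)"
          export GNUPGHOME
          chmod 700 "$GNUPGHOME"
          # The key is fed on stdin by the printf builtin, so it never
          # appears as an argument of a separate process.
          printf '%s\n' "$MAVEN_GPG_PRIVATE_KEY" | gpg --batch --import
          # Make the throwaway keyring the GnuPG home for the later steps.
          echo "GNUPGHOME=$GNUPGHOME" >> "$GITHUB_ENV"

      # -B: batch mode, -ntp: no transfer progress, -DskipTests: tests are
      # not run here. The maven-central-release profile is defined in the
      # project POM, which is not part of this file.
      - name: Publish release to Maven Central
        run: |
          mvn -B -ntp deploy -P maven-central-release -DskipTests

      # always() runs the cleanup even when publishing failed or the job was
      # cancelled, so the imported private key does not outlive the release.
      - name: Remove imported signing key
        if: always()
        run: |
          if [[ -n "${GNUPGHOME:-}" && -d "${GNUPGHOME}" ]]; then
            rm -rf "$GNUPGHOME"
          fi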