Fix release signing gate; bump next version shape; refresh Maven badge #1781

Merged: tfenne merged 5 commits into master from tf_fix_signing_and_release_hygiene on May 1, 2026

tfenne (Member) commented May 1, 2026

Summary

  • Fix release signing gate. Sign task onlyIf (and signing.required) gated on gradle.taskGraph.hasTask("publishAllPublicationsToCentralPortal"). TaskExecutionGraph.hasTask(String) matches on task.getPath(), which for a root-project task is :publishAllPublicationsToCentralPortal (with leading colon). The name-only string never matched, so signing was silently disabled for every release task — the 5.0.0 dry-run produced no .asc files, and the upload would have shipped unsigned artifacts had we not worked around it with an init script. Drop the redundant task-graph check; -Drelease=true already gates the entire release flow via the pre-flight checks (HEAD on a clean semver tag), so gating purely on isRelease is the right intent.
  • Bump nextVersionBump to "x.x.x" so snapshot builds compute 5.0.1 as the next planned release, in line with an expected 5.0.x point release.
  • Refresh Maven Central badge. Replaces the dead maven-badges.herokuapp.com URL (Heroku free tier shut down late 2022) with an img.shields.io equivalent, and the defunct search.maven.org hash-fragment click-through with the current central.sonatype.com artifact page.

Test plan

  • `./gradlew -q printVersion` prints `5.0.1--SNAPSHOT` on this branch
  • Earlier in the 5.0.0 release we proved (via init-script `setOnlyIf { true }` override) that the `Sign` tasks produce a valid GPG signature from the published key; this PR removes the override-need by making the predicate evaluate correctly. Mechanically equivalent — re-running on `5.0.0` itself would require re-tagging since a temp commit fails the `commitDistance == 0` pre-flight.
  • Confirm the rendered Maven Central badge displays the current published version (5.0.0) and the click-through opens the Sonatype Central artifact page.
  • Next release dry run: `./gradlew clean publishHtsjdkPublicationToMavenLocal -Drelease=true` from the next semver-tagged commit should produce `.asc` files for the jar, javadoc jar, sources jar, pom, and module — without any `-I` init-script workaround.
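A post-build check for the failure described in this PR, where signing was silently skipped and no `.asc` files were produced. This is an added example, not part of the PR or the htsjdk build; the directory argument (wherever the publish task wrote its artifacts) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not htsjdk code). DIR is assumed to be the directory that the
# publish task wrote the jar, javadoc jar, sources jar, pom and module into.

# Print every artifact in DIR that has no sibling .asc file, or whose .asc
# does not begin with an ASCII-armored PGP signature header.
missing_signatures() {
    dir=$1
    for f in "$dir"/*.jar "$dir"/*.pom "$dir"/*.module; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        sig="$f.asc"
        if [ ! -s "$sig" ]; then
            echo "$f: no signature"
        elif ! head -n 1 "$sig" | grep -q '^-----BEGIN PGP SIGNATURE-----'; then
            echo "$f: malformed signature"
        fi
    done
}

# Release gate: 0 = every artifact signed, 1 = something unsigned,
# 2 = nothing was published at all (which would otherwise look like success).
check_release_signed() {
    dir=$1
    found=0
    for f in "$dir"/*.jar "$dir"/*.pom "$dir"/*.module; do
        if [ -f "$f" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no artifacts found in $dir" >&2
        return 2
    fi
    report=$(missing_signatures "$dir")
    if [ -n "$report" ]; then
        printf '%s\n' "$report" >&2
        return 1
    fi
    return 0
}

# When run as a script: sh check_signed.sh DIR
if [ "$#" -gt 0 ]; then check_release_signed "$1"; fi
```

The header check only confirms that a signature file was emitted; validating it against the published key still needs `gpg --verify`.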

tfenne added 5 commits May 1, 2026 14:24
The Sign task `onlyIf` and `signing.required` predicates referenced
`gradle.taskGraph.hasTask("publishAllPublicationsToCentralPortal")`, but
hasTask compares against `task.getPath()` which for a root-project task
is `:publishAllPublicationsToCentralPortal` (with leading colon). The
name-only string never matched, so signing was permanently disabled
for every release task. Drop the redundant task-graph check entirely;
`-Drelease=true` already gates the release flow via the pre-flight
checks above (HEAD on a clean semver tag), so gating signing purely on
`isRelease` is the right intent.

Set `nextVersionBump = "x.x.x"` so snapshot builds compute 5.0.1 as the
next planned release, ahead of an expected 5.0.x point release.

Replace the dead `maven-badges.herokuapp.com` Maven Central badge
(Heroku free tier shut down in late 2022) with an `img.shields.io`
equivalent, and point the click-through at the current Sonatype Central
artifact page instead of the defunct `search.maven.org` hash-fragment
URL.
…ions.

The "Install Samtools" step was running `apt-get upgrade` with no package
list, which upgrades every package on the runner — including the firefox
transitional `.deb` that bootstraps the Firefox snap. When the snap store
is unreachable (an intermittent failure mode), the upgrade blocks for ~50
minutes and then fails the job, even though htsjdk needs nothing from
firefox. Drop the upgrade entirely; the only packages this script needs
are the three -dev libs already installed explicitly.

Bump samtools to 1.23.1 and cache the built binary keyed on version + OS,
so subsequent runs skip the ~3-5 min compile. Move the install prefix to
/usr/local since /usr is reserved for the distro package manager and is
the conventional location for locally-built software.

Bump actions/checkout and actions/setup-java to v4 (v3 ran on Node 16,
which is end-of-life on the Actions runtime), and switch the JDK
distribution from `adopt` to its current name `temurin`.

The previous setup relied on actions/setup-java's `cache: gradle`
option, which caches `~/.gradle/caches` (resolved dependencies) but
NOT `~/.gradle/wrapper/dists/`. Every CI run was therefore
re-downloading the ~150 MB Gradle distribution zip on top of its own
cold dependency resolution.

Gradle publishes an official action that handles both: the wrapper
distribution and the dependency cache, with smarter cache-key
heuristics than setup-java's basic option. Drop `cache: gradle` from
setup-java and add `gradle/actions/setup-gradle@v4` after it in each
job.

We've been seeing intermittent `OutOfMemoryError: Java heap space` in CI
test runs. With TestNG `parallel = "classes"` running availableProcessors()
threads in a single JVM, peak heap demand scales with concurrency, and 12G
was right at the edge on the 16G GitHub runner.

Bump test JVM `maxHeapSize` to 14G. To make that safe, pin the gradle
daemon's own footprint via gradle.properties (-Xmx512m + Metaspace cap)
so it doesn't compete for the same physical RAM. Combined budget on a
16G runner: ~14G test heap + ~1G test non-heap + ~1G daemon + OS
headroom.

The previous test asserted a substring match against a hardcoded version
string, which broke any time CI bumped samtools (just happened: 1.21 →
1.23.1). htsjdk only cares that the local samtools is at least the
version the tests were written against, not that it's exactly that
version, so do a numeric semver comparison instead.

Adds two small package-private helpers to SamtoolsTestUtils:
- parseSamtoolsVersion(String) extracts the version from `samtools
  --version` output via a single regex.
- compareVersions(a, b) compares two dotted-numeric version strings
  component-by-component, treating missing trailing components as zero.

The version test now parses the running samtools version and asserts
it is >= minimumSamtoolsVersion (renamed from expectedSamtoolsVersion
to reflect the new semantics, bumped to 1.23.1 to match the version
CI installs).

Adds small unit tests for the parser and comparator covering typical
output, two-component versions, missing version line, equality with
implicit trailing zero, ordering across major/minor/patch, and the
1.10 vs 1.9 numeric-not-lexical case.
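
The minimum-version check described in the last commit message, sketched in shell as an added example; it is not the Java helpers from SamtoolsTestUtils, and the function names are assumptions. It assumes the first line of `samtools --version` output has the form `samtools <version>`.

```shell
#!/bin/sh
# Added example (not the project's code): parse and compare samtools versions.

# Print the dotted-numeric version from `samtools --version` output passed as
# $1; prints nothing when no "samtools <version>" line is present.
parse_samtools_version() {
    printf '%s\n' "$1" |
        sed -n 's/^samtools \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' |
        head -n 1
}

# Compare two dotted-numeric versions component by component, treating
# missing trailing components as zero. Prints -1, 0 or 1.
compare_versions() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}           # leading component of each side
        x=${x:-0}; y=${y:-0}             # exhausted side counts as 0
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# Succeed when version $1 is at least version $2.
version_at_least() {
    [ "$(compare_versions "$1" "$2")" -ge 0 ]
}
```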

tfenne merged commit 730f03f into master May 1, 2026
4 checks passed
tfenne deleted the tf_fix_signing_and_release_hygiene branch May 1, 2026 22:09