prepare-release.yml
# Manually dispatched release workflow. The operator supplies the release tag,
# the git ref to release from, and two switches that select which artifact
# jobs run.
name: Prepare release

defaults:
  run:
    # -e / -u / pipefail make every `run:` step stop on the first failing
    # command, unset variable, or failing pipeline stage; nullglob makes an
    # unmatched glob expand to nothing instead of to the literal pattern.
    shell: bash -euo pipefail -O nullglob {0}

on:
  workflow_dispatch:
    inputs:
      tag:
        description: 'Release version tag (e.g. v1.2.3)'
        type: string
        required: true
      ref:
        description: 'Git ref from which to release'
        type: string
        required: true
        default: 'master'
      do_build_native_images:
        description: 'Native Test Server'
        type: boolean
        required: true
        default: 'true'
      do_publish_jars:
        description: 'Publish Java Artifacts'
        type: boolean
        required: true
        default: 'true'

# The operator-supplied inputs are exported as environment variables so that
# `run:` steps read them as quoted shell variables ("$INPUT_TAG") rather than
# having `${{ ... }}` expanded directly into the script text.
env:
  INPUT_REF: ${{ github.event.inputs.ref }}
  INPUT_TAG: ${{ github.event.inputs.tag }}
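# NOTE(review): every `uses:` below references an action by a mutable tag.
# Pinning each one to a full commit SHA (for example
# `actions/checkout@<full-commit-sha>  # v4`) keeps a retagged action release
# from running inside jobs that hold signing and publishing secrets.
jobs:
  # Creates the draft GitHub release that attach_to_release later uploads to.
  create_draft_release:
    name: Create Github draft release
    runs-on: ubuntu-latest
    # Least privilege: creating a release is the only write this job performs.
    permissions:
      contents: write
    steps:
      - name: Audit gh version
        run: gh --version
      - name: Check for existing release
        id: check_release
        # Records whether a release for the tag already exists so that the
        # following steps can be skipped on a re-run. Any failure of
        # `gh release view` (not only "not found") is reported as "false".
        # The result is written to $GITHUB_OUTPUT (the `::set-output` workflow
        # command is deprecated) and echoed to the log via tee.
        run: |
          if gh release view --repo "$GITHUB_REPOSITORY" "$INPUT_TAG"; then
            echo "already_exists=true" | tee -a "$GITHUB_OUTPUT"
          else
            echo "already_exists=false" | tee -a "$GITHUB_OUTPUT"
          fi
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Checkout repo
        if: steps.check_release.outputs.already_exists == 'false'
        uses: actions/checkout@v4
        with:
          ref: ${{ env.INPUT_REF }}
          # No later step talks to the remote through git, so do not leave the
          # token in the clone's git config.
          persist-credentials: false
      - name: Create release
        if: steps.check_release.outputs.already_exists == 'false'
        # The positional argument is the release tag. It must be $INPUT_TAG:
        # the existence check above and the upload in attach_to_release both
        # look the release up by $INPUT_TAG, while --target names the ref the
        # tag will be created from when the draft is published.
        run: >
          gh release create
          "$INPUT_TAG"
          --draft
          --repo "$GITHUB_REPOSITORY"
          --title "$INPUT_TAG"
          --target "$INPUT_REF"
          --notes-file releases/"$INPUT_TAG"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Builds, signs and publishes the Java artifacts with Gradle.
  publish_java_artifacts:
    name: Publish Java Artifacts
    if: github.event.inputs.do_publish_jars == 'true'
    runs-on: ubuntu-latest
    needs: create_draft_release
    # This job only reads the repository; publishing uses the signing and
    # Sonatype secrets below, not the GitHub token.
    permissions:
      contents: read
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          ref: ${{ env.INPUT_REF }}
          # The build that follows runs with publishing secrets; keep the
          # GitHub token out of the clone's git config.
          persist-credentials: false
      # Our custom gradle version sniffing builds the maven release artifact
      # names out of the git tag ... but the repo isn't tagged (yet) so add a
      # tag to the _local_ clone just to get the right jar names. This tag
      # does not get pushed back to the origin. Once the artifacts have been
      # inspected and verified, the manual act of publishing the draft GH
      # release creates the tag.
      - name: Temporary tag
        run: git tag "$INPUT_TAG"
      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          java-version: "11"
          distribution: "temurin"
      - name: Set up Gradle
        uses: gradle/actions/setup-gradle@v3
      - name: Set up signing key
        # umask 077 keeps the directory and the decoded key ring readable by
        # the runner user only.
        run: |
          umask 077
          mkdir -p "$HOME/.gnupg"
          echo -n "$KEY" | base64 -d > "$HOME/.gnupg/secring.gpg"
        env:
          KEY: ${{ secrets.JAR_SIGNING_KEY }}
      # Prefer env variables here rather than inline ${{ secrets.FOO }} to
      # decrease the likelihood that secrets end up printed to stdout.
      - name: Set up secret gradle properties
        # The heredoc delimiter is quoted so that bash leaves the text alone
        # and envsubst performs the only substitution pass. With an unquoted
        # delimiter bash expands the variables first and envsubst then expands
        # again, which corrupts any secret value that itself contains `$NAME`.
        # umask 077 keeps the credentials file private to the runner user.
        run: |
          umask 077
          mkdir -p "$HOME/.gradle"
          envsubst >"$HOME/.gradle/gradle.properties" <<'EOF'
          signing.keyId = $KEY_ID
          signing.password = $KEY_PASSWORD
          signing.secretKeyRingFile = $HOME/.gnupg/secring.gpg
          ossrhUsername = $RH_USER
          ossrhPassword = $RH_PASSWORD
          EOF
        env:
          KEY_PASSWORD: ${{ secrets.JAR_SIGNING_KEY_PASSWORD }}
          KEY_ID: ${{ secrets.JAR_SIGNING_KEY_ID }}
          RH_USER: ${{ secrets.RH_USER }}
          RH_PASSWORD: ${{ secrets.RH_PASSWORD }}
      - name: Publish
        run: ./gradlew publishToSonatype

  # Builds the native test server once per OS and stores each executable as a
  # short-lived workflow artifact named <os_family>_<arch>.
  build_native_images:
    name: Build native test server
    needs: create_draft_release
    if: github.event.inputs.do_build_native_images == 'true'
    # Building and uploading workflow artifacts needs no repository write.
    permissions:
      contents: read
    strategy:
      # One platform failing must not cancel the other platform builds.
      fail-fast: false
      matrix:
        include:
          - runner: buildjet-2vcpu-ubuntu-1804
            os_family: linux
            arch: amd64
          - runner: macos-13
            os_family: macOS
            arch: amd64
          - runner: windows-2019
            os_family: windows
            arch: amd64
    runs-on: ${{ matrix.runner }}
    env:
      # This is required to allow continuing usage of Node 16 for actions,
      # as Node 20 won't run on the builder we use for linux builds
      # (Node 20 require glibc 2.28+, but ubuntu-1804 has glibc 2.27).
      # https://github.blog/changelog/2024-05-17-updated-dates-for-actions-runner-using-node20-instead-of-node16-by-default/
      # NOTE(review): this opt-out keeps the action steps of this job on a
      # Node runtime the runner treats as unsecure; the binaries produced here
      # are attached to the release, so moving the linux build to a runner
      # that supports Node 20 would let the flag and the old action versions
      # below be dropped.
      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: "true"
    steps:
      - name: Checkout repo
        # FIXME: v4+ requires Node 20
        uses: actions/checkout@v3
        with:
          ref: ${{ env.INPUT_REF }}
          # The temporary tag below is local only; nothing is pushed.
          persist-credentials: false
      # See comment on temporary tag above. tldr: this is a local tag; never
      # gets pushed
      - name: Temporary tag
        run: git tag "$INPUT_TAG"
      - name: Set up Java
        # FIXME: v4+ requires Node 20
        uses: actions/setup-java@v3
        with:
          java-version: "11"
          distribution: "temurin"
      - name: Set up Gradle
        # FIXME: v3+ requires Node 20
        uses: gradle/gradle-build-action@v2
      - name: Build native test server
        run: ./gradlew :temporal-test-server:build
      # path ends in a wildcard because on windows the file ends in '.exe'
      # path excludes *.txt because native-image also writes a build manifest txt file
      - name: Upload executable to workflow
        # FIXME: v4+ requires Node 20
        uses: actions/upload-artifact@v3
        with:
          name: ${{ matrix.os_family }}_${{ matrix.arch }}
          path: |
            temporal-test-server/build/graal/temporal-test-server*
            !temporal-test-server/build/graal/*.txt
          if-no-files-found: error
          retention-days: 1

  # Packages the per-platform executables and uploads them to the draft
  # release created by create_draft_release.
  attach_to_release:
    name: Attach native executables to release
    needs: build_native_images
    runs-on: ubuntu-latest
    # Uploading release assets is the only write this job performs.
    permissions:
      contents: write
    steps:
      - name: Audit gh version
        run: gh --version
      # when no artifact is specified, all artifacts are downloaded and expanded into CWD
      - name: Fetch executables
        # Need v3 here to stay compatible with the build_native_images job.
        uses: actions/download-artifact@v3-node20
      # example: linux_amd64/ -> temporal-test-server_1.2.3_linux_amd64
      # the name of the directory created becomes the basename of the archive (*.tar.gz or *.zip) and
      # the root directory of the contents of the archive.
      - name: Rename dirs
        # Strips a leading "v" from the tag to get the version used in names.
        run: |
          version="$(sed 's/^v//'<<<"$INPUT_TAG")"
          for dir in *; do mv "$dir" "temporal-test-server_${version}_${dir}"; done
      - name: Tar (linux, macOS)
        run: for dir in *{linux,macOS}*; do tar cvzf "${dir}.tar.gz" "$dir"; done
      - name: Zip (windows)
        run: for dir in *windows*; do zip -r "${dir}.zip" "$dir"; done
      - name: Upload release archives
        uses: actions/upload-artifact@v4
        with:
          name: release-archives
          path: |
            *.zip
            *.tar.gz
          if-no-files-found: error
          retention-days: 1
      - name: Upload
        # Retries every 20s until the upload succeeds; timeout-minutes bounds
        # the loop. --clobber replaces assets left by an earlier attempt.
        run: |
          until gh release upload --clobber --repo "$GITHUB_REPOSITORY" "$INPUT_TAG" *.zip *.tar.gz; do
            echo "Failed to upload release artifacts. Will retry in 20s"
            sleep 20
          done
        timeout-minutes: 10
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}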