Skip to content

[#270] Audit issue C: Properly check read() #125

[#270] Audit issue C: Properly check read()

[#270] Audit issue C: Properly check read() #125

# Expected secrets
# MAVEN_CENTRAL_USERNAME - Username for Maven Central
# MAVEN_CENTRAL_PASSWORD - Password for Maven Central
# Note that snapshot releases do not require GPG signing
name: Deploy Snapshot
on:
workflow_dispatch:
push:
branches:
- main
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- '.github/PULL_REQUEST_TEMPLATE.md'
- 'LICENSE'
- 'README.md'
- 'docs/**'
concurrency: deploy_snapshot
jobs:
validate_gradle_wrapper:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
timeout-minutes: 1
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
# Gradle Wrapper validation can be flaky
# https://github.com/gradle/wrapper-validation-action/issues/40
- name: Gradle Wrapper Validation
timeout-minutes: 1
uses: gradle/wrapper-validation-action@b5418f5a58f5fd2eb486dd7efb368fe7be7eae45
check_secrets:
environment: deployment
permissions:
contents: read
runs-on: ubuntu-latest
outputs:
has-secrets: ${{ steps.check_secrets.outputs.defined }}
steps:
- id: check_secrets
env:
MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
if: "${{ env.MAVEN_CENTRAL_USERNAME != '' && env.MAVEN_CENTRAL_PASSWORD != '' }}"
run: echo "::set-output name=defined::true"
deploy_snapshot:
if: needs.check_secrets.outputs.has-secrets == 'true'
needs: [validate_gradle_wrapper, check_secrets]
environment: deployment
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
timeout-minutes: 1
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
- name: Set up Java
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9
timeout-minutes: 1
with:
distribution: 'temurin'
java-version: 17
- name: Set up Gradle
uses: gradle/gradle-build-action@bdf99f9dada2506e990bac6de8ec5e3de34a04f1
timeout-minutes: 10
with:
gradle-home-cache-cleanup: true
# While not strictly necessary, this sanity checks the build before attempting to upload.
# This adds minimal additional build time, since most of the work is cached and re-used
# in the next step.
- name: Deploy to Maven Local
timeout-minutes: 25
env:
ORG_GRADLE_PROJECT_IS_SNAPSHOT: true
run: |
./gradlew publishAllPublicationsToMavenLocalRepository --no-parallel
- name: Deploy to Maven Central
timeout-minutes: 5
env:
ORG_GRADLE_PROJECT_ZCASH_MAVEN_PUBLISH_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
ORG_GRADLE_PROJECT_ZCASH_MAVEN_PUBLISH_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
ORG_GRADLE_PROJECT_IS_SNAPSHOT: true
run: |
./gradlew publishAllPublicationsToMavenCentralRepository --no-parallel
- name: Collect Artifacts
timeout-minutes: 1
if: ${{ always() }}
run: |
export ARTIFACTS_DIR_PATH=~/artifacts
export BINARIES_ZIP_PATH=${ARTIFACTS_DIR_PATH}/snapshot_binaries.zip
mkdir ${ARTIFACTS_DIR_PATH}
zip -r ${BINARIES_ZIP_PATH} . -i *build/libs/*
- name: Upload Artifacts
if: ${{ always() }}
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
timeout-minutes: 1
with:
name: Snapshot binaries
path: ~/artifacts