[maven-release-plugin] prepare release jackson-core-2.17.3 #31
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow publishes a new release to Maven central. | |
# | |
# The release MUST be initiated by running the release.sh script. That script will run | |
# ./mvnw release:prepare and make the necessary changes for this workflow to then take | |
# over and perform the actual release. | |
name: Publish new release | |
on: | |
push: | |
tags: | |
- "*" | |
- "!*.pr*" | |
- "!*b" | |
permissions: | |
contents: read | |
jobs: | |
release: | |
runs-on: "ubuntu-20.04" | |
env: | |
JAVA_OPTS: "-XX:+TieredCompilation -XX:TieredStopAtLevel=1" | |
TAG: ${{ github.ref_name }} | |
outputs: | |
hash: ${{ steps.hash.outputs.hash }} | |
artifact_name: ${{ steps.hash.outputs.artifact_name }} | |
steps: | |
- name: Validate version name | |
run: | | |
[[ "$TAG" =~ jackson-core-[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)? ]] || exit 1 | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Set up JDK | |
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 | |
with: | |
distribution: "temurin" | |
java-version: "8" | |
cache: "maven" | |
server-id: sonatype-nexus-staging | |
server-username: CI_DEPLOY_USERNAME | |
server-password: CI_DEPLOY_PASSWORD | |
# See https://github.com/actions/setup-java/blob/v2/docs/advanced-usage.md#Publishing-using-Apache-Maven | |
gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import | |
gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase | |
- name: Perform release | |
env: | |
CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }} | |
CI_DEPLOY_PASSWORD: ${{ secrets.CI_DEPLOY_PASSWORD }} | |
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }} | |
# The following command will only succeed if the preparation was done via the | |
# release.sh script. | |
run: ./mvnw -B -q -ff -ntp release:perform -DlocalCheckout=true | |
- name: Generate hash | |
id: hash | |
run: | | |
ARTIFACT_NAME="$( \ | |
./mvnw help:evaluate \ | |
-Dexpression=project.artifactId -q -DforceStdout)-$( \ | |
./mvnw help:evaluate \ | |
-Dexpression=project.version -q -DforceStdout)" | |
echo "artifact_name=$ARTIFACT_NAME" >> "$GITHUB_OUTPUT" | |
cd ./checkout/target | |
echo "hash=$( \ | |
sha256sum $ARTIFACT_NAME*.jar | \ | |
base64 -w0 \ | |
)" >> "$GITHUB_OUTPUT" | |
echo "DEBUG: After SLSA hash generation we have:" | |
echo "DEBUG: ARTIFACT_NAME = $ARTIFACT_NAME" | |
ls ./checkout | |
ls ./checkout/target | |
provenance: | |
needs: [release] | |
permissions: | |
actions: read # To read the workflow path. | |
id-token: write # To sign the provenance. | |
contents: write # To add assets to a release. | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: "${{ needs.release.outputs.hash }}" | |
provenance-name: "${{ needs.release.outputs.artifact_name }}.jar.intoto.jsonl" | |
upload-assets: true # Optional: Upload to a new release |