|
| 1 | +# Release Candidate Action |
| 2 | + |
| 3 | +This is a GitHub Action that can be used to create release candidates. Note |
| 4 | +that it is somewhat opinionated on how release candidates are organized. This |
| 5 | +is not intended to be used by all projects. |
| 6 | + |
| 7 | +## Prerequisites |
| 8 | + |
| 9 | +* Apache Security Team has approved the project for |
| 10 | + [Automated Release Signing](https://infra.apache.org/release-signing.html#automated-release-signing) |
| 11 | + and INFRA has set secrets for the repository, including a GPG signing key, |
| 12 | + SVN username/password, and nexus username/password. |
| 13 | +* The `runs-on` workflow setting should be Linux based (e.g. `ubuntu-latest`) |
| 14 | +* The repository must be checked out using `actions/checkout` prior to |
| 15 | + triggering this action |
| 16 | +* The repository must have a `VERSION` file containing the current version of the |
| 17 | + project (e.g. `1.0.0`) |
| 18 | +* When triggered from a tag, the tag must follow the pattern `v<VERSION>-*` |
| 19 | + (e.g. `v1.0.0-rc1`) |
| 20 | +* When triggered from a tag, the tag must be signed and verified by a key |
| 21 | + listed in `https://downloads.apache.org/<tlp_dir>/KEYS`. |
| 22 | + |
| 23 | +## Setup Operations |
| 24 | + |
| 25 | +Below are the operations this action does to setup the environment for a |
| 26 | +release candidate workflow: |
| 27 | + |
| 28 | +* Checkout the project's `dist/dev/` SVN directory and create a directory for |
| 29 | + release artifacts in `https://dist.apache.org/repos/dist/dev/<tlp_dir>/<project_dir>/<version>-rcX`. |
| 30 | + The `artifact_dir` output is set to this directory. Note that `<project_dir>` |
| 31 | + is optional if the artifact directory should be in the root of the |
| 32 | + `<tlp_dir>` |
| 33 | +* Delete previous release candidates from `dist/dev/` for the same version |
| 34 | + Useful if an rc fails the VOTE and another is created |
| 35 | +* Create a zip source artifact using git archive. The artifact is written to |
| 36 | + `src/apache-<project_id>-<version>-src.zip` in the above artifact directory |
| 37 | +* Export `SOURCE_DATE_EPOCH` environment variable to match the timestamp of the |
| 38 | + current commit |
| 39 | +* Configure global SBT [Simple Build Tool](https://scala-sbt.org) settings to |
| 40 | + enabling publishing signed jars to the ASF nexus staging repository. Workflow |
| 41 | + steps can use `sbt pubilshSigned` without needing any other configuration. If |
| 42 | + publishing is disabled, SBT is configured to publish to a local maven repo on |
| 43 | + the CI system, so `sbt publishSigned` can still be used without actually |
| 44 | + publishing anything. |
| 45 | + |
| 46 | +## Post Operations |
| 47 | + |
| 48 | +If the workflow job does not succeed, none of the following actions are taken. |
| 49 | +Files added to `dist/dev/` will not be committed. If the workflow published |
| 50 | +files to the ASF staging nexus repository, those files must be manually |
| 51 | +dropped. |
| 52 | + |
| 53 | +If the workflow job successfully completes, the following actions are performed |
| 54 | +at the end of the workflow: |
| 55 | + |
| 56 | +* Create sha512 checksum files for all artifacts |
| 57 | +* Create detached ASCII armored GPG signatures for all artifacts |
| 58 | +* Sign all rpm artifacts with the GPG key with rpmsign |
| 59 | +* Commit all files added to `dist/dev/` to SVN |
| 60 | + |
| 61 | +Note that committing to SVN is is disabled if any of the following are true: |
| 62 | +* The `publish` input is not explicitly set to `true` |
| 63 | +* The `VERSION` file contains `-SNAPSHOT` |
| 64 | +* The workflow is not triggered from the push of a tag |
| 65 | +* The repository is not in the `apache` organization |
| 66 | + |
| 67 | +If any of the above are true and publishing is disabled, the artifact directory |
| 68 | +is uploaded as a GitHub workflow artifact. It will be retained for one day. |
| 69 | +This is useful for testing the workflow using workflow dispatch. |
| 70 | + |
| 71 | +## Inputs |
| 72 | + |
| 73 | +| Input | Required | Default | Description | |
| 74 | +|-----------------|----------|---------|-------------| |
| 75 | +| tlp_dir | yes | | Directory of the top level project in dist/dev/ | |
| 76 | +| project_name | yes | | Human readable name of the project | |
| 77 | +| project_id | yes | | ID of the project, used in source artifact file name | |
| 78 | +| project_dir | no | "" | Directory for the project in dev/dist/<tlp_dir>/. Omit if at the root | |
| 79 | +| gpg_signing_key | yes | | Key used to sign artifacts | |
| 80 | +| svn_username | yes | | Username for publishing release artifacts to SVN dev/dist | |
| 81 | +| svn_password | yes | | Password for publishing release artifacts to SVN dev/dist | |
| 82 | +| nexus_username | yes | | Username for publishing release artifacts to Nexus | |
| 83 | +| nexus_password | yes | | Password for publishing release artifacts to Nexus | |
| 84 | +| publish | no | false | Enable/disabling publish artifacts. Must be explicitly set to true to enable publishing. May be ignored depending on other factors. | |
| 85 | + |
| 86 | +## Outputs |
| 87 | + |
| 88 | +| Output | Description | |
| 89 | +|-----------------|-------------| |
| 90 | +| artifact_dir | Directory where additional release artifacts can be added by the workflow. They are automatically signed, checksumed, and published at the end of the workflow | |
| 91 | + |
| 92 | +## Example Workflow |
| 93 | + |
| 94 | +```yaml |
| 95 | +name: Release Candidate |
| 96 | + |
| 97 | +# triggered via release candidate tags or manually via workflow dispatch, note |
| 98 | +# that publishing is disabled if not triggered from a tag |
| 99 | +on: |
| 100 | + push: |
| 101 | + tags: |
| 102 | + - 'v*-rc*' |
| 103 | + workflow_dispatch: |
| 104 | + |
| 105 | +jobs: |
| 106 | + |
| 107 | + release-candidate: |
| 108 | + name: RC ${{ github.ref_name }} |
| 109 | + runs-on: ubuntu-latest |
| 110 | + |
| 111 | + steps: |
| 112 | + |
| 113 | + - name: Checkout Repository |
| 114 | + uses: actions/checkout@v4 |
| 115 | + |
| 116 | + - name: ASF Release Candidate |
| 117 | + id: rc |
| 118 | + uses: apache/daffodil-infrastructure/release-candidate@main |
| 119 | + with: |
| 120 | + tlp_dir: 'daffodil' |
| 121 | + project_name: 'Apache Daffodil' |
| 122 | + project_id: 'daffodil' |
| 123 | + gpg_signing_key: ${{ secrets.GPG_PRIVATE_KEY }} |
| 124 | + svn_username: ${{ secrets.SVN_USERNAME }} |
| 125 | + svn_password: ${{ secrets.SVN_PASSWORD }} |
| 126 | + nexus_username: ${{ secrets.NEXUS_USERNAME }} |
| 127 | + nexus_password: ${{ secrets.NEXUS_PASSWORD }} |
| 128 | + publish: true |
| 129 | + |
| 130 | + - name: Install Dependencies |
| 131 | + run: | |
| 132 | + sudo apt-get -y install ... |
| 133 | + ... |
| 134 | +
|
| 135 | + - name: Create Binary Artifacts |
| 136 | + run: | |
| 137 | + sbt compile publishSigned ... |
| 138 | + |
| 139 | + ARTIFACT_DIR=${{ steps.rc.outputs.artifact_dir }} |
| 140 | + ARTIFACT_BIN_DIR=$ARTIFACT_DIR/bin |
| 141 | +
|
| 142 | + # copy helper binaries to the artifact bin directory, these will be |
| 143 | + # automatically signed, checksumed, and comitted to dist/dev/ |
| 144 | + mkdir -p $ARTIFACT_BIN_DIR |
| 145 | + cp ... $ARTIFACT_BIN_DIR/ |
| 146 | +``` |
| 147 | +
|
| 148 | +# Development |
| 149 | +
|
| 150 | +GitHub actions require that any changes made to the files in the `src/` |
| 151 | +directory are compiled into index.js files in `dist/` subdirectories. To do |
| 152 | +this, run the commands: |
| 153 | + |
| 154 | +```bash |
| 155 | +npm install |
| 156 | +npm run build |
| 157 | +``` |
| 158 | + |
| 159 | +The changes this makes to `dist/` must be committed along with the changes to |
| 160 | +`src/`. |
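Review bot: The example workflow (README line 118) references the action as `apache/daffodil-infrastructure/release-candidate@main` while passing it `gpg_signing_key`, `svn_password` and `nexus_password`. A branch ref is mutable, so whatever lands on `main` later runs with the release signing key and publishing credentials. Suggest the example pin a full commit SHA (or at least a release tag) and that the README say why. Also, Prerequisites (lines 20-21) require the tag to be signed by a key listed in `KEYS`, but neither Setup Operations nor the list of conditions that disable the SVN commit (lines 61-65) says whether the action performs that verification or what happens when it fails; please document the behaviour. Smaller fixes: `sbt pubilshSigned` on line 41 should read `sbt publishSigned`, "is is" on line 61, "comitted" on line 143, and the Inputs table (lines 78, 80, 81) writes `dev/dist` where the rest of the file uses `dist/dev/`.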