diff --git a/.ci/jenkins/Jenkinsfile.daily-dev-publish b/.ci/jenkins/Jenkinsfile.daily-dev-publish index 6dbef667d0d..01cd29217a2 100644 --- a/.ci/jenkins/Jenkinsfile.daily-dev-publish +++ b/.ci/jenkins/Jenkinsfile.daily-dev-publish @@ -575,7 +575,7 @@ pipeline { steps { dir('kie-tools') { script { - withCredentials([usernamePassword(credentialsId: "${pipelineVars.mavenDeployRepositoryCredentialsId}", usernameVariable: 'REPOSITORY_USER', passwordVariable: 'REPOSITORY_TOKEN')]) { + withCredentials([usernamePassword(credentialsId: "${pipelineVars.mavenDeploySnapshotsCredentialsId}", usernameVariable: 'REPOSITORY_USER', passwordVariable: 'REPOSITORY_TOKEN')]) { configFileProvider([configFile(fileId: "${pipelineVars.mavenSettingsConfigFileId}", variable: 'MAVEN_SETTINGS_FILE')]) { sh """#!/bin/bash -el export KIE_TOOLS_BUILD__mavenDeploySkip=false diff --git a/.ci/jenkins/Jenkinsfile.weekly-publish b/.ci/jenkins/Jenkinsfile.weekly-publish index d417dceb0d1..757543800ed 100644 --- a/.ci/jenkins/Jenkinsfile.weekly-publish +++ b/.ci/jenkins/Jenkinsfile.weekly-publish @@ -115,7 +115,7 @@ pipeline { steps { dir('kie-tools') { script { - withCredentials([usernamePassword(credentialsId: "${pipelineVars.mavenDeployRepositoryCredentialsId}", usernameVariable: 'REPOSITORY_USER', passwordVariable: 'REPOSITORY_TOKEN')]) { + withCredentials([usernamePassword(credentialsId: "${pipelineVars.mavenDeploySnapshotsCredentialsId}", usernameVariable: 'REPOSITORY_USER', passwordVariable: 'REPOSITORY_TOKEN')]) { configFileProvider([configFile(fileId: "${pipelineVars.mavenSettingsConfigFileId}", variable: 'MAVEN_SETTINGS_FILE')]) { timestampedSnapshotVersion = getTimestampedSnapshotVersion() sh """#!/bin/bash -el diff --git a/.ci/jenkins/release-jobs/Jenkinsfile.jbpm-quarkus-devui b/.ci/jenkins/release-jobs/Jenkinsfile.jbpm-quarkus-devui index 8b0950571c3..714002a2178 100644 --- a/.ci/jenkins/release-jobs/Jenkinsfile.jbpm-quarkus-devui +++ b/.ci/jenkins/release-jobs/Jenkinsfile.jbpm-quarkus-devui @@ -119,7 +119,7 @@ pipeline { if (params.DRY_RUN) { env.KIE_TOOLS_BUILD__mavenDeploySkip = 'true' } - withCredentials([usernamePassword(credentialsId: "${pipelineVars.mavenDeployRepositoryCredentialsId}", usernameVariable: 'REPOSITORY_USER', passwordVariable: 'REPOSITORY_TOKEN')]) { + withCredentials([usernamePassword(credentialsId: "${pipelineVars.mavenDeployStagingCredentialsId}", usernameVariable: 'REPOSITORY_USER', passwordVariable: 'REPOSITORY_TOKEN')]) { configFileProvider([configFile(fileId: "${pipelineVars.mavenSettingsConfigFileId}", variable: 'MAVEN_SETTINGS_FILE')]) { sh """#!/bin/bash -el pnpm ${env.PNPM_FILTER_STRING} exec 'bash' '-c' 'echo -e "\n--settings=${MAVEN_SETTINGS_FILE}" >> .mvn/maven.config' diff --git a/.ci/jenkins/release-jobs/Jenkinsfile.sonataflow-quarkus-devui b/.ci/jenkins/release-jobs/Jenkinsfile.sonataflow-quarkus-devui index 612a0b3a8bc..c5658e71685 100644 --- a/.ci/jenkins/release-jobs/Jenkinsfile.sonataflow-quarkus-devui +++ b/.ci/jenkins/release-jobs/Jenkinsfile.sonataflow-quarkus-devui @@ -119,7 +119,7 @@ pipeline { if (params.DRY_RUN) { env.KIE_TOOLS_BUILD__mavenDeploySkip = 'true' } - withCredentials([usernamePassword(credentialsId: "${pipelineVars.mavenDeployRepositoryCredentialsId}", usernameVariable: 'REPOSITORY_USER', passwordVariable: 'REPOSITORY_TOKEN')]) { + withCredentials([usernamePassword(credentialsId: "${pipelineVars.mavenDeployStagingCredentialsId}", usernameVariable: 'REPOSITORY_USER', passwordVariable: 'REPOSITORY_TOKEN')]) { configFileProvider([configFile(fileId: "${pipelineVars.mavenSettingsConfigFileId}", variable: 'MAVEN_SETTINGS_FILE')]) { sh """#!/bin/bash -el pnpm ${env.PNPM_FILTER_STRING} exec 'bash' '-c' 'echo -e "\n--settings=${MAVEN_SETTINGS_FILE}" >> .mvn/maven.config' diff --git a/.ci/jenkins/shared-scripts/pipelineVars.groovy b/.ci/jenkins/shared-scripts/pipelineVars.groovy index 84d0878e40f..6f87c9f0256 100644 --- a/.ci/jenkins/shared-scripts/pipelineVars.groovy +++ b/.ci/jenkins/shared-scripts/pipelineVars.groovy @@ -36,11 +36,12 @@ class PipelineVars implements Serializable { String asfGithubPushCredentialsId = '84811880-2025-45b6-a44c-2f33bef30ad2' String asfGithubTokenPushCredentialsId = '41128c14-bb63-4708-9074-d20a318ee630' String mavenSettingsConfigFileId = 'kie-release-settings' - String mavenDeployRepositoryCredentialsId = 'apache-nexus-kie-deploy-credentials' + String mavenDeploySnapshotsCredentialsId = 'apache-nexus-kie-deploy-credentials' + String mavenDeployStagingCredentialsId = 'jenkins-deploy-to-nexus-staging' String defaultArtifactsTempDir = 'artifacts-tmp' String asfReleaseStagingRepository = 'https://dist.apache.org/repos/dist/dev/incubator/kie' - String asfReleaseGPGKeyCredentialsId = 'GPG_KEY' - String asfReleaseSVNStagingCredentialsId = 'kie-dist-acct' + String asfReleaseGPGKeyCredentialsId = 'GPG_KEY_FILE' + String asfReleaseSVNStagingCredentialsId = 'kie-svn-credentials' String kieToolsCiBuildImageRegistry = 'docker.io' String kieToolsCiBuildImageAccount = 'apache' String kieToolsCiBuildImageName = 'incubator-kie-tools-ci-build' diff --git a/.ci/jenkins/shared-scripts/releaseUtils.groovy b/.ci/jenkins/shared-scripts/releaseUtils.groovy index 6e07f82338a..998dad3c0ba 100644 --- a/.ci/jenkins/shared-scripts/releaseUtils.groovy +++ b/.ci/jenkins/shared-scripts/releaseUtils.groovy @@ -21,10 +21,8 @@ def setupSigningKey(String gpgKeyCredentialsId) { withCredentials([string(credentialsId: gpgKeyCredentialsId, variable: 'SIGNING_KEY')]) { sh """#!/bin/bash -el - echo "${SIGNING_KEY}" > ${WORKSPACE}/signkey.gpg gpg --list-keys - gpg --batch --pinentry-mode loopback --import ${WORKSPACE}/signkey.gpg - rm ${WORKSPACE}/signkey.gpg + gpg --batch --pinentry-mode=loopback --import $SIGNING_KEY """.trim() } } @@ -45,10 +43,10 @@ def signArtifact(String artifactFileName) { def publishArtifacts(String artifactsDir, String releaseRepository, String releaseVersion, String credentialsId) { withCredentials([usernamePassword(credentialsId: credentialsId, usernameVariable: 'ASF_USERNAME', passwordVariable: 'ASF_PASSWORD')]) { sh """#!/bin/bash -el - svn co --depth=empty ${releaseRepository} svn-kie - cp ${artifactsDir}/* svn-kie/${releaseVersion}/ - svn add "svn-kie/${releaseVersion}" + svn co --depth=empty ${releaseRepository}/${releaseVersion} svn-kie + cp ${artifactsDir}/* svn-kie cd svn-kie + svn add . --force svn ci --non-interactive --no-auth-cache --username ${ASF_USERNAME} --password '${ASF_PASSWORD}' -m "Apache KIE ${releaseVersion} artifacts" rm -rf svn-kie """.trim() diff --git a/.github/workflows/release_build_extended_services.yml b/.github/workflows/release_build_extended_services.yml index af00465d12d..77689599b10 100644 --- a/.github/workflows/release_build_extended_services.yml +++ b/.github/workflows/release_build_extended_services.yml @@ -91,6 +91,12 @@ jobs: run: | pnpm ${{ steps.bootstrap.outputs.pnpm_filter_string }} build:prod + - name: Import GPG key + if: github.event_name != 'pull_request' + uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 + with: + gpg_private_key: ${{ secrets.GPG_KEY }} + - name: "Upload Extended Services for macOS" if: ${{ runner.os == 'macOS' && !inputs.dry_run && !inputs.release_candidate }} uses: actions/upload-release-asset@v1.0.2 @@ -129,14 +135,8 @@ jobs: if: ${{ runner.os == 'macOS' && !inputs.dry_run && inputs.release_candidate }} shell: bash env: - GPG_KEY: ${{ secrets.GPG_KEY }} ARTIFACT_ZIP_FILE: ${{ steps.macos_setup_artifact.outputs.ARTIFACT_ZIP_FILE }} run: | - rm ${WORKSPACE}/signkey.gpg - echo $GPG_KEY > ${WORKSPACE}/signkey.gpg - gpg --list-keys - gpg --batch --pinentry-mode loopback --import ${WORKSPACE}/signkey.gpg - rm ${WORKSPACE}/signkey.gpg gpg --no-tty --batch --sign --pinentry-mode loopback --output $ARTIFACT_ZIP_FILE.asc --detach-sig $ARTIFACT_ZIP_FILE shasum -a 512 $ARTIFACT_ZIP_FILE > $ARTIFACT_ZIP_FILE.sha512 @@ -149,10 +149,10 @@ jobs: PROJECT_VERSION: ${{ inputs.release_candidate_version }} ARTIFACT_ZIP_FILE: ${{ steps.macos_setup_artifact.outputs.ARTIFACT_ZIP_FILE }} run: | - svn co --depth=empty https://dist.apache.org/repos/dist/dev/incubator/kie svn-kie - cp ./extended-services-release-artifacts/* svn-kie/$PROJECT_VERSION/ - svn add "svn-kie/$PROJECT_VERSION" + svn co --depth=empty https://dist.apache.org/repos/dist/dev/incubator/kie/$PROJECT_VERSION/ svn-kie + cp ./extended-services-release-artifacts/* svn-kie cd svn-kie + svn add . --force svn ci --non-interactive --no-auth-cache --username "$SVN_USERNAME" --password "$SVN_PASSWORD" -m "Apache KIE $PROJECT_VERSION Extended Services for macOS artifact" rm -rf svn-kie @@ -172,14 +172,8 @@ jobs: if: ${{ runner.os == 'Windows' && !inputs.dry_run && inputs.release_candidate }} shell: pwsh env: - GPG_KEY: ${{ secrets.GPG_KEY }} ARTIFACT_ZIP_FILE: ${{ steps.windows_setup_artifact.outputs.ARTIFACT_ZIP_FILE }} run: | - rm ${WORKSPACE}/signkey.gpg - echo $GPG_KEY > ${WORKSPACE}/signkey.gpg - gpg --list-keys - gpg --batch --pinentry-mode loopback --import ${WORKSPACE}/signkey.gpg - rm ${WORKSPACE}/signkey.gpg gpg --no-tty --batch --sign --pinentry-mode loopback --output $ARTIFACT_ZIP_FILE.asc --detach-sig $ARTIFACT_ZIP_FILE shasum -a 512 $ARTIFACT_ZIP_FILE > $ARTIFACT_ZIP_FILE.sha512 @@ -192,9 +186,9 @@ jobs: PROJECT_VERSION: ${{ inputs.release_candidate_version }} ARTIFACT_ZIP_FILE: ${{ steps.windows_setup_artifact.outputs.ARTIFACT_ZIP_FILE }} run: | - svn co --depth=empty https://dist.apache.org/repos/dist/dev/incubator/kie svn-kie - cp ./extended-services-release-artifacts/* svn-kie/$PROJECT_VERSION/ - svn add "svn-kie/$PROJECT_VERSION" + svn co --depth=empty https://dist.apache.org/repos/dist/dev/incubator/kie/$PROJECT_VERSION/ svn-kie + cp ./extended-services-release-artifacts/* svn-kie cd svn-kie + svn add . --force svn ci --non-interactive --no-auth-cache --username "$SVN_USERNAME" --password "$SVN_PASSWORD" -m "Apache KIE $PROJECT_VERSION Extended Services for Windows artifact" rm -rf svn-kie