feat: use jreleaser for assembling and publishing the release

.github/actions/increase-semver/action.yml

@@ -0,0 +1,29 @@
+name: 'Increase semantic version'
+description: 'Increases '
+inputs:
+  current-version:
+    description: 'The current semantic version string'
+    required: true
+  version-fragment:
+    description: 'The version fragment to increase'
+    required: false
+    default: 'minor'
+outputs:
+  next-version:
+    description: "The next semantic version string with the specific fragment being increased"
+    value: ${{ steps.increase-semver.outputs.next-version }}
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0
+      with:
+        python-version: '3.10'
+        cache: 'pip'
+    - shell: bash
+      run: pip install -r $GITHUB_ACTION_PATH/requirements.txt
+    - id: increase-semver
+      shell: bash
+      run: |
+        NEXT_VERSION=$(cd $GITHUB_ACTION_PATH && python increase_semver.py ${{ inputs.current-version }} ${{ inputs.version-fragment }})
+        echo "Next Version: $NEXT_VERSION"
+        echo "next-version=${NEXT_VERSION}" >> $GITHUB_OUTPUT

.github/actions/increase-semver/increase_semver.py

@@ -0,0 +1,26 @@
+# *******************************************************************************
+# Copyright (c) 2023 Eclipse Foundation and others.
+# This program and the accompanying materials are made available
+# under the terms of the MIT License
+# which is available at https://spdx.org/licenses/MIT.html
+# SPDX-License-Identifier: MIT
+# *******************************************************************************
+
+import sys
+from semver.version import Version
+
+
+def run(current_version: str, version_fragment: str) -> None:
+    v = Version.parse(current_version)
+    print(str(v.next_version(part=version_fragment)))
+
+
+if __name__ == "__main__":
+    args = sys.argv[1:]
+
+    if len(args) != 2:
+        print("Error: Need to provide 2 arguments: 'current-version' and 'version-fragment'.")
+        exit(1)
+
+    run(args[0], args[1])
+    exit(0)

.github/actions/increase-semver/requirements.txt

@@ -0,0 +1 @@
+semver==3.0.2

.github/workflows/release.yml

@@ -1,31 +1,42 @@
 name: Release
 on:
   workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release version'
+        required: true
+      version-fragment:
+        description: 'Version fragment to increase for next development cycle'
+        required: false
+        default: 'minor'
 
 env:
   BOT_USER_NAME: eclipse-cbi-bot
   BOT_EMAIL: [email protected]
-  JAVA_VERSION: '17'
+  JAVA_VERSION: 17
   JAVA_DISTRO: 'temurin'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions:  # added using https://github.com/step-security/secure-repo
-  contents: read
+  cancel-in-progress: false
 
 jobs:
-  build:
-    runs-on: ubuntu-latest
-    # don't run this workflow in forks
-    if: github.repository == 'eclipse-cbi/macos-notarization-service'
+  precheck:
+    runs-on: ubuntu-22.04
     permissions:
       contents: write
+    if: github.repository == 'netomi/macos-notarization-service'
     outputs:
-      tag: ${{ steps.retrieve-tag.outputs.tag }}
-      hash: ${{ steps.hash.outputs.hash }}
+      release-version: ${{ steps.prepare-release.outputs.RELEASE_VERSION }}
     steps:
+      - name: Check ref
+        shell: bash
+        run: |
+          if [ "${{ github.ref }}" != "refs/heads/main" ]; then
+            echo "Release shall only be made from 'main' branch, triggered branch '${{ github.ref_name }}', aborting."
+            exit 1
+          fi
+
       - name: Setup Git User
         run: |
           git config --global user.name '${{ env.BOT_USER_NAME }}'
@@ -34,6 +45,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.ref }}
+          fetch-depth: 0
 
       - name: Setup Java
         uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
@@ -42,70 +54,77 @@ jobs:
           distribution: ${{ env.JAVA_DISTRO }}
           cache: maven
 
-      - name: Build Release
-        run: |
-          ./mvnw -ntp -B -Prelease release:clean release:prepare -Dmaven.test.skip=true
-          ./mvnw -ntp -B -Pdist -Prelease -Psbom release:perform -Darguments="-Dmaven.deploy.skip=true" -Dgoals=package
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - id: retrieve-tag
+      - name: Prepare release
+        id: prepare-release
+        shell: bash
         run: |
-          echo "tag=$(git describe --tags --abbrev=0)" >> "$GITHUB_OUTPUT"
-
-      - if: cancelled() || failure()
-        run: ./mvnw -B -Prelease release:rollback
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-        # Generate hashes used for provenance.
-      - name: generate hash
-        id: hash
-        run: cd target/checkout/target/distributions && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
-
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          path: target/checkout/target/distributions
+          PROJECT_VERSION="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)"
+          RELEASE_VERSION="${{ github.event.inputs.version }}"
 
+          echo "PROJECT_VERSION=$(echo $PROJECT_VERSION)" >> $GITHUB_OUTPUT
+          echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_OUTPUT
+          
+          echo "Project version: $PROJECT_VERSION"
+          echo "Release version: $RELEASE_VERSION"
+          
+          if git show-ref --tags --verify --quiet "refs/tags/v${RELEASE_VERSION}"; then
+            echo "Release Tag 'v${RELEASE_VERSION}' already exists, aborting."
+            exit 1
+          fi
+  
+          if [ "$PROJECT_VERSION" != "$RELEASE_VERSION" ]; then
+            ./mvnw -B versions:set versions:commit -DnewVersion=$RELEASE_VERSION
+            git commit -a -m "Releasing version $RELEASE_VERSION"
+            git push origin ${{ github.ref }}
+          fi
 
-  update_release_draft:
-    needs: ['build']
+  release:
+    needs: ['precheck']
     permissions:
       contents: write
-      pull-requests: read
-    runs-on: ubuntu-latest
-    steps:
-      # Update the release notes for the released version
-      - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.25.0
-        with:
-          tag: ${{ needs.build.outputs.tag }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  provenance:
-    needs: ['build']
-    permissions:
       actions: read
+      packages: write
       id-token: write
-      contents: write
-    # Can't pin with hash due to how this workflow works.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    uses: jreleaser/release-action/.github/workflows/builder_slsa3.yml@java
     with:
-      base64-subjects: ${{ needs.build.outputs.hash }}
+      project-version: ${{ needs.precheck.outputs.release-version }}
+      branch: ${{ github.ref_name }}
+      jreleaser-version: '1.9.0'
+      java-version: 17
+      java-distribution: 'temurin'
+      rekor-log-public: true
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
 
-  upload-artifacts:
-    # Upload the distribution and provenance to a GitHub release. They remain
-    # available as build artifacts for a while as well.
-    needs: ['build', 'provenance', 'update_release_draft']
-    runs-on: ubuntu-latest
+  prepare-for-next-development-cycle:
+    runs-on: ubuntu-22.04
+    needs: ['precheck', 'release']
     permissions:
       contents: write
     steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
-      - name: upload artifacts to release
-        run: >
-          gh release upload --repo ${{ github.repository }}
-          ${{ needs.build.outputs.tag }}
-          *.intoto.jsonl/* artifact/*
-        env:
-          GH_TOKEN: ${{ github.token }}
+      - name: Setup Git User
+        run: |
+          git config --global user.name '${{ env.BOT_USER_NAME }}'
+          git config --global user.email '${{ env.BOT_EMAIL }}'
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Setup Java
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
+        with:
+          java-version: ${{ env.JAVA_VERSION }}
+          distribution: ${{ env.JAVA_DISTRO }}
+          cache: maven
+
+      - id: increase-semver
+        uses: ./.github/actions/increase-semver
+        with:
+          current-version: ${{ needs.precheck.outputs.release-version }}
+          version-fragment: ${{ github.event.inputs.version-fragment }}
+      - name: Update next development version in POMs
+        run: |
+          ./mvnw -B versions:set versions:commit -DnewVersion=${{ steps.increase-semver.outputs.next-version }}-SNAPSHOT -DgenerateBackupPoms=false
+          git commit -a -m "Prepare for next development cycle"
+          git push origin ${{ github.ref }}

.gitignore

@@ -3,6 +3,7 @@
 .classpath
 .settings/
 bin/
+out/
 
 # IntelliJ
 .idea

pom.xml

@@ -7,7 +7,7 @@
 	<properties>
 		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<project.build.outputTimestamp>1698421459</project.build.outputTimestamp>
+		<project.build.outputTimestamp>1702162494</project.build.outputTimestamp>
 		<maven.compiler.source>17</maven.compiler.source>
 		<maven.compiler.target>17</maven.compiler.target>
 		<maven.compiler.parameters>true</maven.compiler.parameters>