Publish versions from CI

.github/workflows/publishing/github_actions.key.asc

@@ -0,0 +1,28 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lFgEY+C3ohYJKwYBBAHaRw8BAQdAKZmbRikx7CVF9UxMOEp6vfq8e08nZ2uMVqgH
+SWwibvgAAQDlRfjq3R4woy8weO5Rewbf2n3kb+1OcsuFEBs7gav3bhDvtDREYXZp
+ZCBIb2VwZWxtYW4gKEZsZXhwb3J0KSA8ZGhvZXBlbG1hbkBmbGV4cG9ydC5jb20+
+iJkEExYKAEEWIQSZ8nlCkNOjoFcU9jznhAB1SHvxVQUCY+C3ogIbAwUJA8JnAAUL
+CQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRDnhAB1SHvxVZcIAQD4/In1LgXk
+/BPRqs2p0cx3TbXpQcOHVGzaofZ3zw8spQEA/5yjtdagPtmKzaKy3FEr6fSz0yLX
+YQ8JiGoFz+MzagacXQRj4LeiEgorBgEEAZdVAQUBAQdAKoSj0wPcJR2CLchXCkVE
+3FRCykgj/mxPvsX+fTs5g0gDAQgHAAD/fe5YpQDZmGlnUvF6CkX/lLZsYIjn7dVI
+XrOmsAWjQegSeoh+BBgWCgAmFiEEmfJ5QpDTo6BXFPY854QAdUh78VUFAmPgt6IC
+GwwFCQPCZwAACgkQ54QAdUh78VWFSwEA+hD3YFExJJBecZa7lnNeW+vCjt/G1I7Y
+keR6+Vd0T3EA/2b3FBBSv9Nc35Oc/XriAM/1u0V52jn6Vrl6m9JclYUOlIYEZgr/
+3BYJKwYBBAHaRw8BAQdAxQa9OZ57L+TOnRN7St4Sw+orKh7PJrJ5mkbmulSG85n+
+BwMCeKQCkxQjFZP7WZGErXrNBMgUDiOz5cnLYN3yK+5HAtRMHmWcIK8/nzxQezFA
+p+m2xIB9SfxAPSJXYe/6YoBdrScjXH0RDtD3F/9sWemCwbRES29uZm9ybSBDSSAo
+UEdQIGtleSBmb3IgYXV0b21hdGljYWxseSBzaWduaW5nIG9uIENJKSA8Y2lAa29u
+Zm9ybS5pbz6IkwQTFgoAOxYhBEHinW0N/MGpHydyXufxhdeNbfLzBQJmCv/cAhsD
+BQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEOfxhdeNbfLzr9sA/A8nh5nJ
+CO+4wLsw7JNo1UkyAwHJQX9lnZhAj/d0GXz/AQCU5jIFNsTbUD5SNhzaHvENIMp1
+VJOvtaQHG585PlxHBpyLBGYK/9wSCisGAQQBl1UBBQEBB0BdCO1FBIYdVz4ljBD3
+EOxFyXqu9sW68+onlNbYIqF3KQMBCAf+BwMCIziSicQnvKb741zcF/+2vtG5V2jX
+5QwpLgmVi9ZZ1KYJZvoR5FGkDTF7MhlI18OTOT+hEX+1Y3rMr7oVBhjxyt/PWjki
+1vJP2YHIeN+Cqoh4BBgWCgAgFiEEQeKdbQ38wakfJ3Je5/GF141t8vMFAmYK/9wC
+GwwACgkQ5/GF141t8vN4IAEA5BAd6HmU+q870eGQUcVwFM9jJbXxfeQWbLEcdjCt
+9ToA/3DjLlJbBn85vgmJqQvgm3PWybfTahf5C7l36W4YeDkP
+=fJzZ
+-----END PGP PRIVATE KEY BLOCK-----

.github/workflows/publishing/github_actions.pub.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZgr/3BYJKwYBBAHaRw8BAQdAxQa9OZ57L+TOnRN7St4Sw+orKh7PJrJ5mkbm
+ulSG85m0REtvbmZvcm0gQ0kgKFBHUCBrZXkgZm9yIGF1dG9tYXRpY2FsbHkgc2ln
+bmluZyBvbiBDSSkgPGNpQGtvbmZvcm0uaW8+iJMEExYKADsWIQRB4p1tDfzBqR8n
+cl7n8YXXjW3y8wUCZgr/3AIbAwULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAK
+CRDn8YXXjW3y86/bAPwPJ4eZyQjvuMC7MOyTaNVJMgMByUF/ZZ2YQI/3dBl8/wEA
+lOYyBTbE21A+UjYc2h7xDSDKdVSTr7WkBxufOT5cRwa4OARmCv/cEgorBgEEAZdV
+AQUBAQdAXQjtRQSGHVc+JYwQ9xDsRcl6rvbFuvPqJ5TW2CKhdykDAQgHiHgEGBYK
+ACAWIQRB4p1tDfzBqR8ncl7n8YXXjW3y8wUCZgr/3AIbDAAKCRDn8YXXjW3y83gg
+AQDkEB3oeZT6rzvR4ZBRxXAUz2MltfF95BZssRx2MK31OgD/cOMuUlsGfzm+CYmp
+C+Cbc9bJt9NqF/kLuXfpbhh4OQ8=
+=tJG3
+-----END PGP PUBLIC KEY BLOCK-----

.github/workflows/release.yml

@@ -0,0 +1,88 @@
+name: Test & Release
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+permissions:
+  contents: read
+  issues: write
+jobs:
+  test:
+    uses: ./.github/workflows/test.yml
+  release:
+    name: release
+    # First run the normal tests
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 8
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v3
+        with:
+          gradle-version: 8.7
+      - name: Get Version
+        id: get-version
+        shell: bash
+        run: |
+          if [[ $GITHUB_REF =~ refs/tags/v(.+) ]]; then
+            echo "Version is determined by git tag."
+            VERSION=${BASH_REMATCH[1]}
+            IS_SNAPSHOT="false"
+          else
+            echo "Version is determined by Gradle properties."
+            VERSION=$(./gradlew properties --console=plain -q | grep "^version:" | awk '{print $2}')
+
+            if [[ $VERSION != *"SNAPSHOT"* ]]; then
+              echo "Error: Non-tagged versions must be SNAPSHOT versions."
+              echo "::error file=build.gradle.kts,line=4::Must be SNAPSHOT version"
+              exit 1
+            fi
+            IS_SNAPSHOT="true"
+          fi
+          echo "Version: $VERSION"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Is snapshot: $IS_SNAPSHOT"
+          echo "is_snapshot=$IS_SNAPSHOT" >> $GITHUB_OUTPUT
+      - name: Publish version '${{ steps.get-version.outputs.version }}' to sonatype & close staging repo
+        env:
+          CI_VERSION: ${{ steps.get-version.outputs.version }}
+          IS_SNAPSHOT: ${{ steps.get-version.outputs.is_snapshot }}
+          PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
+          MAVEN_CENTRAL_TOKEN_USER: ${{ secrets.MAVEN_CENTRAL_TOKEN_USER }}
+          MAVEN_CENTRAL_TOKEN_PW: ${{ secrets.MAVEN_CENTRAL_TOKEN_PW }}
+        run: |
+          echo "Publishing version '$CI_VERSION' to sonatype."
+          if [[ $IS_SNAPSHOT == "true" ]]; then
+            ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository --info
+          else
+            ./gradlew publishToSonatype closeSonatypeStagingRepository --info
+          fi
+
+
+      - uses: trstringer/manual-approval@v1
+        name: "Wait for approval to publish version '${{ steps.get-version.outputs.version }}'"
+        if: ${{ steps.get-version.outputs.is_snapshot == 'false' }}
+        with:
+          secret: ${{ github.TOKEN }}
+          approvers: dhoepelman,nlochschmidt
+          minimum-approvals: 1
+          issue-title: "Release version '${{ steps.get-version.outputs.version }}'"
+          issue-body: "Please approve or deny the release of version '${{ steps.get-version.outputs.version }}'."
+          # Default included: "approve", "approved", "lgtm", "yes"
+          additional-approved-words: ''
+          # Default included: "deny", "denied", "no"
+          additional-denied-words: ''
+
+      - name: "Release version '${{ steps.get-version.outputs.version }}'"
+        if: ${{ steps.get-version.outputs.is_snapshot == 'false' }}
+        env:
+          CI_VERSION: ${{ steps.get-version.outputs.version }}
+          MAVEN_CENTRAL_TOKEN_USER: ${{ secrets.MAVEN_CENTRAL_TOKEN_USER }}
+          MAVEN_CENTRAL_TOKEN_PW: ${{ secrets.MAVEN_CENTRAL_TOKEN_PW }}
+        run: ./gradlew findSonatypeStagingRepository releaseSonatypeStagingRepository --info

.github/workflows/gradle.yml → .github/workflows/test.yml

@@ -1,10 +1,9 @@
 name: Test
 
 on:
-  push:
-    branches: [main]
   pull_request:
     branches: [main]
+  workflow_call:
 
 permissions:
   contents: read

.gitignore

@@ -29,3 +29,6 @@ local.properties
 
 # Javascript
 node_modules/
+
+# Secrets
+*.secret

PUBLISHING.md

@@ -0,0 +1,3 @@
+Publishing is done automatically from CI using [release.yml](.github/workflows/release.yml)
+if a new git tag matching "v*" pattern is made.
+The version is retrieved from the git tag.

README.md

@@ -1,4 +1,4 @@
-[![Test](https://github.com/konform-kt/konform/actions/workflows/gradle.yml/badge.svg?branch=main)](https://github.com/konform-kt/konform/actions/workflows/gradle.yml)
+[![Test](https://github.com/konform-kt/konform/actions/workflows/test.yml/badge.svg?branch=main)](https://github.com/konform-kt/konform/actions/workflows/gradle.yml)
 [![Maven Central](https://maven-badges.herokuapp.com/maven-central/io.konform/konform/badge.svg)](https://maven-badges.herokuapp.com/maven-central/io.konform/konform)
 
 # Portable validations for Kotlin
@@ -203,7 +203,8 @@ val validateEvent = Validation<Event> {
 }
 ```
 
-Errors in the `ValidationResult` can also be accessed using the index access method. In case of `Iterables` and `Arrays` you use the numerical index and in case of `Maps` you use the key as string.
+Errors in the `ValidationResult` can also be accessed using the index access method. In case of `Iterables` and `Arrays` you use the
+numerical index and in case of `Maps` you use the key as string.
 
 ```Kotlin
 // get the error messages for the first attendees age if any
@@ -220,7 +221,9 @@ result[Event::ticketPrices, "free"]
 
 ### Integration with testing libraries
 
-- [Kotest](https://kotest.io) provides various matchers for use with Konform. They can be used in your tests to assert that a given object is validated successfully or fails validation with specific error messages. See [documentation](https://kotest.io/docs/assertions/konform-matchers.html).
+- [Kotest](https://kotest.io) provides various matchers for use with Konform. They can be used in your tests to assert that a given object
+  is validated successfully or fails validation with specific error messages.
+  See [documentation](https://kotest.io/docs/assertions/konform-matchers.html).
 
 ##### Author
 

build.gradle.kts

@@ -1,3 +1,4 @@
+import org.jetbrains.kotlin.cli.common.toBooleanLenient
 import org.jetbrains.kotlin.config.JvmTarget
 
 val projectVersion = "0.5.0-SNAPSHOT"
@@ -17,6 +18,9 @@ val kotlinApiTarget = "1.7"
 val jvmTarget = JvmTarget.JVM_1_8
 val javaVersion = 8
 
+/** The "CI" env var is a quasi-standard way to indicate that we're running on CI. */
+val onCI: Boolean = System.getenv("CI")?.toBooleanLenient() ?: false
+
 plugins {
     kotlin("multiplatform") version "1.9.23"
     id("maven-publish")
@@ -31,7 +35,7 @@ repositories {
 }
 
 group = projectGroup
-version = projectVersion
+version = System.getenv("CI_VERSION") ?: projectVersion
 
 kotlin {
     // Since we are a library, prevent accidentally making things part of the public API
@@ -141,13 +145,23 @@ publishing {
 }
 
 signing {
-    useGpgCmd()
+    if (onCI) {
+        val encryptedSigningKey = layout.projectDirectory.file(".github/workflows/publishing/github_actions.key.asc").asFile.readText()
+        useInMemoryPgpKeys(encryptedSigningKey, System.getenv("PGP_PASSPHRASE"))
+    } else {
+        useGpgCmd()
+    }
     sign(publishing.publications)
 }
 
 nexusPublishing {
     repositories {
-        sonatype()
+        sonatype {
+            // Fallback to empty for local and CI builds with no access to the secrets
+            // They should not need to publish anyway
+            username.set(System.getenv("MAVEN_CENTRAL_TOKEN_USER") ?: "")
+            password.set(System.getenv("MAVEN_CENTRAL_TOKEN_PW") ?: "")
+        }
     }
 }