This project containers reusable GitHub Actions Workflows to build Spring projects with Gradle or Maven. The workflows are designed for specific tasks and can be reused individually or in combinations in the target projects.
To use these workflows in your project a set of organization secrets must be granted to the repository:
GH_ACTIONS_REPO_TOKEN
DEVELOCITY_ACCESS_KEY
JF_ARTIFACTORY_SPRING
ARTIFACTORY_USERNAME
ARTIFACTORY_PASSWORD
SPRING_RELEASE_CHAT_WEBHOOK_URL
OSSRH_S01_TOKEN_USERNAME
OSSRH_S01_TOKEN_PASSWORD
OSSRH_STAGING_PROFILE_NAME
GPG_PASSPHRASE
GPG_PRIVATE_KEY
The Develocity secret is optional: not used by Maven and Gradle project might not be enrolled for the service.
The SPRING_RELEASE_CHAT_WEBHOOK_URL secret is also optional: probably you don't want to notify Google Space about your release, or it is not available for GitHub organization.
As well as OSSRH_* secret, since not all releases might go to Maven Central, e.g. private (commercial) repositories only.
The mentioned secrets must be passed explicitly since these reusable workflows might be in different GitHub org than target project.
The SNAPSHOT and Release workflows uses JFrog Artifactory plugin to publish artifacts into Artifactory.
The spring-gradle-pull-request-build.yml and spring-maven-pull-request-build.yml are straight forward, single job reusable workflows.
They perform Gradle check task and Maven verify goal, respectively.
The caller workflow is as simple as follows.
spring-github-workflows/samples/pr-build-gradle.yml
Lines 1 to 10 in 78b2912
spring-github-workflows/samples/pr-build-maven.yml
Lines 1 to 10 in 78b2912
You can add more branches to react for pull request events.
The SNAPSHOT workflows (spring-artifactory-gradle-snapshot.yml and spring-artifactory-maven-snapshot.yml, respectively) are also that simple.
They use JFrog Artifactory plugin to be able to publish artifacts into libs-snapshot-local (by default) repository.
The Gradle workflow can be supplied with Gradle Enterprise secrets.
spring-github-workflows/samples/ci-snapshot-gradle.yml
Lines 1 to 18 in 78b2912
spring-github-workflows/samples/ci-snapshot-maven.yml
Lines 1 to 13 in 78b2912
Both Gradle and Maven SNAPSHOT build workflow requires ARTIFACTORY_USERNAME & ARTIFACTORY_PASSWORD secretes to authorise spring-io/artifactory-deploy-action.
Optionally, all the artifacts can be signed if GPG_PASSPHRASE and GPG_PRIVATE_KEY secrets are provided.
The spring-artifactory-gradle-release.yml (and therefore spring-artifactory-maven-release.yml) workflow is complex enough, has some branching jobs and makes some assumptions and expects particular conditions on your repository:
- The versioning schema must follow these rules: 3-digit-dotted number for
major,minorandpatchparts, snapshot is suffixed with-SNAPSHOT, milestones are with-M{number}and-RC{number}suffix, the GA release is without any suffix. For example:0.0.1-SNAPSHOT,1.0.0-M1,2.1.0-RC2,3.3.3. - GitHub Milestone titles must be exact as the version to release number.
For example:
1.0.0-M1,2.1.0-RC2,3.3.3. - GitHub Milestones must be scheduled: have a
Due ondate set. Otherwise, release workflow will be cancelled with a warning that nothing to release for respective SNAPSHOT in a branch.
The logic of this release workflow:
- Take a SNAPSHOT version from a dispatched branch (Maven
help:evaluate -Dexpression="project.version"and Gradlegradle properties | grep "^version:", respectively). The composite internal extract-release-version action is implemented for this goal - List GitHub milestones matching the candidate version and select the closest one by due on date
- Cancel workflow if no scheduled Milestone
- Call Maven or Gradle (according to the workflow choice for the project in the repository) with the release version extracted from the previous job.
This job stages released artifacts using JFrog Artifactory plugin into
libs-staging-localrepository on Spring Artifactory and commitsNext development versionto the branch we are releasing against - The next job is to verify staged artifacts
- When verification is successful, next job promotes release from staging either to
libs-milestone-localorlibs-release-local(by default) (and optional to Maven Central: ifOSSRH_STAGING_PROFILE_NAMEsecret is provided) according to the releasing version schema - Then spring-finalize-release.yml job is executed, which generates release notes using Spring Changelog Generator excluding repository admins from
Contributorssection. Thegh release createcommand is performed on a tag for just released version. And in the end the milestone is closed and specific Google Space is notified about release (ifSPRING_RELEASE_CHAT_WEBHOOK_URLsecret is present in the repository).
spring-github-workflows/samples/release.yml
Lines 1 to 25 in 78b2912
Such a workflow must be on every branch which is supposed to be released via GitHub actions.
The buildToolArgs parameter for this job means extra build tool arguments.
For example, the mentioned dist value is a Gradle task in the project.
Can be any Maven goal or other command line arguments.
The signing released artifacts is done by the spring-io/artifactory-deploy-action if GPG_PASSPHRASE and GPG_PRIVATE_KEY secrets are provided.
In the end all the artifacts, together with their signatures, are uploaded to the Artifactory according to the respective workflow inputs.
In the end you just need to go to the Actions tab on your project, press Run workflow on your release workflow and choose a branch from drop-down list to release currently scheduled Milestone against.
Such a release workflow can also be scheduled (cron, fo example) against branches matrix.
spring-github-workflows/samples/schedule-releases.yml
Lines 1 to 19 in 78b2912
Warning The spring-artifactory-gradle-release.yml (and spring-artifactory-maven-release.yml) already uses 3 of 4 levels of nested reusable workflows. Where the caller workflow is the last one. Therefore don't try to reuse your caller workflow.
The verify-staged job expects an optional verifyStagedWorkflow input (the verify-staged-artifacts.yml, by default) workflow supplied from the target project.
For example, Spring Integration for AWS uses jfrog rt download command to verify that released spring-integration-aws-${{ inputs.releaseVersion }}.jar is valid.
Other projects may check out their samples repository and setup release version to perform smoke tests against just staged artifacts.
spring-github-workflows/samples/verify-staged-artifacts.yml
Lines 1 to 28 in 78b2912
The spring-backport-issue.yml uses Spring Backport Bot to create a back-port issue according to the event configured in a caller workflow. See its documentation for labeling convention and respective GitHub events for calling this workflow.
spring-github-workflows/samples/backport-issue.yml
Lines 1 to 16 in 78b2912
If Dependabot is enabled for repository, its config should set a label compatible with Spring Changelog Generator.
Typically, it is type: dependency-upgrade.
It is also a good practice to group all the development dependencies into a single pull request from Dependabot.
This includes all the Gradle and Maven plugins and those dependencies which are used only for testing in the project.
This projects provides a spring-merge-dependabot-pr.yml reusable workflow to make modifications to the Dependabot pull requests.
However, there are some prerequisites to use this workflow in your project:
- Pull requests must be protected by some check to pass, usually a workflow to build the project with this pull request changes;
- The auto-merge must be enabled in the repository (if
--autois used);
The spring-merge-dependabot-pr workflow does these modifications to the Dependabot pull requests:
- Modify label from
dependency-upgradeto thetaskfor the development dependencies group update to skip them from release notes by Spring Changelog Generator; - Adds a currently scheduled milestone to the pull request against a snapshot version extracted from the target branch;
- And if milestone is scheduled, the pull request is queued for auto-merging after required checks have passed;
- If
autoMergeSnapshotsinput is set totrue, the upgrade from Milestone/Release Candidate dependency to its SNAPSHOT is going to be merged automatically without assigning a milestone to the PR.
The mergeArguments input of this workflow is applied to the gh pr merge command.
spring-github-workflows/samples/merge-dependabot-pr.yml
Lines 1 to 14 in 710bf12
The spring-cherry-pick.yml workflow offers a logic to cherry-pick pushed commit to branches suggested by the specific sentence in commit message.
For example Auto-cherry-pick to 6.2.x & 6.1.x.
The Auto-cherry-pick token is a default value for the autoCherryPickToken input of this workflow.
The branches to cherry-pick to are extracted from the matching sentence.
The "Auto-cherry-pick" sentence is remove from the target commit message.
The -x option of git cherry-pick command adds a link back to the original commit.
The spring-announce-milestone-planning.yml workflow offers an automatic chat message publishing when due_on on the repository milestone is changed.
The callers workflow must be configured like this:
name: Announce Milestone Planning in Chat
on:
milestone:
types: [ created, edited ]
jobs:
announce-milestone-planning:
uses: spring-io/spring-github-workflows/.github/workflows/spring-announce-milestone-planning.yml@main
secrets:
SPRING_RELEASE_CHAT_WEBHOOK_URL: ${{ secrets.SPRING_RELEASE_GCHAT_WEBHOOK_URL }}The workflow reacts to non-empty due_on property of the event's milestone payload and check if this property really was changed on milestone edit.
The spring-dispatch-workflow-and-wait action implements the logic to call gh workflow run for the provided workflow file and wait until it is complete, successful or not.
This action is used in the verify-staged job of the release workflow.
The [deployment-repository-init.gradle](utils/deployment-repository-init.gradle) script adds a Maven repository for publishing artifacts into a local directory (/deployment-repository) via respective publishAllPublicationsToDeploymentRepository Gradle task.
Then spring-io/artifactory-deploy-action picks up those artifacts for uploading to the Artifactory.
The Maven build does that via deploy goal and respective -DaltDeploymentRepository=local::file:deployment-repository CLI option.
See more information in the Reusing Workflows.