Skip to content

Prepare release

Prepare release #56

Workflow file for this run

name: Prepare release
defaults:
run:
shell: bash -euo pipefail -O nullglob {0}
on:
workflow_dispatch:
inputs:
tag:
type: string
description: "Release version tag (e.g. v1.2.3)"
required: true
ref:
type: string
description: "Git ref from which to release"
required: true
default: "master"
do_build_native_images:
type: boolean
description: "Native Test Server"
required: true
default: "true"
do_publish_jars:
type: boolean
description: "Publish Java Artifacts"
required: true
default: "true"
env:
INPUT_REF: ${{ github.event.inputs.ref }}
INPUT_TAG: ${{ github.event.inputs.tag }}
jobs:
create_draft_release:
name: Create Github draft release
runs-on: ubuntu-latest
steps:
- name: Audit gh version
run: gh --version
- name: Check for existing release
id: check_release
run: |
echo "::echo::on"
gh release view --repo "$GITHUB_REPOSITORY" "$INPUT_TAG" \
&& echo "::set-output name=already_exists::true" \
|| echo "::set-output name=already_exists::false"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout repo
if: steps.check_release.outputs.already_exists == 'false'
uses: actions/checkout@v4
with:
ref: ${{ env.INPUT_REF }}
- name: Create release
if: steps.check_release.outputs.already_exists == 'false'
run: >
gh release create
"$INPUT_REF"
--draft
--repo "$GITHUB_REPOSITORY"
--title "$INPUT_TAG"
--target "$INPUT_REF"
--notes-file releases/"$INPUT_TAG"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish_java_artifacts:
name: Publish Java Artifacts
if: github.event.inputs.do_publish_jars == 'true'
runs-on: ubuntu-latest
needs: create_draft_release
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
ref: ${{ env.INPUT_REF }}
# Our custom gradle version sniffing builds the maven release artifact
# names out of the git tag ... but the repo isn't tagged (yet) so add a
# tag to the _local_ clone just to get the right jar names. This tag
# does not get pushed back to the origin. Once the artifacts have been
# inspected and verified, the manual act of publishing the draft GH
# release creates the tag.
- name: Temporary tag
run: git tag "$INPUT_TAG"
- name: Set up Java
uses: actions/setup-java@v4
with:
java-version: "11"
distribution: "temurin"
- name: Set up Gradle
uses: gradle/actions/setup-gradle@v3
- name: Set up signing key
run: mkdir -p "$HOME/.gnupg" && echo -n "$KEY" | base64 -d > "$HOME/.gnupg/secring.gpg"
env:
KEY: ${{ secrets.JAR_SIGNING_KEY }}
# Prefer env variables here rather than inline ${{ secrets.FOO }} to
# decrease the likelihood that secrets end up printed to stdout.
- name: Set up secret gradle properties
run: |
mkdir -p "$HOME/.gradle"
envsubst >"$HOME/.gradle/gradle.properties" <<EOF
signing.keyId = $KEY_ID
signing.password = $KEY_PASSWORD
signing.secretKeyRingFile = $HOME/.gnupg/secring.gpg
ossrhUsername = $RH_USER
ossrhPassword = $RH_PASSWORD
EOF
env:
KEY_PASSWORD: ${{ secrets.JAR_SIGNING_KEY_PASSWORD }}
KEY_ID: ${{ secrets.JAR_SIGNING_KEY_ID }}
RH_USER: ${{ secrets.RH_USER }}
RH_PASSWORD: ${{ secrets.RH_PASSWORD }}
- name: Publish
run: ./gradlew publishToSonatype
build_native_images:
name: Build native test server
needs: create_draft_release
if: github.event.inputs.do_build_native_images == 'true'
strategy:
fail-fast: false
matrix:
include:
- runner: ubuntu-latest
os_family: linux
arch: amd64
- runner: macos-13
os_family: macOS
arch: amd64
- runner: windows-2019
os_family: windows
arch: amd64
runs-on: ${{ matrix.runner }}
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
ref: ${{ env.INPUT_REF }}
# See comment on temporary tag above. tldr: this is a local tag; never
# gets pushed
- name: Temporary tag
run: git tag "$INPUT_TAG"
- name: Build native test server (non-Docker)
if: matrix.os_family != 'Linux'
run: |
./gradlew -x :temporal-serviceclient:updateSubmodules :temporal-test-server:build
- name: Build native test server (Docker)
if: matrix.os_family == 'Linux'
uses: docker://openjdk:21-jdk-oraclelinux7
with:
args: |
sh -c 'yum install -y git && ./gradlew -x :temporal-serviceclient:updateSubmodules :temporal-test-server:build'
# path ends in a wildcard because on windows the file ends in '.exe'
# path excludes *.txt because native-image also writes a build manifest txt file
- name: Upload executable to workflow
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.os_family }}_${{ matrix.arch }}
path: |
temporal-test-server/build/graal/temporal-test-server*
!temporal-test-server/build/graal/*.txt
if-no-files-found: error
retention-days: 1
attach_to_release:
name: Attach native executables to release
needs: build_native_images
runs-on: ubuntu-latest
steps:
- name: Audit gh version
run: gh --version
# when no artifact is specified, all artifacts are downloaded and expanded into CWD
- name: Fetch executables
uses: actions/download-artifact@v4
# example: linux_amd64/ -> temporal-test-server_1.2.3_linux_amd64
# the name of the directory created becomes the basename of the archive (*.tar.gz or *.zip) and
# the root directory of the contents of the archive.
- name: Rename dirs
run: |
version="$(sed 's/^v//'<<<"$INPUT_TAG")"
for dir in *; do mv "$dir" "temporal-test-server_${version}_${dir}"; done
- name: Tar (linux, macOS)
run: for dir in *{linux,macOS}*; do tar cvzf "${dir}.tar.gz" "$dir"; done
- name: Zip (windows)
run: for dir in *windows*; do zip -r "${dir}.zip" "$dir"; done
- name: Upload release archives
uses: actions/upload-artifact@v4
with:
name: release-archives
path: |
*.zip
*.tar.gz
if-no-files-found: error
retention-days: 1
- name: Upload
run: |
until gh release upload --clobber --repo $GITHUB_REPOSITORY "$INPUT_TAG" *.zip *.tar.gz; do
echo "Failed to upload release artifacts. Will retry in 20s"
sleep 20
done
timeout-minutes: 10
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}