Prepare release #56
Workflow file for this run
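# Manually dispatched release pipeline: creates a draft GitHub release,
# optionally publishes signed Java artifacts, optionally builds the native
# test server on each OS, and attaches the resulting archives to the draft.
#
# NOTE(review): every `uses:` below references a mutable tag (v3/v4) and the
# Linux build uses a mutable container tag. Jobs here handle signing keys and
# publishing credentials, so consider pinning actions to a full commit SHA
# and the image to a digest (`@sha256:<digest>`).
name: Prepare release

defaults:
  run:
    # -e/-u/pipefail make every script fail fast; nullglob makes an unmatched
    # glob expand to nothing instead of the literal pattern.
    shell: bash -euo pipefail -O nullglob {0}

on:
  workflow_dispatch:
    inputs:
      tag:
        type: string
        description: "Release version tag (e.g. v1.2.3)"
        required: true
      ref:
        type: string
        description: "Git ref from which to release"
        required: true
        default: "master"
      do_build_native_images:
        type: boolean
        description: "Native Test Server"
        required: true
        default: "true"
      do_publish_jars:
        type: boolean
        description: "Publish Java Artifacts"
        required: true
        default: "true"

# Least privilege: the GITHUB_TOKEN is read-only unless a job asks for more.
permissions:
  contents: read

# Dispatch inputs reach scripts only through these env vars and are always
# referenced as quoted shell variables, so their text is never spliced into
# the script source.
env:
  INPUT_REF: ${{ github.event.inputs.ref }}
  INPUT_TAG: ${{ github.event.inputs.tag }}

jobs:
  create_draft_release:
    name: Create Github draft release
    runs-on: ubuntu-latest
    # Creating a release needs write access to repository contents.
    permissions:
      contents: write
    steps:
      - name: Audit gh version
        run: gh --version
      # The result is written to $GITHUB_OUTPUT rather than emitted as a
      # `::set-output` workflow command: `gh release view` prints release
      # text to stdout, and stdout is where workflow commands are parsed.
      # NOTE(review): any gh failure (not only "release not found") is
      # reported as already_exists=false.
      - name: Check for existing release
        id: check_release
        run: |
          if gh release view --repo "$GITHUB_REPOSITORY" "$INPUT_TAG"; then
            already_exists=true
          else
            already_exists=false
          fi
          echo "already_exists=$already_exists" | tee -a "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Checkout repo
        if: steps.check_release.outputs.already_exists == 'false'
        uses: actions/checkout@v4
        with:
          ref: ${{ env.INPUT_REF }}
      # The release is keyed by INPUT_TAG (the same name the check above and
      # the later upload look up); INPUT_REF is only the commit it targets.
      - name: Create release
        if: steps.check_release.outputs.already_exists == 'false'
        run: >
          gh release create
          "$INPUT_TAG"
          --draft
          --repo "$GITHUB_REPOSITORY"
          --title "$INPUT_TAG"
          --target "$INPUT_REF"
          --notes-file releases/"$INPUT_TAG"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  publish_java_artifacts:
    name: Publish Java Artifacts
    if: github.event.inputs.do_publish_jars == 'true'
    runs-on: ubuntu-latest
    needs: create_draft_release
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          ref: ${{ env.INPUT_REF }}
      # Our custom gradle version sniffing builds the maven release artifact
      # names out of the git tag ... but the repo isn't tagged (yet) so add a
      # tag to the _local_ clone just to get the right jar names. This tag
      # does not get pushed back to the origin. Once the artifacts have been
      # inspected and verified, the manual act of publishing the draft GH
      # release creates the tag.
      - name: Temporary tag
        run: git tag "$INPUT_TAG"
      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          java-version: "11"
          distribution: "temurin"
      - name: Set up Gradle
        uses: gradle/actions/setup-gradle@v3
      # umask 077 so the decoded key ring is created readable by the runner
      # user only.
      - name: Set up signing key
        run: |
          umask 077
          mkdir -p "$HOME/.gnupg"
          printf '%s' "$KEY" | base64 -d > "$HOME/.gnupg/secring.gpg"
        env:
          KEY: ${{ secrets.JAR_SIGNING_KEY }}
      # Prefer env variables here rather than inline ${{ secrets.FOO }} to
      # decrease the likelihood that secrets end up printed to stdout.
      #
      # The heredoc is expanded once, by bash. Piping it through envsubst as
      # well would expand it a second time and corrupt any secret value that
      # itself contains a `$name` sequence.
      - name: Set up secret gradle properties
        run: |
          umask 077
          mkdir -p "$HOME/.gradle"
          cat >"$HOME/.gradle/gradle.properties" <<EOF
          signing.keyId = $KEY_ID
          signing.password = $KEY_PASSWORD
          signing.secretKeyRingFile = $HOME/.gnupg/secring.gpg
          ossrhUsername = $RH_USER
          ossrhPassword = $RH_PASSWORD
          EOF
        env:
          KEY_PASSWORD: ${{ secrets.JAR_SIGNING_KEY_PASSWORD }}
          KEY_ID: ${{ secrets.JAR_SIGNING_KEY_ID }}
          RH_USER: ${{ secrets.RH_USER }}
          RH_PASSWORD: ${{ secrets.RH_PASSWORD }}
      - name: Publish
        run: ./gradlew publishToSonatype

  build_native_images:
    name: Build native test server
    needs: create_draft_release
    if: github.event.inputs.do_build_native_images == 'true'
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-latest
            os_family: linux
            arch: amd64
          - runner: macos-13
            os_family: macOS
            arch: amd64
          - runner: windows-2019
            os_family: windows
            arch: amd64
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          ref: ${{ env.INPUT_REF }}
      # See comment on temporary tag above. tldr: this is a local tag; never
      # gets pushed
      - name: Temporary tag
        run: git tag "$INPUT_TAG"
      # Expression string comparison ignores case, so the literal is spelled
      # the same way as the matrix value to avoid any doubt.
      - name: Build native test server (non-Docker)
        if: matrix.os_family != 'linux'
        run: |
          ./gradlew -x :temporal-serviceclient:updateSubmodules :temporal-test-server:build
      - name: Build native test server (Docker)
        if: matrix.os_family == 'linux'
        uses: docker://openjdk:21-jdk-oraclelinux7
        with:
          args: |
            sh -c 'yum install -y git && ./gradlew -x :temporal-serviceclient:updateSubmodules :temporal-test-server:build'
      # path ends in a wildcard because on windows the file ends in '.exe'
      # path excludes *.txt because native-image also writes a build manifest txt file
      - name: Upload executable to workflow
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.os_family }}_${{ matrix.arch }}
          path: |
            temporal-test-server/build/graal/temporal-test-server*
            !temporal-test-server/build/graal/*.txt
          if-no-files-found: error
          retention-days: 1

  attach_to_release:
    name: Attach native executables to release
    needs: build_native_images
    runs-on: ubuntu-latest
    # Uploading release assets needs write access to repository contents.
    permissions:
      contents: write
    steps:
      - name: Audit gh version
        run: gh --version
      # when no artifact is specified, all artifacts are downloaded and expanded into CWD
      - name: Fetch executables
        uses: actions/download-artifact@v4
      # example: linux_amd64/ -> temporal-test-server_1.2.3_linux_amd64
      # the name of the directory created becomes the basename of the archive (*.tar.gz or *.zip) and
      # the root directory of the contents of the archive.
      - name: Rename dirs
        run: |
          version="$(sed 's/^v//'<<<"$INPUT_TAG")"
          for dir in *; do mv "$dir" "temporal-test-server_${version}_${dir}"; done
      - name: Tar (linux, macOS)
        run: for dir in *{linux,macOS}*; do tar cvzf "${dir}.tar.gz" "$dir"; done
      - name: Zip (windows)
        run: for dir in *windows*; do zip -r "${dir}.zip" "$dir"; done
      - name: Upload release archives
        uses: actions/upload-artifact@v4
        with:
          name: release-archives
          path: |
            *.zip
            *.tar.gz
          if-no-files-found: error
          retention-days: 1
      # Retries until the upload succeeds; timeout-minutes bounds the loop.
      # --clobber replaces assets of the same name left by an earlier attempt.
      - name: Upload
        run: |
          until gh release upload --clobber --repo "$GITHUB_REPOSITORY" "$INPUT_TAG" *.zip *.tar.gz; do
            echo "Failed to upload release artifacts. Will retry in 20s"
            sleep 20
          done
        timeout-minutes: 10
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}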