|
| 1 | +name: Release backport |
| 2 | +permissions: |
| 3 | + # This is required for requesting the OIDC token |
| 4 | + id-token: write |
| 5 | + |
| 6 | +on: |
| 7 | + push: |
| 8 | + branches: |
| 9 | + # - release-backport-version # TODO: used to test the workflow. Removed this line at some point int time. |
| 10 | + - 6.2.x |
| 11 | + - 7.2.x |
| 12 | + workflow_dispatch: |
| 13 | + |
| 14 | +jobs: |
| 15 | + build: |
| 16 | + runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }} |
| 17 | + outputs: |
| 18 | + java-version: ${{ steps.get-java-version.outputs.java-version }} |
| 19 | + release-version: ${{ steps.get-release-version.outputs.release-version }} |
| 20 | + steps: |
| 21 | + - name: Checkout client |
| 22 | + uses: actions/checkout@v4 |
| 23 | + with: |
| 24 | + repository: citrusleaf/release |
| 25 | + token: ${{ secrets.CLIENT_BOT_PAT }} |
| 26 | + path: release |
| 27 | + fetch-depth: 0 |
| 28 | + ref: legacy-ci-backport |
| 29 | + |
| 30 | + - name: Checkout client |
| 31 | + uses: actions/checkout@v4 |
| 32 | + with: |
| 33 | + path: client-java |
| 34 | + fetch-depth: 0 |
| 35 | + ref: ${{ github.ref_name }} |
| 36 | + |
| 37 | + - name: Get java version |
| 38 | + working-directory: client-java |
| 39 | + id: get-java-version |
| 40 | + run: | |
| 41 | + echo java-version="$(grep '<java.version>' pom.xml | sed -e 's/<[^>]*>//g' | awk '{$1=$1};1' | sed 's/^1\.8$/8/')" >> $GITHUB_OUTPUT |
| 42 | +
|
| 43 | + - name: Setup Java |
| 44 | + uses: actions/setup-java@v4 |
| 45 | + with: |
| 46 | + distribution: ${{ vars.JAVA_PROVIDER }} # See 'Supported distributions' for available options |
| 47 | + java-version: ${{ steps.get-java-version.outputs.java-version }} |
| 48 | + |
| 49 | + - name: Get release or snapshot-version |
| 50 | + id: get-release-version |
| 51 | + working-directory: client-java |
| 52 | + shell: bash |
| 53 | + run: | |
| 54 | + echo release-version="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT |
| 55 | + |
| 56 | + - name: Get clent working directory |
| 57 | + id: get-client-working-directory |
| 58 | + working-directory: client-java |
| 59 | + shell: bash |
| 60 | + run: | |
| 61 | + echo client-working-directory="$(pwd)" >> $GITHUB_OUTPUT |
| 62 | +
|
| 63 | + - name: Import GPG key |
| 64 | + id: import-gpg-key |
| 65 | + env: |
| 66 | + GPG_PRIVATE_KEY: ${{ secrets.GPG_JAVA_CLIENT_PRIVATE_KEY }} |
| 67 | + shell: bash |
| 68 | + run: | |
| 69 | + set -euo pipefail |
| 70 | + mkdir -p ~/.gnupg |
| 71 | + chmod 700 ~/.gnupg |
| 72 | + # Ensure loopback pinentry works on CI |
| 73 | + echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf |
| 74 | + gpgconf --kill gpg-agent |
| 75 | +
|
| 76 | + # Import the ASCII-armored key from the secret |
| 77 | + gpg --batch --yes --import <(printf "%s" "$GPG_PRIVATE_KEY") |
| 78 | +
|
| 79 | + # Grab the key fingerprint (first secret key in the keyring) |
| 80 | + FPR="$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^fpr:/ {print $10; exit}')" |
| 81 | +
|
| 82 | + # Mark it ultimately trusted so non-interactive signing won't complain |
| 83 | + printf "5\ny\n" | gpg --batch --yes --command-fd 0 --edit-key "$FPR" trust quit |
| 84 | +
|
| 85 | + # Expose for later steps |
| 86 | + echo gpg_fpr="$FPR" >> $GITHUB_OUTPUT |
| 87 | +
|
| 88 | + - name: Debug - step |
| 89 | + shell: bash |
| 90 | + run: | |
| 91 | + ls -laR . |
| 92 | +
|
| 93 | + - name: Build artifacts |
| 94 | + working-directory: release/client-java |
| 95 | + env: |
| 96 | + JAVA_CLIENT: ${{ steps.get-client-working-directory.outputs.client-working-directory }} |
| 97 | + AEROKEY: ${{ steps.import-gpg-key.outputs.gpg_fpr }} |
| 98 | + GPG_PASSPHRASE: ${{ secrets.GPG_JAVA_CLIENT_PASS }} |
| 99 | + shell: bash |
| 100 | + run: | |
| 101 | + ./build_all ${{ steps.get-release-version.outputs.release-version }} |
| 102 | +
|
| 103 | + - name: Release all mavent artifacts |
| 104 | + working-directory: release/client-java |
| 105 | + env: |
| 106 | + JAVA_CLIENT: ${{ steps.get-client-working-directory.outputs.client-working-directory }} |
| 107 | + AEROKEY: ${{ steps.import-gpg-key.outputs.gpg_fpr }} |
| 108 | + shell: bash |
| 109 | + run: | |
| 110 | + ./release_maven_all ${{ steps.get-release-version.outputs.release-version }} |
| 111 | +
|
| 112 | + - name: Debug step |
| 113 | + working-directory: release/client-java |
| 114 | + shell: bash |
| 115 | + run: | |
| 116 | + ls -laR . |
| 117 | +
|
| 118 | + - name: Stage artifacts on maven central |
| 119 | + working-directory: release/client-java |
| 120 | + id: stage-release |
| 121 | + shell: bash |
| 122 | + run: | |
| 123 | + TOKEN=$(printf "${{ secrets.AEROSPIKE_SA_CICD_USERNAME }}:${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }}" | base64) |
| 124 | + responses=() |
| 125 | +
|
| 126 | + for f in $(find . -maxdepth 1 -type f -name "*.zip"); do |
| 127 | + echo "curl --request POST --verbose \ |
| 128 | + --header 'Authorization: Bearer ${TOKEN}' \ |
| 129 | + --form bundle=@${f} \ |
| 130 | + ${{ vars.SONATYPE_DOMAIN_NAME }}/api/v1/publisher/upload?publishingType=USER_MANAGED" |
| 131 | +
|
| 132 | + resp=$(curl --request POST --silent \ |
| 133 | + --header "Authorization: Bearer ${TOKEN}" \ |
| 134 | + --form bundle=@${f} \ |
| 135 | + ${{ vars.SONATYPE_DOMAIN_NAME }}/api/v1/publisher/upload?publishingType=USER_MANAGED) >> $GITHUB_OUTPUT |
| 136 | +
|
| 137 | + if echo "$resp" | grep -qi '"error"'; then |
| 138 | + echo "Upload error ${resp} detected in response for $f" >&2 |
| 139 | + exit 1 |
| 140 | + else |
| 141 | + echo "Upload successful for $f. Response: ${resp}" |
| 142 | + fi |
| 143 | + responses+=("$resp") |
| 144 | + done |
| 145 | +
|
| 146 | + echo "All responses: ${responses[@]}" |
| 147 | +
|
| 148 | + json=$(printf '%s\0' "${responses[@]}" | jq -Rsc 'split("\u0000")[:-1]') |
| 149 | + echo "stage-release-ids=${json}" >> $GITHUB_OUTPUT |
| 150 | +
|
| 151 | + # Validation check loop |
| 152 | + - name: Check validation |
| 153 | + working-directory: release/client-java |
| 154 | + shell: bash |
| 155 | + run: | |
| 156 | + TOKEN=$(printf "${{ secrets.AEROSPIKE_SA_CICD_USERNAME }}:${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }}" | base64) |
| 157 | + NUMBER_OF_CHECKS=${{ vars.VALIDATION_MAX_NUMBER_CHECKS }} |
| 158 | + STAGE_IDS='${{ steps.stage-release.outputs.stage-release-ids }}' |
| 159 | +
|
| 160 | + echo "$payload" | jq -r '.[]' | while read -r id; do |
| 161 | + for ((i = 1; i <= NUMBER_OF_CHECKS; i++)); do |
| 162 | + RESPONSE=$(curl --request POST --silent --header "Authorization: Bearer ${TOKEN}" "${{ vars.SONATYPE_DOMAIN_NAME }}/api/v1/publisher/status?id=$id" | jq -cr '.') |
| 163 | + SONATYPE_RESPONSE=$(echo "${RESPONSE}" | jq -cr '.deploymentState') |
| 164 | +
|
| 165 | + if [[ ${SONATYPE_RESPONSE} == 'FAILED' ]]; then |
| 166 | + ERRORS=$(echo "${RESPONSE}" | jq '.errors') |
| 167 | + echo "Package validation failed. Check build package logs to determine potential reasons why the uploaded package is not valid." |
| 168 | + echo "Errors: ${ERRORS}" |
| 169 | +
|
| 170 | + exit 1 |
| 171 | + elif [[ ${SONATYPE_RESPONSE} == 'VALIDATING' || ${SONATYPE_RESPONSE} == 'PENDING' ]]; then |
| 172 | + echo "Package validation is not done. Status: ${SONATYPE_RESPONSE}" |
| 173 | +
|
| 174 | + # Exponential backoff |
| 175 | + sleep_time=$((2 ** (i - 1))) |
| 176 | + echo "Next retry in ${sleep_time} second ...." |
| 177 | + sleep "$sleep_time" |
| 178 | + elif [[ "${SONATYPE_RESPONSE}" == 'VALIDATED' ]]; then |
| 179 | + echo "Package is validated. Run release confirmation." |
| 180 | +
|
| 181 | + break |
| 182 | + fi |
| 183 | + done |
| 184 | + done |
| 185 | +
|
| 186 | + # Peculating up the maven central release id |
| 187 | + - name: Maven Central release id |
| 188 | + working-directory: release/client-java |
| 189 | + id: get-maven-central-release-id |
| 190 | + shell: bash |
| 191 | + run: | |
| 192 | + echo "maven-central-release-id=${{ steps.stage-release.outputs.stage-release-ids }}" >> $GITHUB_OUTPUT |
| 193 | +
|
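Review bot: The `echo "curl --request POST --verbose … 'Authorization: Bearer ${TOKEN}' …"` line in "Stage artifacts on maven central" (new lines 127–130) writes the bearer token to the job log, because the single quotes sit inside a double-quoted string and `${TOKEN}` still expands. The token is a base64 string derived from two secrets, so log masking of the original secret values should not be relied on to hide it. The same step and "Check validation" also paste `${{ secrets.* }}` into the script text as a printf format string, so a `%`, `"` or `$` in either credential changes the command that runs. Pass the credentials through `env:`, build the token with `printf '%s:%s'`, register it with `::add-mask::`, and drop the echoed curl command. Separately, "Check validation" reads `$payload`, which is never assigned (`STAGE_IDS` is set and unused), so the loop appears to check no deployment and the step passes anyway; `echo "$STAGE_IDS" | jq -r '.[]'` looks like what was intended, and running out of `NUMBER_OF_CHECKS` without reaching `VALIDATED` should fail the step.

```yaml
      - name: Stage artifacts on maven central
        # … unchanged: working-directory, id, shell …
        env:
          SONATYPE_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }}
          SONATYPE_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }}
          SONATYPE_URL: ${{ vars.SONATYPE_DOMAIN_NAME }}
        run: |
          TOKEN=$(printf '%s:%s' "$SONATYPE_USERNAME" "$SONATYPE_PASSWORD" | base64 | tr -d '\n')
          echo "::add-mask::${TOKEN}"
          # … unchanged: responses=() and the for-loop header …
            echo "Uploading ${f}"
            resp=$(curl --request POST --silent \
              --header "Authorization: Bearer ${TOKEN}" \
              --form "bundle=@${f}" \
              "${SONATYPE_URL}/api/v1/publisher/upload?publishingType=USER_MANAGED")
          # … unchanged: error check, responses+=, stage-release-ids output …
```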