Merge branch 'main' of github.com:awslabs/aws-kotlin-repo-tools into asm-v2

Author: 0marperez

.github/actions/setup-kat/action.yml

@@ -5,10 +5,23 @@ description: >
 runs:
   using: composite
   steps:
-    - name: Install AWS CLI
+    - name: Install AWS CLI (Linux)
+      if: runner.os == 'Linux'
       shell: bash
       run: |
         sudo snap install aws-cli --classic
+    - name: Install AWS CLI (macOS)
+      if: runner.os == 'macOS'
+      shell: bash
+      run: |
+        curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
+        sudo installer -pkg AWSCLIV2.pkg -target /
+    - name: Install AWS CLI (Windows)
+      if: runner.os == 'Windows'
+      shell: powershell
+      run: |
+        Invoke-WebRequest -Uri "https://awscli.amazonaws.com/AWSCLIV2.msi" -OutFile "AWSCLIV2.msi"
+        Start-Process msiexec.exe -Wait -ArgumentList '/I AWSCLIV2.msi /quiet'
     - name: Set up kat
       shell: bash
       run: |

build-plugins/build-support/build.gradle.kts

@@ -9,6 +9,7 @@ import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 plugins {
     `kotlin-dsl`
     kotlin("jvm")
+    alias(libs.plugins.kotlin.serialization)
     `java-gradle-plugin`
 }
 
@@ -23,6 +24,9 @@ dependencies {
     compileOnly(gradleApi())
     implementation(libs.aws.sdk.s3)
     implementation(libs.aws.sdk.cloudwatch)
+    implementation(libs.okhttp)
+    implementation(libs.kotlinx.serialization.json)
+    implementation(libs.kotlinx.coroutines.core)
     testImplementation(kotlin("test"))
     testImplementation(libs.kotlinx.coroutines.test)
 }

build-plugins/build-support/src/main/kotlin/aws/sdk/kotlin/gradle/dsl/Publish.kt

@@ -19,6 +19,8 @@ import org.jreleaser.gradle.plugin.JReleaserExtension
 import org.jreleaser.model.Active
 import java.time.Duration
 
+// FIXME Relocate this file to `aws.sdk.kotlin.gradle.publishing`
+
 private object Properties {
     const val SKIP_PUBLISHING = "skipPublish"
 }
@@ -30,6 +32,7 @@ private const val SIGNING_PASSWORD_PROP = "signingPassword"
 private const val SONATYPE_USERNAME_PROP = "sonatypeUsername"
 private const val SONATYPE_PASSWORD_PROP = "sonatypePassword"
 
+// TODO Remove JReleaser environment variables when smithy-kotlin + aws-crt-kotlin are migrated to custom Sonatype integration
 private object EnvironmentVariables {
     const val GROUP_ID = "JRELEASER_PROJECT_JAVA_GROUP_ID"
     const val MAVEN_CENTRAL_USERNAME = "JRELEASER_MAVENCENTRAL_USERNAME"
@@ -40,6 +43,9 @@ private object EnvironmentVariables {
     const val GENERIC_TOKEN = "JRELEASER_GENERIC_TOKEN"
 }
 
+private const val SIGNING_PUBLIC_KEY = "SIGNING_KEY"
+private const val SIGNING_SECRET_KEY = "SIGNING_PASSWORD"
+
 internal val ALLOWED_PUBLICATION_NAMES = setOf(
     "common",
     "jvm",
@@ -73,6 +79,7 @@ internal val ALLOWED_KOTLIN_NATIVE_PUBLICATION_NAMES = setOf(
 private val ALLOWED_KOTLIN_NATIVE_GROUP_NAMES = setOf(
     "aws.sdk.kotlin.crt",
     "aws.smithy.kotlin",
+    "com.sonatype.central.testing.amazon",
 )
 
 // Optional override to the above set.
@@ -238,8 +245,8 @@ fun Project.configurePublishing(repoName: String, githubOrganization: String = "
             }
         }
 
-        val secretKey = System.getenv(EnvironmentVariables.GPG_SECRET_KEY)
-        val passphrase = System.getenv(EnvironmentVariables.GPG_PASSPHRASE)
+        val secretKey = System.getenv(SIGNING_PUBLIC_KEY)
+        val passphrase = System.getenv(SIGNING_SECRET_KEY)
 
         if (!secretKey.isNullOrBlank() && !passphrase.isNullOrBlank()) {
             apply(plugin = "signing")
@@ -253,6 +260,8 @@ fun Project.configurePublishing(repoName: String, githubOrganization: String = "
             tasks.withType<AbstractPublishToMaven>().configureEach {
                 mustRunAfter(signingTasks)
             }
+        } else {
+            logger.info("Skipping signing configuration, $SIGNING_PUBLIC_KEY or $SIGNING_SECRET_KEY are not set")
         }
     }
 
@@ -365,10 +374,21 @@ fun Project.configureJReleaser() {
             maven {
                 mavenCentral {
                     create("maven-central") {
-                        active = Active.ALWAYS // the Maven deployer default is ALWAYS, but MavenCentral is NEVER
-                        sign = false // Signing is done when publishing, see the 'configurePublishing' function
+                        active = Active.ALWAYS // the MavenDeployer default is ALWAYS, but MavenCentralDeployer is NEVER
                         url = "https://central.sonatype.com/api/v1/publisher"
                         stagingRepository(rootProject.layout.buildDirectory.dir("m2").get().toString())
+
+                        maxRetries = 100
+                        retryDelay = 60 // seconds
+                        snapshotSupported = false // do not allow publication of snapshot artifacts
+                        applyMavenCentralRules = true
+                        sign = false // Signing is done when publishing, see the 'configurePublishing' function
+                        // all of the following should be enabled by applyMavenCentralRules but set them explicitly to be sure
+                        checksums = true
+                        sourceJar = true
+                        javadocJar = true
+                        verifyPom = true
+
                         artifacts {
                             artifactOverride {
                                 artifactId = "version-catalog"
@@ -395,16 +415,6 @@ fun Project.configureJReleaser() {
                                 }
                             }
                         }
-                        maxRetries = 100
-                        retryDelay = 60 // seconds
-                        snapshotSupported = false // do not allow publication of snapshot artifacts
-                        applyMavenCentralRules = true
-                        // all of the following should be enabled by applyMavenCentralRules but set them explicitly to be sure
-                        sign = true
-                        checksums = true
-                        sourceJar = true
-                        javadocJar = true
-                        verifyPom = true
                     }
                 }
             }
@@ -426,7 +436,7 @@ internal fun isAvailableForPublication(project: Project, publication: MavenPubli
         // Standard publication
     } else if (publication.name in ALLOWED_KOTLIN_NATIVE_PUBLICATION_NAMES) {
         // Kotlin/Native publication
-        if (overrideGroupNameValidation && publication.groupId !in ALLOWED_KOTLIN_NATIVE_PUBLICATION_NAMES) {
+        if (overrideGroupNameValidation && publication.groupId !in ALLOWED_KOTLIN_NATIVE_GROUP_NAMES) {
             println("Overriding K/N publication, project=${project.name}; publication=${publication.name}; group=${publication.groupId}")
         } else {
             shouldPublish = shouldPublish && publication.groupId in ALLOWED_KOTLIN_NATIVE_GROUP_NAMES

build-plugins/build-support/src/main/kotlin/aws/sdk/kotlin/gradle/publishing/SonatypeCentralPortalClient.kt

@@ -0,0 +1,153 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package aws.sdk.kotlin.gradle.publishing
+
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.Json
+import okhttp3.*
+import okhttp3.HttpUrl.Companion.toHttpUrl
+import okhttp3.MediaType.Companion.toMediaType
+import okhttp3.RequestBody.Companion.asRequestBody
+import okhttp3.RequestBody.Companion.toRequestBody
+import java.io.File
+import java.time.Duration
+import java.util.Base64
+import kotlin.time.Clock
+import kotlin.time.ExperimentalTime
+
+/**
+ * A client used for interacting with the Sonatype Publish Portal API
+ * https://central.sonatype.org/publish/publish-portal-api/
+ */
+class SonatypeCentralPortalClient(
+    private val authHeader: String,
+    private val client: OkHttpClient = OkHttpClient.Builder()
+        .connectTimeout(Duration.ofSeconds(30))
+        .readTimeout(Duration.ofSeconds(60))
+        .writeTimeout(Duration.ofSeconds(60))
+        .retryOnConnectionFailure(true)
+        .build(),
+    private val json: Json = Json {
+        ignoreUnknownKeys = true
+        prettyPrint = true
+    },
+) {
+    companion object {
+        const val CENTRAL_PORTAL_USERNAME = "SONATYPE_CENTRAL_PORTAL_USERNAME"
+        const val CENTRAL_PORTAL_PASSWORD = "SONATYPE_CENTRAL_PORTAL_PASSWORD"
+        const val CENTRAL_PORTAL_BASE_URL = "https://central.sonatype.com"
+
+        fun buildAuthHeader(user: String, password: String): String {
+            val b64 = Base64.getEncoder().encodeToString("$user:$password".toByteArray(Charsets.UTF_8))
+            return "Bearer $b64"
+        }
+
+        fun fromEnvironment(): SonatypeCentralPortalClient {
+            val user = System.getenv(CENTRAL_PORTAL_USERNAME)?.takeIf { it.isNotBlank() } ?: error("$CENTRAL_PORTAL_USERNAME not configured")
+            val pass = System.getenv(CENTRAL_PORTAL_PASSWORD)?.takeIf { it.isNotBlank() } ?: error("$CENTRAL_PORTAL_PASSWORD not configured")
+            return SonatypeCentralPortalClient(buildAuthHeader(user, pass))
+        }
+    }
+
+    private val apiBase = CENTRAL_PORTAL_BASE_URL.toHttpUrl()
+
+    @Serializable
+    data class StatusResponse(
+        val deploymentId: String,
+        val deploymentName: String? = null,
+        val deploymentState: String,
+        val purls: List<String>? = null,
+        val errors: Map<String, List<String>>? = null,
+    )
+
+    /** Uploads a bundle and returns deploymentId. */
+    fun uploadBundle(bundle: File, deploymentName: String): String {
+        require(bundle.isFile && bundle.length() > 0L) { "Bundle does not exist or is empty: $bundle" }
+
+        val url = apiBase.newBuilder()
+            .addPathSegments("api/v1/publisher/upload")
+            .addQueryParameter("name", deploymentName)
+            .addQueryParameter("publishingType", "AUTOMATIC") // set USER_MANAGED to upload the deployment, but not release it
+            .build()
+
+        val body = MultipartBody.Builder()
+            .setType(MultipartBody.FORM)
+            .addFormDataPart(
+                "bundle",
+                bundle.name,
+                bundle.asRequestBody("application/octet-stream".toMediaType()),
+            )
+            .build()
+
+        val request = Request.Builder()
+            .url(url)
+            .header("Authorization", authHeader)
+            .post(body)
+            .build()
+
+        client.newCall(request).execute().use { resp ->
+            if (!resp.isSuccessful) throw httpError("upload", resp)
+            val id = resp.body?.string()?.trim().orEmpty()
+            if (resp.code != 201 || id.isEmpty()) {
+                throw RuntimeException("Upload returned ${resp.code} but no deploymentId body; body=$id")
+            }
+            return id
+        }
+    }
+
+    /** Returns current deployment status. */
+    fun getStatus(deploymentId: String): StatusResponse {
+        val url = apiBase.newBuilder()
+            .addPathSegments("api/v1/publisher/status")
+            .addQueryParameter("id", deploymentId)
+            .build()
+
+        val request = Request.Builder()
+            .url(url)
+            .header("Authorization", authHeader)
+            .post("".toRequestBody(null))
+            .build()
+
+        client.newCall(request).execute().use { resp ->
+            if (!resp.isSuccessful) throw httpError("status", resp)
+            val payload = resp.body?.string().orEmpty()
+            return try {
+                json.decodeFromString<StatusResponse>(payload)
+            } catch (e: Exception) {
+                throw RuntimeException("Failed to parse status JSON (HTTP ${resp.code}): $payload", e)
+            }
+        }
+    }
+
+    /** Polls until one of [terminalStates] is reached, returning the final StatusResponse. */
+    @OptIn(ExperimentalTime::class) // for Clock.System.now()
+    fun waitForStatus(
+        deploymentId: String,
+        terminalStates: Set<String>,
+        pollInterval: kotlin.time.Duration,
+        timeout: kotlin.time.Duration,
+        onStateChange: (old: String?, new: String) -> Unit = { _, _ -> },
+    ): StatusResponse {
+        val deadline = Clock.System.now() + timeout
+        var lastState: String? = null
+
+        while (Clock.System.now() < deadline) {
+            val status = getStatus(deploymentId)
+            if (status.deploymentState != lastState) {
+                onStateChange(lastState, status.deploymentState)
+                lastState = status.deploymentState
+            }
+            if (status.deploymentState in terminalStates) return status
+            Thread.sleep(pollInterval.inWholeMilliseconds)
+        }
+        throw RuntimeException("Timed out waiting for deployment $deploymentId to reach one of $terminalStates")
+    }
+
+    private fun httpError(context: String, resp: Response): RuntimeException {
+        val body = resp.body?.string().orEmpty()
+        return RuntimeException("HTTP error during $context: ${resp.code}.\nResponse: $body")
+    }
+}

build-plugins/build-support/src/main/kotlin/aws/sdk/kotlin/gradle/publishing/SonatypeCentralPortalPublishTask.kt

@@ -0,0 +1,79 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package aws.sdk.kotlin.gradle.publishing
+
+import org.gradle.api.DefaultTask
+import org.gradle.api.file.RegularFileProperty
+import org.gradle.api.provider.Property
+import org.gradle.api.tasks.*
+import org.gradle.api.tasks.options.Option
+import kotlin.io.path.Path
+import kotlin.io.path.exists
+import kotlin.time.Duration
+import kotlin.time.Duration.Companion.minutes
+import kotlin.time.Duration.Companion.seconds
+
+/**
+ * Publishes a bundle to Sonatype Portal and waits for it to be validated (but not fully published).
+ * States: PENDING, VALIDATING, VALIDATED, FAILED
+ * https://central.sonatype.org/publish/publish-portal-api/
+ */
+abstract class SonatypeCentralPortalPublishTask : DefaultTask() {
+    @get:InputFile
+    abstract val bundle: RegularFileProperty
+
+    @Option(option = "bundle", description = "Path to bundle")
+    fun setBundleFromOption(path: String) {
+        check(Path(path).exists()) { "Bundle not found at $path" }
+        bundle.set(Path(path).toFile())
+    }
+
+    /** Max time to wait for final state. */
+    @get:Input
+    @get:Optional
+    abstract val timeoutDuration: Property<Duration>
+
+    /** Poll interval. */
+    @get:Input
+    @get:Optional
+    abstract val pollInterval: Property<Duration>
+
+    init {
+        timeoutDuration.convention(45.minutes)
+        pollInterval.convention(15.seconds)
+    }
+
+    @TaskAction
+    fun run() {
+        val client = SonatypeCentralPortalClient.fromEnvironment()
+        val file = bundle.asFile.get()
+
+        // 1) Upload
+        val deploymentId = client.uploadBundle(file, file.name)
+        logger.lifecycle("📤 Uploaded bundle; deploymentId=$deploymentId")
+
+        // 2) Wait for PUBLISHING (which comes after VALIDATING) or FAILED
+        val result = client.waitForStatus(
+            deploymentId = deploymentId,
+            terminalStates = setOf("PUBLISHING", "FAILED"),
+            pollInterval = pollInterval.get(),
+            timeout = timeoutDuration.get(),
+        ) { _, new ->
+            logger.lifecycle("📡 Status: $new (deploymentId=$deploymentId)")
+        }
+
+        // 3) Evaluate
+        when (result.deploymentState) {
+            "PUBLISHING" -> logger.lifecycle("✅ Bundle validated by Maven Central")
+            "FAILED" -> {
+                val reasons = result.errors?.values?.joinToString("\n- ", prefix = "\n- ")
+                    ?: "\n(no error details returned)"
+                throw RuntimeException("❌ Sonatype deployment FAILED for ${result.deploymentId}$reasons")
+            }
+            else -> error("Unexpected terminal state: ${result.deploymentState}")
+        }
+    }
+}