Add exit gate

Komal Yadav · Komal Yadav · commit 2c9922d24e2f · 2025-10-12T02:57:46.000Z
updated
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
@@ -1,4 +1,4 @@
-# Copyright © 2022 Cask Data, Inc.
+# Copyright © 2025 Cask Data, Inc.
 #  Licensed under the Apache License, Version 2.0 (the "License"); you may not
 #  use this file except in compliance with the License. You may obtain a copy of
 #  the License at
@@ -26,10 +26,7 @@ jobs:
         uses: 'google-github-actions/get-secretmanager-secrets@v0'
         with:
           secrets: |-
-            CDAP_OSSRH_USERNAME:cdapio-github-builds/CDAP_OSSRH_USERNAME
-            CDAP_OSSRH_PASSWORD:cdapio-github-builds/CDAP_OSSRH_PASSWORD
-            CDAP_GPG_PASSPHRASE:cdapio-github-builds/CDAP_GPG_PASSPHRASE
-            CDAP_GPG_PRIVATE_KEY:cdapio-github-builds/CDAP_GPG_PRIVATE_KEY
+            secure_publish_bucket:cdapio-github-builds/publish_bucket
 
       - name: Checkout Repository
         uses: actions/checkout@v4
@@ -44,25 +41,18 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-maven-${{ github.workflow }}
 
-      - name: Set up GPG conf
-        run: |
-          echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
-          echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
-
-      - name: Import GPG key
-        run: |
-          echo "$GPG_PRIVATE_KEY" > private.key
-          gpg --import --batch private.key
-        env:
-          GPG_PRIVATE_KEY: ${{ steps.secrets.outputs.CDAP_GPG_PRIVATE_KEY }}
-
       - name: Run tests
         run: mvn clean test -fae -T 2 -B -V -DcloudBuild -Dmaven.wagon.http.retryHandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=30
 
-      - name: Publish to Maven Central
-        run: mvn clean -B -V -DskipTests deploy -P release -Dgpg.passphrase=$CDAP_GPG_PASSPHRASE -Dmaven.wagon.http.retryHandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=30
-        env:
-          CDAP_OSSRH_USERNAME: ${{ steps.secrets.outputs.CDAP_OSSRH_USERNAME }}
-          CDAP_OSSRH_PASSWORD: ${{ steps.secrets.outputs.CDAP_OSSRH_PASSWORD }}
-          CDAP_GPG_PASSPHRASE: ${{ steps.secrets.outputs.CDAP_GPG_PASSPHRASE }}
-          MAVEN_OPTS: '-Xmx3200m'
+      - name: 'Submit Build to Google Cloud Build'
+        id: gcb
+        working-directory: e2e
+        run: |
+            APP_VERSION=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
+            echo "APP_VERSION=${APP_VERSION}" >> $GITHUB_ENV
+            
+            echo "Submitting build to Google Cloud Build for version ${APP_VERSION}, ref ${{ inputs.ref }}"
+            gcloud builds submit . \
+              --config=cloudbuild-release.yaml \
+              --project='cdap-github-builds' \
+              --substitutions="_APP_VERSION=${APP_VERSION},_SECURE_PUBLISH_BUCKET_NAME=${{ steps.gcp_secrets.outputs.secure_publish_bucket }}"
diff --git a/cloudbuild-release.yaml b/cloudbuild-release.yaml
@@ -0,0 +1,73 @@
+steps:
+  # Step 1: Build Artifacts and Generate SBOM
+  - name: 'maven:3.8-jdk-8'
+    id: build-and-sbom
+    entrypoint: 'mvn'
+    env:
+      - 'MAVEN_OPTS=-Xmx3200m'
+    args:
+      - -B
+      - -V
+      - -DskipTests
+      - clean
+      - package # Build and package
+      - -P release
+      - org.cyclonedx:cyclonedx-maven-plugin:2.7.10:makeAggregateBom # Generate SBOM
+
+  # Step 2: Prepare and Stage Artifacts for Secure Publishing
+  - name: 'gcr.io/cloud-builders/gsutil'
+    id: stage-for-secure-publishing
+    entrypoint: 'bash'
+    args:
+      - -c
+      - |
+        set -ex
+
+        # Check if substitutions are provided
+        if [[ -z "${_SECURE_PUBLISH_BUCKET_NAME}" || "${_SECURE_PUBLISH_BUCKET_NAME}" == "YOUR_SECURE_PUBLISH_BUCKET_NAME" ]]; then
+          echo "ERROR: _SECURE_PUBLISH_BUCKET_NAME substitution is missing or not set."
+          exit 1
+        fi
+        if [[ -z "${_APP_VERSION}" ]]; then
+          echo "ERROR: _APP_VERSION substitution is missing."
+          exit 1
+        fi
+
+        SECURE_GCS_PATH="gs://${_SECURE_PUBLISH_BUCKET_NAME}"
+        STAGING_DIR="/workspace/secure-staging"
+        mkdir -p "$${STAGING_DIR}"
+
+        echo "Gathering Maven artifacts for Secure Publishing..."
+        # Find all relevant artifacts from the build in the root target directory
+        find /workspace/target -maxdepth 1 -type f \( -name "*.pom" -o -name "*.jar" \) ! -name "original-*.jar" ! -name "*-tests.jar" -exec cp {} "$${STAGING_DIR}/" \;
+
+        # Add the aggregate SBOM if it's at the root target
+        if [ -f /workspace/target/bom.json ]; then
+          cp /workspace/target/bom.json "$${STAGING_DIR}/bom.json"
+        else
+          echo "WARNING: bom.json not found in /workspace/target"
+        fi
+
+        echo "Uploading artifacts to Secure Publishing bucket: $${SECURE_GCS_PATH}"
+        # Check if there are files to upload
+        if [ -n "$(ls -A "$${STAGING_DIR}")" ]; then
+          gsutil -m cp -r "$${STAGING_DIR}/." "$${SECURE_GCS_PATH}/"
+        else
+          echo "No artifacts found in $${STAGING_DIR} to upload."
+          exit 1
+        fi
+
+        echo "Generating manifest.json"
+        cd "$${STAGING_DIR}"
+        printf '{\n  "artifacts": [\n' > /workspace/manifest.json
+        # escape double quotes in file names
+        find . -type f -exec printf '    "%s",\n' {} \; | sed 's/"/\\"/g; s/^    "\\"/    "/' | sed '$ s/,$//' >> /workspace/manifest.json
+        printf '  ]\n}\n' >> /workspace/manifest.json
+        cd /workspace
+        gsutil cp /workspace/manifest.json "$${SECURE_GCS_PATH}/manifest.json"
+        echo "Secure Publishing staging complete."
+
+options:
+  requestedVerifyOption: VERIFIED
+  logging: CLOUD_LOGGING_ONLY
+  machineType: 'E2_HIGHCPU_32'
