Add exit gate

Komal Yadav · Komal Yadav · commit bba47f273725 · 2025-10-13T05:46:17.000Z
updated

updated

updatex

updated

updated

updated

updated

updated
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
@@ -1,4 +1,4 @@
-# Copyright © 2022 Cask Data, Inc.
+# Copyright © 2025 Cask Data, Inc.
 #  Licensed under the Apache License, Version 2.0 (the "License"); you may not
 #  use this file except in compliance with the License. You may obtain a copy of
 #  the License at
@@ -26,10 +26,7 @@ jobs:
         uses: 'google-github-actions/get-secretmanager-secrets@v0'
         with:
           secrets: |-
-            CDAP_OSSRH_USERNAME:cdapio-github-builds/CDAP_OSSRH_USERNAME
-            CDAP_OSSRH_PASSWORD:cdapio-github-builds/CDAP_OSSRH_PASSWORD
-            CDAP_GPG_PASSPHRASE:cdapio-github-builds/CDAP_GPG_PASSPHRASE
-            CDAP_GPG_PRIVATE_KEY:cdapio-github-builds/CDAP_GPG_PRIVATE_KEY
+            secure_publish_bucket:cdapio-github-builds/publish_bucket
 
       - name: Checkout Repository
         uses: actions/checkout@v4
@@ -44,25 +41,15 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-maven-${{ github.workflow }}
 
-      - name: Set up GPG conf
-        run: |
-          echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
-          echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
-
-      - name: Import GPG key
-        run: |
-          echo "$GPG_PRIVATE_KEY" > private.key
-          gpg --import --batch private.key
-        env:
-          GPG_PRIVATE_KEY: ${{ steps.secrets.outputs.CDAP_GPG_PRIVATE_KEY }}
-
       - name: Run tests
         run: mvn clean test -fae -T 2 -B -V -DcloudBuild -Dmaven.wagon.http.retryHandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=30
 
-      - name: Publish to Maven Central
-        run: mvn clean -B -V -DskipTests deploy -P release -Dgpg.passphrase=$CDAP_GPG_PASSPHRASE -Dmaven.wagon.http.retryHandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=30
-        env:
-          CDAP_OSSRH_USERNAME: ${{ steps.secrets.outputs.CDAP_OSSRH_USERNAME }}
-          CDAP_OSSRH_PASSWORD: ${{ steps.secrets.outputs.CDAP_OSSRH_PASSWORD }}
-          CDAP_GPG_PASSPHRASE: ${{ steps.secrets.outputs.CDAP_GPG_PASSPHRASE }}
-          MAVEN_OPTS: '-Xmx3200m'
+      - name: Submit Build to GCB
+        id: gcb
+        working-directory: google-cloud
+        run: |
+            gcloud builds submit . \
+              --config=cloudbuild-release.yaml \
+              --project='cdapio-github-builds' \
+              --substitutions="_ARTIFACT_ID='google-cloud',_SECURE_PUBLISH_BUCKET_NAME=${{ steps.gcp_secrets.outputs.secure_publish_bucket }}"
+
diff --git a/cloudbuild-release.yaml b/cloudbuild-release.yaml
@@ -0,0 +1,92 @@
+# Copyright © 2025 Cask Data, Inc.
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may not
+#  use this file except in compliance with the License. You may obtain a copy of
+#  the License at
+#  http://www.apache.org/licenses/LICENSE-2.0
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations under
+#  the License.
+
+steps:
+  - name: 'maven:3.8-jdk-8' # Specify a Maven image
+    id: maven-package
+    entrypoint: 'mvn'
+    args:
+      - -B
+      - -U
+      - clean
+      - package
+      - -DskipTests
+
+  - name: 'anchore/syft:v1.5.0'
+    id: generate-sbom
+    args:
+      - 'packages'
+      - '-o'
+      - 'spdx-json=/workspace/attestations/project-sbom.spdx.json'
+      - '.'
+    waitFor: ['maven-package']
+
+  - name: 'bash'
+    id: stage-artifacts
+    entrypoint: 'bash'
+    args:
+      - '-c'
+      - |
+        set -e
+        mkdir -p /workspace/staging
+        mkdir -p /workspace/attestations
+
+        # Copy Maven artifacts from the 'target' directory
+        echo "Copying Maven artifacts..."
+        find target -name "*.jar" -exec cp {} /workspace/staging/ \;
+        find target -name "*.pom" -exec cp {} /workspace/staging/ \;
+        # Add other artifact types if necessary
+
+        # Copy SBOM
+        echo "Copying SBOM..."
+        if [ -f /workspace/attestations/project-sbom.spdx.json ]; then
+          cp /workspace/attestations/project-sbom.spdx.json /workspace/staging/
+        else
+          echo "ERROR: SBOM file not found!"
+          exit 1
+        fi
+
+        echo "Staged files:"
+        ls -l /workspace/staging
+    waitFor: ['generate-sbom']
+
+  - name: 'bash'
+    id: create-manifest
+    entrypoint: 'bash'
+    args:
+      - '-c'
+      - |
+        set -e
+        echo "Creating manifest.json..."
+        cd /workspace/staging
+        printf '{\n  "artifacts": [\n' > manifest.json
+        find . -maxdepth 1 -type f ! -name "manifest.json" | sed 's|./||' | sed 's/.*/    "&",/' >> manifest.json
+        sed -i '$ s/,$//' manifest.json
+        printf '\n  ]\n}\n' >> manifest.json
+        echo "Generated manifest.json:"
+        cat manifest.json
+        cd /workspace
+    waitFor: ['stage-artifacts']
+
+  - name: 'gcr.io/cloud-builders/gsutil'
+    id: upload-to-staging
+    args:
+      - '-m'
+      - 'cp'
+      - '-r'
+      - '/workspace/staging/*'
+      - 'gs://${_SECURE_PUBLISH_BUCKET_NAME}/${_ARTIFACT_ID}/${BUILD_ID}/'
+    waitFor: ['create-manifest']
+
+options:
+  requestedVerifyOption: VERIFIED
+  machineType: 'E2_HIGHCPU_32'
+
