-
-
Notifications
You must be signed in to change notification settings - Fork 873
111 lines (92 loc) · 3.88 KB
/
release-check-sign.yml
File metadata and controls
111 lines (92 loc) · 3.88 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
name: Release - Create checksums and GPG sign
on:
workflow_dispatch:
inputs:
gitReleaseTag:
description: 'Release tag to upload to. Must start with "release-"'
type: string
env:
RELEASE_FOLDER: '${{ github.workspace }}/releaseDist'
permissions:
contents: read
jobs:
sign_and_checksums:
if: ${{ inputs.gitReleaseTag && startsWith(inputs.gitReleaseTag, 'release-') }}
runs-on: ubuntu-24.04 # Updated in BRS
environment: release-env
permissions:
contents: write # So that we can upload to release
steps:
- name: Checkout and setup
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up JDK
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
java-version: '11'
distribution: 'temurin'
gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
gpg-passphrase: MAVEN_GPG_PASSPHRASE
- name: Get all release files
run: |
mkdir -p ${RELEASE_FOLDER}
pushd ${RELEASE_FOLDER}
gh release download ${{ inputs.gitReleaseTag }} -p "*.zip" -p "*.tgz" -p "*.jar" --repo=${{ github.repository }}
popd
env:
GH_TOKEN: ${{ github.token }}
- name: Checksums and sign
run: |
source icu4j/releases_tools/shared.sh
pushd ${RELEASE_FOLDER}
sha512sum -b icu4c* > SHASUM512.txt
md5sum -b *.jar > icu4j-${github_rel_version}.md5
md5sum -b icu4c-*-data-bin-*.zip > icu4c-${github_rel_version}-binary.md5
md5sum -b icu4c-*-sources.* > icu4c-${github_rel_version}-sources.md5
find . -type f -exec gpg --no-tty --batch --pinentry-mode loopback --passphrase=$MAVEN_GPG_PASSPHRASE -a --output {}.asc --detach-sig {} \;
popd
env:
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
- name: Upload to release
run: |
gh release upload ${{ inputs.gitReleaseTag }} LICENSE --clobber --repo=${{ github.repository }}
gh release upload ${{ inputs.gitReleaseTag }} ${RELEASE_FOLDER}/*.md5 --clobber --repo=${{ github.repository }}
gh release upload ${{ inputs.gitReleaseTag }} ${RELEASE_FOLDER}/*.asc --clobber --repo=${{ github.repository }}
gh release upload ${{ inputs.gitReleaseTag }} ${RELEASE_FOLDER}/SHASUM512.txt --clobber --repo=${{ github.repository }}
env:
GH_TOKEN: ${{ github.token }}
sign_and_checksums_icu4x:
if: ${{ inputs.gitReleaseTag && startsWith(inputs.gitReleaseTag, 'icu4x/') }}
runs-on: ubuntu-24.04 # Updated in BRS
environment: release-env
permissions:
contents: write # So that we can upload to release
steps:
- name: Checkout and setup
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up JDK
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
java-version: '11'
distribution: 'temurin'
gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
gpg-passphrase: MAVEN_GPG_PASSPHRASE
- name: Get all release files
run: |
mkdir -p ${RELEASE_FOLDER}
pushd ${RELEASE_FOLDER}
gh release download ${{ inputs.gitReleaseTag }} -p "*.zip" --repo=${{ github.repository }}
popd
env:
GH_TOKEN: ${{ github.token }}
- name: Checksums and sign
run: |
pushd ${RELEASE_FOLDER}
find . -type f -exec gpg --no-tty --batch --pinentry-mode loopback --passphrase=$MAVEN_GPG_PASSPHRASE -a --output {}.asc --detach-sig {} \;
popd
env:
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
- name: Upload to release
run: |
gh release upload ${{ inputs.gitReleaseTag }} ${RELEASE_FOLDER}/*.asc --clobber --repo=${{ github.repository }}
env:
GH_TOKEN: ${{ github.token }}