diff --git a/.github/actions/run-ee-server/action.yaml b/.github/actions/run-ee-server/action.yaml index 97b3287c..b0975779 100644 --- a/.github/actions/run-ee-server/action.yaml +++ b/.github/actions/run-ee-server/action.yaml @@ -1,6 +1,10 @@ name: "Run EE Server" description: "Run EE server. Returns once server is ready. Only tested on Linux and macOS" +permissions: + # This is required for requesting the OIDC token + id-token: write + inputs: # All inputs in composite actions are strings use-server-rc: diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml new file mode 100644 index 00000000..c0132ca7 --- /dev/null +++ b/.github/workflows/create-release.yaml @@ -0,0 +1,21 @@ +name: create-release + +on: + workflow_dispatch: + inputs: + version: + type: string + required: true + description: New version to set + +jobs: + build-stage: + name: Build stage + uses: ./.github/workflows/release-stage.yaml + with: + # This will need to change to point to staging branch + ref: dev/dev-ci-fixes-stage + version: ${{ inputs.version }} + build-number: ${{ github.run_number }} + is-snapshot: false + secrets: inherit diff --git a/.github/workflows/promote-prod.yaml b/.github/workflows/promote-prod.yaml index ae9f2224..dc77ff8b 100644 --- a/.github/workflows/promote-prod.yaml +++ b/.github/workflows/promote-prod.yaml @@ -11,13 +11,18 @@ on: build-number: type: number description: Build number used to build artifact to be promoted + target-branch: + type: choice + description: Target branch to promote to + options: + - dev-stage jobs: promote-from-stage-to-prod: - name: Promot from stage to prod + name: Promote from stage to prod uses: ./.github/workflows/promote.yaml with: build-number: ${{ inputs.build-number }} target-repository: clients-maven-stage-local - target-branch: dev-stage + target-branch: ${{ inputs.target-branch }} secrets: inherit diff --git a/.github/workflows/promote.yaml b/.github/workflows/promote.yaml index 23301f1b..390ac7e2 100644 --- a/.github/workflows/promote.yaml +++ b/.github/workflows/promote.yaml @@ -12,6 +12,10 @@ on: target-branch: type: string description: Target branch to promote token + jf-target-build: + type: string + description: Target build name + default: clients-java-push-to-dev secrets: SONATYPE_MAVEN_USER: required: true @@ -42,7 +46,18 @@ jobs: - name: Get info id: get-build-info run: | - echo build-info=$(jf rt curl /api/build/clients-java-push-to-dev/${{ inputs.build-number }}) >> $GITHUB_OUTPUT + echo build-info=$(jf rt curl /api/build/${{ inputs.jf-target-build }}/${{ inputs.build-number }}) >> $GITHUB_OUTPUT + + - name: Check if build is a release build + id: get-is-snapshot + run: | + IS_SNAPSHOT=$(echo '${{ steps.get-build-info.outputs.build-info }}' | jq -r '.buildInfo.env.IS_SNAPSHOT') + + if [ $IS_SNAPSHOT == 'true' ];then + # Nothing to do bail + echo "You are trying to promote SNAPSHOT build to PROD" + exit 1 + fi - name: Get commit hash from repo id: get-commit-hash @@ -90,7 +105,7 @@ jobs: BUILD_NAMES=(${{ steps.get-build-name.outputs.build-names }}) if [ ${#MODULES[@]} -eq 0 ];then - echo "Missing build names for modules in 'clients-java-push-to-dev'" + echo "Missing build names for modules in '${{ inputs.jf-target-build }}'" fi for BUILD_NAME in "${BUILD_NAMES[@]}"; do diff --git a/.github/workflows/pull-request-open.yaml b/.github/workflows/pull-request-open.yaml index 48690fb0..165ec9a4 100644 --- a/.github/workflows/pull-request-open.yaml +++ b/.github/workflows/pull-request-open.yaml @@ -1,5 +1,9 @@ name: PR open +permissions: + # This is required for requesting the OIDC token + id-token: write + on: pull_request: branches: diff --git a/.github/workflows/push-to-stage.yaml b/.github/workflows/push-to-stage.yaml index 5448b164..e5c90855 100644 --- a/.github/workflows/push-to-stage.yaml +++ b/.github/workflows/push-to-stage.yaml @@ -11,5 +11,6 @@ jobs: name: Build stage uses: ./.github/workflows/release-stage.yaml with: - branch: ${{ github.ref }} + ref: ${{ github.ref }} + build-number: ${{ github.run_number }} secrets: inherit diff --git a/.github/workflows/release-stage.yaml b/.github/workflows/release-stage.yaml index 7420c270..d6bde680 100644 --- a/.github/workflows/release-stage.yaml +++ b/.github/workflows/release-stage.yaml @@ -1,7 +1,10 @@ on: workflow_call: inputs: - branch: + ref: + type: string + required: true + build-number: type: string required: true @@ -11,7 +14,7 @@ jobs: steps: - name: debug run: | - echo "${{ inputs.branch }}" + echo "${{ inputs.ref }}" echo "${{ github.base_ref }}" java-version: @@ -23,7 +26,7 @@ jobs: - name: Checkout client uses: actions/checkout@v4 with: - ref: ${{ inputs.branch }} + ref: ${{ inputs.ref }} - name: Get java version id: get-java-version @@ -41,8 +44,8 @@ jobs: matrix: crypto-type: [bouncycastle, gnu] with: + ref: ${{ inputs.ref }} java-version: ${{ needs.java-version.outputs.java-version }} - branch: ${{ inputs.branch }} crypto-type: ${{ matrix.crypto-type }} secrets: inherit diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2e6e45c9..19b88c6d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -5,7 +5,7 @@ permissions: on: workflow_call: inputs: - branch: + ref: type: string required: true java-version: @@ -31,7 +31,8 @@ jobs: - name: Checkout code uses: actions/checkout@v4 with: - ref: ${{ inputs.branch }} + fetch-depth: 0 + ref: ${{ inputs.ref }} # Java plugin will setup gpg but we are not using maven to deploy do JFrog. # - jf mvn clean install on publish does not publish POM we would like to publish @@ -43,9 +44,56 @@ jobs: gpg-private-key: ${{ secrets.GPG_SECRET_KEY_ORG }} gpg-passphrase: GPG_PASS + - name: Detect if snapshot + id: get-is-snapshot + shell: bash + run: | + # Getting previous commit + COMMIT_REF="HEAD~1" + + # Checking if previous commit contains pom.xml. This should always return true + if ! git show "${COMMIT_REF}:pom.xml" &>/dev/null; then + echo "Error: pom.xml not found in commit ${COMMIT_REF}" + exit 1 + fi + + # Getting previous version + OLD_VERSIONS=$(git show "${COMMIT_REF}:pom.xml" | + sed -n 's/.*\([^<]*\)<\/revision>.*/\1/p') + + # Getting current version + NEW_VERSIONS=$(sed -n 's/.*\([^<]*\)<\/revision>.*/\1/p' pom.xml) + + # Compare the extracted versions. CI will not commit snapshot version. + if [[ "${OLD_VERSIONS}" != "${NEW_VERSIONS}" ]]; then + echo "is-snapshot='false'" >> $GITHUB_OUTPUT + else + echo "is-snapshot='true'" >> $GITHUB_OUTPUT + fi + + - shell: bash + run: | + echo "IS_SNAPSHOT=${{ steps.get-is-snapshot.outputs.is-snapshot }}" >> $GITHUB_ENV + + - name: Get release or snapshot-version + id: get-release-version + shell: bash + run: | + IS_SNAPSHOT=${{ steps.get-is-snapshot.outputs.is-snapshot }} + if [ $IS_SNAPSHOT == 'true' ];then + echo release-version="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)-SNAPSHOT_$GITHUB_SHA" >> $GITHUB_OUTPUT + else + echo release-version="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT + fi + + - name: Set version + shell: bash + run: | + ./set_version ${{ steps.get-release-version.outputs.release-version }} ${{ inputs.crypto-type }} + - name: Build all modules shell: bash - run: mvn clean install -P ${{ inputs.crypto-type }} # The crypto profile is usually set with set_crypto but since we need to toggle multiple prfiles set_crypto option is not being picked up + run: mvn clean install -P ${{ inputs.crypto-type }} # The crypto profile is usually set with set_crypto but since we need to toggle multiple profiles set_crypto option is not being picked up - name: Stage artifacts for publish working-directory: client diff --git a/set_version b/set_version new file mode 100755 index 00000000..382c8719 --- /dev/null +++ b/set_version @@ -0,0 +1,56 @@ +#!/usr/bin/env bash + +# +# Function definitions +# +function update_version() { + VERSION="$1" + BUILD_TYPE=$2 + PARENT_POM="pom.xml" + PUBLIC_POM="client/deploy-resources/${BUILD_TYPE}_pom.xml" + + # Detecting host type. `sed` on bsd and linux are not the same + if [[ "$(uname)" == "Darwin" ]]; then + sed -i "" "s#[^<]*#${VERSION}#g" "$PARENT_POM" + sed -i "" "1,/[^<]*<\/version>/ s#[^<]*#${VERSION}#" "$PUBLIC_POM" + else + sed -i "s#[^<]*#${VERSION}#g" "$PARENT_POM" + sed -i "0,/[^<]*<\/version>/ s//${VERSION}<\/version>/" "$PUBLIC_POM" + fi +} + +function main() { + VERSION=$1 + BUILD_TYPE=$2 + + # If version has been set using set_crypto we are honoring that setting + if [ -f "bouncycastle.config" ];then + BUILD_TYPE="bouncycastle" + elif [ -f "gnu.config" ];then + BUILD_TYPE="gnu" + fi + + update_version $VERSION $BUILD_TYPE +} + +# +# Main entry +# +VERSION=$1 +BUILD_TYPE=${2:-"gnu"} +REGEX="^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT_[a-zA-Z0-9]+)?$" + +if [ -z $VERSION ];then + printf "Missing version ..." + + exit 1 +elif [[ ! "$1" =~ $REGEX ]];then + printf "Version format not valid. Valid format are [0 - 9].[0 - 9].[0 - 9] | [0 - 9].[0 - 9].[0 - 9]-SNAPSHOT_[git_sha]" + + exit 1 +else + # Call main + main $VERSION $BUILD_TYPE + + exit 0 +fi \ No newline at end of file