mirror of https://github.com/octoleo/plantuml.git synced 2024-11-01 03:32:29 +00:00

Add artifact signing to CI workflow & publish signature files in snapshot releases.

matthew16550 2021-12-08 12:42:42 +11:00
parent 51ee3fb7c7
commit cb1468d8b3
5 changed files with 113 additions and 24 deletions


@ -1,13 +1,18 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -ex set -ex
mv plantuml.jar "plantuml-${POM_VERSION}.jar" RELEASE_DIR="target/github_release"
mv plantuml-javadoc.jar "plantuml-${POM_VERSION}-javadoc.jar"
mv plantuml-sources.jar "plantuml-${POM_VERSION}-sources.jar"
gh release create --target "${GITHUB_SHA}" "${TAG}" \ mkdir "${RELEASE_DIR}"
"plantuml-${POM_VERSION}.jar" \
"plantuml-${POM_VERSION}-javadoc.jar" \ ln -s "../plantuml.jar" "${RELEASE_DIR}/plantuml-${POM_VERSION}.jar"
"plantuml-${POM_VERSION}-sources.jar" ln -s "../plantuml-javadoc.jar" "${RELEASE_DIR}/plantuml-${POM_VERSION}-javadoc.jar"
ln -s "../plantuml-sources.jar" "${RELEASE_DIR}/plantuml-${POM_VERSION}-sources.jar"
# we do not release the .pom or .asc signature files here, they will be added in a later PR
gh release create \
--target "${GITHUB_SHA}" \
--title "${TAG}" \
"${TAG}" ${RELEASE_DIR}/*
echo "::notice title=::Released at ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/tag/${TAG} 🎉" echo "::notice title=::Released at ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/tag/${TAG} 🎉"


@ -3,6 +3,7 @@ set -ex
TAG="snapshot" TAG="snapshot"
DATE_TIME_UTC=$(date -u +"%F at %T (UTC)") DATE_TIME_UTC=$(date -u +"%F at %T (UTC)")
RELEASE_DIR="target/github_release"
gh release delete "${TAG}" -y || true gh release delete "${TAG}" -y || true
@ -10,10 +11,22 @@ git tag --force "${TAG}"
git push --force origin "${TAG}" git push --force origin "${TAG}"
mv plantuml.jar plantuml-SNAPSHOT.jar mkdir "${RELEASE_DIR}"
mv plantuml-javadoc.jar plantuml-SNAPSHOT-javadoc.jar
mv plantuml-sources.jar plantuml-SNAPSHOT-sources.jar ln -s "../plantuml.pom" "${RELEASE_DIR}/plantuml-SNAPSHOT.pom"
echo -n "${DATE_TIME_UTC}" > plantuml-SNAPSHOT-timestamp.lock ln -s "../plantuml.jar" "${RELEASE_DIR}/plantuml-SNAPSHOT.jar"
ln -s "../plantuml-javadoc.jar" "${RELEASE_DIR}/plantuml-SNAPSHOT-javadoc.jar"
ln -s "../plantuml-sources.jar" "${RELEASE_DIR}/plantuml-SNAPSHOT-sources.jar"
if [[ -e "target/plantuml.pom.asc" ]]; then
# signatures are optional so that forked repos can release snapshots without needing a gpg signing key
ln -s "../plantuml.pom.asc" "${RELEASE_DIR}/plantuml-SNAPSHOT.pom.asc"
ln -s "../plantuml.jar.asc" "${RELEASE_DIR}/plantuml-SNAPSHOT.jar.asc"
ln -s "../plantuml-javadoc.jar.asc" "${RELEASE_DIR}/plantuml-SNAPSHOT-javadoc.jar.asc"
ln -s "../plantuml-sources.jar.asc" "${RELEASE_DIR}/plantuml-SNAPSHOT-sources.jar.asc"
fi
echo -n "${DATE_TIME_UTC}" > "${RELEASE_DIR}/plantuml-SNAPSHOT.timestamp"
cat <<-EOF >notes.txt cat <<-EOF >notes.txt
This is a pre-release of [the latest development work](https://github.com/plantuml/plantuml/commits/). This is a pre-release of [the latest development work](https://github.com/plantuml/plantuml/commits/).
@ -21,10 +34,11 @@ cat <<-EOF >notes.txt
⏱ _Snapshot taken the ${DATE_TIME_UTC}_ ⏱ _Snapshot taken the ${DATE_TIME_UTC}_
EOF EOF
gh release create --prerelease --target "${GITHUB_SHA}" --title "${TAG}" --notes-file notes.txt "${TAG}" \ gh release create \
plantuml-SNAPSHOT.jar \ --prerelease \
plantuml-SNAPSHOT-javadoc.jar \ --target "${GITHUB_SHA}" \
plantuml-SNAPSHOT-sources.jar \ --title "${TAG}" \
plantuml-SNAPSHOT-timestamp.lock --notes-file notes.txt \
"${TAG}" ${RELEASE_DIR}/*
echo "::notice title=release snapshot::Snapshot released at ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/tag/${TAG} and taken the ${DATE_TIME_UTC}" echo "::notice title=release snapshot::Snapshot released at ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/tag/${TAG} and taken the ${DATE_TIME_UTC}"
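Review bot: When `target/plantuml.pom.asc` is absent, the script publishes the snapshot without signatures and reports nothing, so a missing or misconfigured `ARTIFACT_SIGNING_KEY` secret in the main repository would look like a normal release. I would add an `else` branch to the `if [[ -e "target/plantuml.pom.asc" ]]` block that emits `echo "::warning title=release snapshot::Artifacts were not signed, no .asc files published"`. The check also tests only the pom signature before linking all four `.asc` files. Because `ln -s` does not fail on a missing target, a partially signed build would surface at upload at the earliest; testing each `.asc` before linking it would catch that earlier.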


@ -78,6 +78,8 @@ jobs:
os: ubuntu-20.04 os: ubuntu-20.04
java_version: 8 java_version: 8
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
env:
SIGN_ARTIFACTS: ${{ secrets.ARTIFACT_SIGNING_KEY != '' }}
steps: steps:
- name: Checkout the repository - name: Checkout the repository
uses: actions/checkout@v2 uses: actions/checkout@v2
@ -107,17 +109,45 @@ jobs:
- name: Test - name: Test
run: mvn --batch-mode test run: mvn --batch-mode test
- name: Package # The repeated "matrix.release_from_this_build" checks are messy, but I have not found a simple way to avoid them
if: matrix.release_from_this_build # See https://github.com/actions/runner/issues/662
run: mvn --batch-mode -DfinalName=plantuml -Dmaven.test.skip=true package
- name: Upload jar artifacts - name: Setup gpg
if: matrix.release_from_this_build && env.ARTIFACT_SIGNING_KEY
id: gpg
env:
ARTIFACT_SIGNING_KEY: ${{ secrets.ARTIFACT_SIGNING_KEY }}
run: |
echo "Importing key ..."
echo "${ARTIFACT_SIGNING_KEY}" | gpg --batch --import --import-options import-show
echo "Getting key id ..."
key_id="$(echo "${ARTIFACT_SIGNING_KEY}" | gpg --batch --show-keys --with-colons | awk -F: '$1 == "sec" { print $5 }')"
echo "::set-output name=key_id::${key_id}"
- name: Create artifacts
if: matrix.release_from_this_build
env:
GPG_KEYNAME: ${{ steps.gpg.outputs.key_id }}
GPG_PASSPHRASE: ${{ secrets.ARTIFACT_SIGNING_PASSPHRASE }}
run: |
mvn --batch-mode \
"-DfinalName=plantuml" \
"-Dgpg.keyname=${GPG_KEYNAME}" \
"-Dgpg.passphrase=${GPG_PASSPHRASE}" \
"-Dmaven.test.skip=true" \
verify
- name: Upload artifacts
if: matrix.release_from_this_build if: matrix.release_from_this_build
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v2
with: with:
# Using github.run_number here to reduce confusion when downloading & comparing artifacts from several builds # Using github.run_number here to reduce confusion when downloading & comparing artifacts from several builds
name: ${{ github.run_number }}-jars name: ${{ github.run_number }}-artifacts
path: target/*.jar path: |
target/*.asc
target/*.jar
target/*.pom
release: release:
needs: [ workflow_config, build ] needs: [ workflow_config, build ]
@ -127,10 +157,11 @@ jobs:
- name: Checkout the repository - name: Checkout the repository
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Download jar artifacts - name: Download artifacts
uses: actions/download-artifact@v2 uses: actions/download-artifact@v2
with: with:
name: ${{ github.run_number }}-jars name: ${{ github.run_number }}-artifacts
path: target
- name: Create snapshot release - name: Create snapshot release
if: needs.workflow_config.outputs.do_snapshot_release == 'true' if: needs.workflow_config.outputs.do_snapshot_release == 'true'
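Review bot: The `Create artifacts` step passes the signing passphrase to Maven as `"-Dgpg.passphrase=${GPG_PASSPHRASE}"`, which puts the secret in the mvn process's argument list and in Maven's system properties. Other processes on the runner can read the argument list, and debug output (`-X`) can print the properties; log masking only covers the log. maven-gpg-plugin can instead read the passphrase from a `settings.xml` `<server>` entry (default id `gpg.passphrase`) whose `<password>` is `${env.GPG_PASSPHRASE}`, so I would drop that `-D` line and keep the secret in the step's `env:` only. Separately, the `Setup gpg` step is gated on `env.ARTIFACT_SIGNING_KEY` while the job and the pom profile use `SIGN_ARTIFACTS`; gating on `env.SIGN_ARTIFACTS == 'true'` would leave a single signal for whether signing is on.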


@ -10,6 +10,14 @@ Tags [cannot][3] be part of a pull request, so you need to push directly to the
The release will only happen if the username making the push is matched in the CI `Configure job` step. The release will only happen if the username making the push is matched in the CI `Configure job` step.
# Artifact Signing
The CI workflow will sign artifacts if the `ARTIFACT_SIGNING_KEY` [GitHub secret][4] is present. This should be a
private GPG key as described [here][5]. The passphrase is stored in the `ARTIFACT_SIGNING_PASSPHRASE` secret.
Currently, the signature files are only published as part of the [snapshot][6] releases.
In future, they will be part of the versioned releases as well.
# Releases Elsewhere # Releases Elsewhere
PlantUML is released to other places, currently that happens outside of GitHub and is not documented here. PlantUML is released to other places, currently that happens outside of GitHub and is not documented here.
@ -17,3 +25,6 @@ PlantUML is released to other places, currently that happens outside of GitHub a
[1]: https://github.com/plantuml/plantuml/releases [1]: https://github.com/plantuml/plantuml/releases
[2]: https://github.com/plantuml/plantuml/actions/workflows/ci.yml [2]: https://github.com/plantuml/plantuml/actions/workflows/ci.yml
[3]: https://stackoverflow.com/questions/12278660/adding-tags-to-a-pull-request [3]: https://stackoverflow.com/questions/12278660/adding-tags-to-a-pull-request
[4]: https://docs.github.com/en/actions/security-guides/encrypted-secrets
[5]: https://central.sonatype.org/publish/requirements/gpg/#generating-a-key-pair
[6]: https://github.com/plantuml/plantuml/releases/tag/snapshot

28
pom.xml

@ -49,6 +49,7 @@
</description> </description>
<url>https://plantuml.com</url> <url>https://plantuml.com</url>
<parent> <parent>
<!-- TODO remove oss-parent https://central.sonatype.org/publish/publish-maven/#deprecated-oss-parent -->
<groupId>org.sonatype.oss</groupId> <groupId>org.sonatype.oss</groupId>
<artifactId>oss-parent</artifactId> <artifactId>oss-parent</artifactId>
<version>7</version> <version>7</version>
@ -292,5 +293,32 @@
</dependency> </dependency>
</dependencies> </dependencies>
</profile> </profile>
<profile>
<id>sign-artifacts</id>
<activation>
<property>
<name>env.SIGN_ARTIFACTS</name>
<value>true</value>
</property>
</activation>
<build>
<plugins>
<plugin>
<artifactId>maven-gpg-plugin</artifactId>
<version>3.0.1</version>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles> </profiles>
</project> </project>