add Github Action workflows from Nodes

ist-dresden · Aug 10, 2023 · 52d59e9 · 52d59e9
1 parent b2a8134
commit 52d59e9
Show file tree

Hide file tree

Showing 8 changed files with 691 additions and 0 deletions.
diff --git a/.github/settings-istrepo.xml b/.github/settings-istrepo.xml
@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd"
+ xmlns="http://maven.apache.org/SETTINGS/1.1.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <!-- Settings to build with IST repository and deploy to IST repository. -->
+
+ <servers>
+ <server>
+ <id>istrepo</id>
+ <username>${env.NEXUS_BUILD_USER}</username>
+ <password>${env.NEXUS_BUILD_PASSWD}</password>
+ </server>
+ <server>
+ <id>istrepo-internal</id>
+ <username>${env.NEXUS_BUILD_USER}</username>
+ <password>${env.NEXUS_BUILD_PASSWD}</password>
+ </server>
+ <server>
+ <id>istrepo-snapshots</id>
+ <username>${env.NEXUS_BUILD_USER}</username>
+ <password>${env.NEXUS_BUILD_PASSWD}</password>
+ </server>
+ <server>
+ <id>ossrh</id>
+ <username>${env.OSSRH_USER}</username>
+ <password>${env.OSSRH_PASSWD}</password>
+ </server>
+ <server>
+ <id>gpg.passphrase</id>
+ <passphrase>${env.GPG_PASSPHRASE}</passphrase>
+ </server>
+ </servers>
+
+ <mirrors>
+ <!-- -->
+ <mirror>
+ <id>istrepo</id>
+ <name>istrepo</name>
+ <mirrorOf>*</mirrorOf>
+ <url>https://repo.ist-software.com/repository/maven-public</url>
+ </mirror>
+ <!-- -->
+ </mirrors>
+
+ <profiles>
+
+ <!--
+ * deployment profiles for each branch
+ * starts the deployment for a branch if deployment configuration is present
+ * only one branch should have a working deployment configuration for one target
+ -->
+ <profile>
+ <id>master</id>
+ </profile>
+
+ <profile>
+ <id>develop</id>
+ <properties>
+ <deploy.package>true</deploy.package>
+ <sling.scheme>https</sling.scheme>
+ <sling.secure>true</sling.secure>
+ <sling.host>test.composum.com</sling.host>
+ <sling.port>443</sling.port>
+ <sling.context></sling.context>
+ <sling.password>${env.NEXUS_BUILD_PASSWD}</sling.password>
+ </properties>
+ </profile>
+
+ <!--
+ * default repository profiles
+ -->
+ <profile>
+ <id>istrepo</id>
+ <activation>
+ <activeByDefault>true</activeByDefault>
+ </activation>
+ <repositories>
+ <repository>
+ <id>istrepo-internal</id>
+ <name>istrepo</name>
+ <url>https://repo.ist-software.com/repository/maven-releases</url>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ </repository>
+ <repository>
+ <id>istrepo-snapshots</id>
+ <name>istrepo</name>
+ <url>https://repo.ist-software.com/repository/maven-snapshots</url>
+ <snapshots>
+ <enabled>true</enabled>
+ </snapshots>
+ </repository>
+ </repositories>
+ <pluginRepositories>
+ <pluginRepository>
+ <id>istrepo-internal</id>
+ <name>istrepo</name>
+ <url>https://repo.ist-software.com/repository/maven-releases</url>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ </pluginRepository>
+ <pluginRepository>
+ <id>istrepo-snapshots</id>
+ <name>istrepo</name>
+ <url>https://repo.ist-software.com/repository/maven-snapshots</url>
+ <snapshots>
+ <enabled>true</enabled>
+ </snapshots>
+ </pluginRepository>
+ </pluginRepositories>
+ </profile>
+
+ </profiles>
+</settings>
diff --git a/.github/settings-public.xml b/.github/settings-public.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd"
+ xmlns="http://maven.apache.org/SETTINGS/1.1.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <!-- Try building with only the public repositories -->
+
+ <profiles>
+
+ <!-- https://repo.adobe.com/index.html
+ According to https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/not-able-to-access-repo-adobe-com/td-p/386197
+ the adobe public repo is to be migrated to maven central, but as of 20/04/11 at least the
+ com.day.jcr.vault:content-package-maven-plugin-parent:pom:0.0.24 is missing for the
+ com.day.jcr.vault:content-package-maven-plugin:jar:0.0.24 .
+ TODO: remove this ASAP and just use normal settings provided by Github Actions.
+ -->
+ <profile>
+ <id>adobe-public</id>
+ <activation>
+ <activeByDefault>true</activeByDefault>
+ </activation>
+ <pluginRepositories>
+ <pluginRepository>
+ <!-- prefer maven central plugin repo -->
+ <id>central</id>
+ <name>Central Repository</name>
+ <releases>
+ <updatePolicy>never</updatePolicy>
+ </releases>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ <url>https://repo.maven.apache.org/maven2</url>
+ </pluginRepository>
+
+ <pluginRepository>
+ <!-- But fall back to adobe repo for the missing things. :-( -->
+ <id>adobe-public-releases</id>
+ <name>Adobe Public Repository</name>
+ <url>https://repo.adobe.com/nexus/content/groups/public</url>
+ <releases>
+ <updatePolicy>never</updatePolicy>
+ </releases>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ </pluginRepository>
+ </pluginRepositories>
+ </profile>
+
+ </profiles>
+</settings>
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -0,0 +1,36 @@
+# Composum Github Action Setup
+
+This directory contains the setup for the Github Actions normally used in the Composum repositories.
+
+(For IST users: See also the more extensive discussion 
+[in the internal Composum documents](https://cloud.composum.com/content/ist/composum/home/internaldocumentatio/releasingWithGithub.html) 
+with some non public detail.)
+
+## Updating the workflows
+
+The "master" of this directory is in composum-nodes - to keep maintenance simple, please change the files here and 
+then copy the changes to the other repositories, but by using diff in the IDE or reviewing the changes before committing - 
+there are some differences in some cases, especially in master.yml and in project composum-meta.
+
+## Workflows and usage
+
+### pullrequest.yml
+As a sanity check, this workflow is triggered on every pull request. It does a build and test, but does not deploy.
+
+### develop.yml
+Does a build and test on every push to the develop branch. This also deploys to the IST testserver.
+
+### master.yml
+Does a build and test after something is merged to the master branch, and creates the site and deploys that to 
+Github pages.
+
+### setversion.yml
+This workflow is triggered manually, and updates the version in the pom.xml files. Can be applied to every branch.
+
+### createrelease.yml
+This workflow is triggered manually, and creates a release on the branch it is triggered from. (Possibly you might 
+want to use setversion.yml, if it's not the immediately next action). It is done in a way that failures shouldn't leave
+any traces in the repository, so it can just be restarted after fixing the problem.
+
+It's possible to do a dryRun. Please be aware that this does everything, including the upload to OSSRH, but does not
+"release" the upload but drop it from there.
diff --git a/.github/workflows/createerelease.yml b/.github/workflows/createerelease.yml
@@ -0,0 +1,188 @@
+# Creates a release and uploads that. We don't upload the site - that's done in the master.yml workflow once it's merged.
+# Since our build sometimes fails (because some tests occasionally fail for reasons not in our code) we make this robust:
+# the irreversible actions are done only after all builds are done. That is the git push and the release to maven central.
+# The copy to the Sonatype staging area is likely repeatable. That way you just have to restart the job if it fails,
+# with no harm done and no traces in git.
+
+name: Create Release
+run-name: Create Release of ${{ github.ref_name }} , dryrun=${{ inputs.dryrun }}
+
+on:
+ workflow_dispatch:
+ inputs:
+ dryrun:
+ type: boolean
+ description: 'Dry run? If given, the release will be built but dropped afterwards from OSSRH, and the git changes will not be pushed.'
+ default: false
+
+jobs:
+ createrelease:
+ runs-on: ubuntu-latest
+
+ env:
+ SUBDIR: ${{ github.event.inputs.subdir }}
+ MVNCMD: mvn -B -ntp -s ${{ github.workspace }}/.github/settings-istrepo.xml -P nexus-staging
+
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 3
+
+ - name: print configuration
+ run: |
+ echo "MVNCMD: $MVNCMD"
+ echo "dryrun: ${{ github.event.inputs.dryrun }}"
+
+ - name: Set up JDK 11
+ uses: actions/setup-java@v3
+ with:
+ java-version: '11'
+ distribution: 'temurin'
+ maven-version: 3.8.7
+ # deliberately not: cache: maven
+
+ - name: Dump event context for debugging
+ continue-on-error: true # Debugging output only, and this annoyingly fails when the commit messge has a (
+ run: |
+ echo '${{ github.event_name }} for ${{ github.ref_type }} ${{ github.ref_name }} or ${{ github.event.ref }}'
+ # https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#push
+ echo 'github.event:'
+ echo '${{ toJSON(github.event) }}'
+
+ - name: Dump github context for debugging
+ continue-on-error: true # Debugging output only, and this annoyingly fails when the commit message has a (
+ run: |
+ echo '${{ toJSON(github) }}'
+
+ - name: Try to set a master password
+ run: |
+ MASTERPWD=$(openssl rand -base64 25)
+ echo "<settingsSecurity> <master>$(mvn --encrypt-master-password "$MASTERPWD")</master></settingsSecurity>" > $HOME/.m2/settings-security.xml
+ # echo "MASTERPWD=\"$MASTERPWD\"" >> $GITHUB_ENV
+ # The master password isn't actually used, but the maven-gpg-plugin complains otherwise.
+
+ - name: Git & Maven Status
+ run: |
+ $MVNCMD -version
+ git remote -v
+ git status --untracked-files --ignored
+ git log -3 --no-color --decorate
+
+ - name: Mvn Effective POM
+ run: $MVNCMD -N help:effective-pom
+
+ - name: Mvn Effective Settings
+ run: $MVNCMD -N help:effective-settings
+
+ - name: Import GPG key
+ env:
+ GPG_SECRET_KEYS: ${{ secrets.GPG_SECRET_KEYS }}
+ GPG_OWNERTRUST: ${{ secrets.GPG_OWNERTRUST }}
+ run: |
+ echo $GPG_SECRET_KEYS | base64 --decode | gpg --import --no-tty --batch --yes
+ echo $GPG_OWNERTRUST | base64 --decode | gpg --import-ownertrust --no-tty --batch --yes
+ gpg -v --refresh-keys
+ gpg --list-secret-keys --keyid-format LONG
+
+ - name: Configure git user for release commits
+ # specific to repository - we don't want that to be the same thing in a fork.
+ env:
+ X_RELEASE_USERNAME: ${{ vars.RELEASE_USERNAME }}
+ X_RELEASE_USEREMAIL: ${{ vars.RELEASE_USEREMAIL }}
+ run: |
+ git config --global user.email "${X_RELEASE_USERNAME}"
+ git config --global user.name "${X_RELEASE_USEREMAIL}"
+
+ - name: Check that we are on snapshot branch before creating the release
+ run: |
+ echo "Version: "
+ $MVNCMD help:evaluate -Dexpression=project.version -q -DforceStdout
+ $MVNCMD help:evaluate -Dexpression=project.version -q -DforceStdout | egrep -- '-SNAPSHOT$' > /dev/null || exit 1
+ # unfortunately, this would require a snapshot parent if just called from the command line, so we cannot use it: :-(
+ # mvn org.apache.maven.plugins:maven-enforcer-plugin:3.2.1:enforce -Drules=requireSnapshotVersion
+
+ - name: Dry run of release goals
+ env:
+ GPG_PASSPHRASE : ${{ secrets.GPG_PASSPHRASE }}
+ run: |
+ # export GPG_PASSPHRASE=$(mvn --encrypt-password "$(echo $GPG_PASSPHRASE_RAW | base64 --decode)")
+ $MVNCMD clean release:clean
+ $MVNCMD release:prepare -DdryRun=true -DpushChanges=false
+ $MVNCMD release:perform -DdryRun=true -DlocalCheckout=true -DdeployAtEnd=true
+ $MVNCMD clean release:clean
+ git clean -f -d -x
+
+ - name: Verify git is clean
+ run: |
+ git status --untracked-files --ignored
+ git log -3 --no-color --decorate
+ git clean -f -d
+
+ - name: Prepare release
+ env:
+ GPG_PASSPHRASE : ${{ secrets.GPG_PASSPHRASE }}
+ run: |
+ git clean -f -d -x
+ # we use -P allmodules to set the new versions here even in the modules that we want not pushed to maven central
+ # That is not done during mvn release:perform, so they aren't uploaded to maven central.
+ $MVNCMD -P allmodules clean release:clean release:prepare -DpushChanges=false
+
+ - name: Git status after prepare
+ run: |
+ git status --untracked-files --ignored
+ git log -3 --no-color --decorate
+ cat release.properties || true
+
+ - name: Perform release
+ env:
+ OSSRH_USER: ${{ secrets.OSSRH_USER }}
+ OSSRH_PASSWD: ${{ secrets.OSSRH_PASSWD }}
+ GPG_PASSPHRASE : ${{ secrets.GPG_PASSPHRASE }}
+ run: |
+ $MVNCMD release:perform -DlocalCheckout=true -DdeployAtEnd=true "-Dgoals=clean install package source:jar javadoc:jar deploy" "-Darguments=-DdeployAtEnd=true"
+
+ - name: Git Status after perform
+ if: always()
+ run: |
+ git status
+ git log -3 --no-color --decorate
+
+ - name: Git Status after perform, long
+ if: always()
+ run: |
+ git status --untracked-files --ignored
+
+ - name: Push changes
+ if: ${{ github.event.inputs.dryrun == 'false' }}
+ run: |
+ git push origin --follow-tags -v
+
+ - name: Release to maven central repository
+ if: ${{ github.event.inputs.dryrun == 'false' }}
+ env:
+ OSSRH_USER: ${{ secrets.OSSRH_USER }}
+ OSSRH_PASSWD: ${{ secrets.OSSRH_PASSWD }}
+ run: |
+ cd target/checkout
+ pwd
+ $MVNCMD nexus-staging:release
+
+ - name: Drop from OSSRH on dryrun
+ if: ${{ github.event.inputs.dryrun != 'false' }}
+ env:
+ OSSRH_USER: ${{ secrets.OSSRH_USER }}
+ OSSRH_PASSWD: ${{ secrets.OSSRH_PASSWD }}
+ run: |
+ cd target/checkout
+ pwd
+ $MVNCMD nexus-staging:drop
+
+ - name: List target files even if recipe fails
+ if: always()
+ run: |
+ pwd
+ ls -ld
+ ls -ld target
+ find . -type d -name target
+ ls -l ./target/checkout/target || true
+ ls -l ./target/checkout/commons/target || true