Prepare release #45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Prepare release | |
| defaults: | |
| run: | |
| shell: bash -euo pipefail -O nullglob {0} | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| type: string | |
| description: "Release version tag (e.g. v1.2.3)" | |
| required: true | |
| ref: | |
| type: string | |
| description: "Git ref from which to release" | |
| required: true | |
| default: "master" | |
| do_build_native_images: | |
| type: boolean | |
| description: "Native Test Server" | |
| required: true | |
| default: "true" | |
| do_publish_jars: | |
| type: boolean | |
| description: "Publish Java Artifacts" | |
| required: true | |
| default: "true" | |
| env: | |
| INPUT_REF: ${{ github.event.inputs.ref }} | |
| INPUT_TAG: ${{ github.event.inputs.tag }} | |
| jobs: | |
| create_draft_release: | |
| name: Create Github draft release | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Audit gh version | |
| run: gh --version | |
| - name: Check for existing release | |
| id: check_release | |
| run: | | |
| echo "::echo::on" | |
| gh release view --repo "$GITHUB_REPOSITORY" "$INPUT_TAG" \ | |
| && echo "::set-output name=already_exists::true" \ | |
| || echo "::set-output name=already_exists::false" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Checkout repo | |
| if: steps.check_release.outputs.already_exists == 'false' | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ env.INPUT_REF }} | |
| - name: Create release | |
| if: steps.check_release.outputs.already_exists == 'false' | |
| run: > | |
| gh release create | |
| "$INPUT_REF" | |
| --draft | |
| --repo "$GITHUB_REPOSITORY" | |
| --title "$INPUT_TAG" | |
| --target "$INPUT_REF" | |
| --notes-file releases/"$INPUT_TAG" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| publish_java_artifacts: | |
| name: Publish Java Artifacts | |
| if: github.event.inputs.do_publish_jars == 'true' | |
| runs-on: ubuntu-latest | |
| needs: create_draft_release | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ env.INPUT_REF }} | |
| # Our custom gradle version sniffing builds the maven release artifact | |
| # names out of the git tag ... but the repo isn't tagged (yet) so add a | |
| # tag to the _local_ clone just to get the right jar names. This tag | |
| # does not get pushed back to the origin. Once the artifacts have been | |
| # inspected and verified, the manual act of publishing the draft GH | |
| # release creates the tag. | |
| - name: Temporary tag | |
| run: git tag "$INPUT_TAG" | |
| - name: Set up Java | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: "11" | |
| distribution: "temurin" | |
| - name: Set up Gradle | |
| uses: gradle/actions/setup-gradle@v3 | |
| - name: Set up signing key | |
| run: mkdir -p "$HOME/.gnupg" && echo -n "$KEY" | base64 -d > "$HOME/.gnupg/secring.gpg" | |
| env: | |
| KEY: ${{ secrets.JAR_SIGNING_KEY }} | |
| # Prefer env variables here rather than inline ${{ secrets.FOO }} to | |
| # decrease the likelihood that secrets end up printed to stdout. | |
| - name: Set up secret gradle properties | |
| run: | | |
| mkdir -p "$HOME/.gradle" | |
| envsubst >"$HOME/.gradle/gradle.properties" <<EOF | |
| signing.keyId = $KEY_ID | |
| signing.password = $KEY_PASSWORD | |
| signing.secretKeyRingFile = $HOME/.gnupg/secring.gpg | |
| ossrhUsername = $RH_USER | |
| ossrhPassword = $RH_PASSWORD | |
| EOF | |
| env: | |
| KEY_PASSWORD: ${{ secrets.JAR_SIGNING_KEY_PASSWORD }} | |
| KEY_ID: ${{ secrets.JAR_SIGNING_KEY_ID }} | |
| RH_USER: ${{ secrets.RH_USER }} | |
| RH_PASSWORD: ${{ secrets.RH_PASSWORD }} | |
| - name: Publish | |
| run: ./gradlew publishToSonatype | |
| build_native_images: | |
| name: Build native test server | |
| needs: create_draft_release | |
| if: github.event.inputs.do_build_native_images == 'true' | |
| strategy: | |
| matrix: | |
| include: | |
| - runner: buildjet-2vcpu-ubuntu-1804 | |
| os_family: linux | |
| arch: amd64 | |
| - runner: macos-latest | |
| os_family: macOS | |
| arch: amd64 | |
| - runner: windows-2019 | |
| os_family: windows | |
| arch: amd64 | |
| runs-on: ${{ matrix.runner }} | |
| env: | |
| # This is required to allow continuing usage of Node 16 for actions, | |
| # as Node 20 won't run on the builder we use for linux builds | |
| # (Node 20 require glibc 2.28+, but ubuntu-1804 has glibc 2.27). | |
| # https://github.blog/changelog/2024-05-17-updated-dates-for-actions-runner-using-node20-instead-of-node16-by-default/ | |
| ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true | |
| steps: | |
| - name: Checkout repo | |
| # FIXME: v4+ requires Node 20 | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ env.INPUT_REF }} | |
| # See comment on temporary tag above. tldr: this is a local tag; never | |
| # gets pushed | |
| - name: Temporary tag | |
| run: git tag "$INPUT_TAG" | |
| - name: Set up Java | |
| # FIXME: v4+ requires Node 20 | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: "11" | |
| distribution: "temurin" | |
| - name: Set up Gradle | |
| # FIXME: v3+ requires Node 20 | |
| uses: gradle/gradle-build-action@v2 | |
| - name: Build native test server | |
| run: ./gradlew :temporal-test-server:build | |
| # path ends in a wildcard because on windows the file ends in '.exe' | |
| # path excludes *.txt because native-image also writes a build manifest txt file | |
| - name: Upload executable to workflow | |
| # FIXME: v4+ requires Node 20 | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ${{ matrix.os_family }}_${{ matrix.arch }} | |
| path: | | |
| temporal-test-server/build/graal/temporal-test-server* | |
| !temporal-test-server/build/graal/*.txt | |
| if-no-files-found: error | |
| retention-days: 1 | |
| attach_to_release: | |
| name: Attach native executables to release | |
| needs: build_native_images | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Audit gh version | |
| run: gh --version | |
| # when no artifact is specified, all artifacts are downloaded and expanded into CWD | |
| - name: Fetch executables | |
| # Need v3 here to stay compatible with the build_native_images job. | |
| uses: actions/download-artifact@v3-node20 | |
| # example: linux_amd64/ -> temporal-test-server_1.2.3_linux_amd64 | |
| # the name of the directory created becomes the basename of the archive (*.tar.gz or *.zip) and | |
| # the root directory of the contents of the archive. | |
| - name: Rename dirs | |
| run: | | |
| version="$(sed 's/^v//'<<<"$INPUT_TAG")" | |
| for dir in *; do mv "$dir" "temporal-test-server_${version}_${dir}"; done | |
| - name: Tar (linux, macOS) | |
| run: for dir in *{linux,macOS}*; do tar cvzf "${dir}.tar.gz" "$dir"; done | |
| - name: Zip (windows) | |
| run: for dir in *windows*; do zip -r "${dir}.zip" "$dir"; done | |
| - name: Upload release archives | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: release-archives | |
| path: | | |
| *.zip | |
| *.tar.gz | |
| if-no-files-found: error | |
| retention-days: 1 | |
| - name: Upload | |
| run: | | |
| until gh release upload --clobber --repo $GITHUB_REPOSITORY "$INPUT_TAG" *.zip *.tar.gz; do | |
| echo "Failed to upload release artifacts. Will retry in 20s" | |
| sleep 20 | |
| done | |
| timeout-minutes: 10 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |