temporalio · mmcshane · Jan 31, 2022 · Jan 31, 2022
@@ -1,5 +1,33 @@
 # sdk-java Github Workflows
 
+## Prepare Release (prepare-release.yml)
+
+This is a [manually triggered](https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow) workflow that uses the gradle build files already present in the sdk-java repository to prepare release artifacts for publication.  This workflow takes a tag string and a git ref to use in peparing a release.  There is an expectation that if preparing a given release (e.g. v1.2.3) then there exists a file in the repository, releases/<tag> (i.e. releases/v1.2.3) containing release notes. This file must be present on the ref passed to the workflow invocation.
+
+This workflow requires five secrets:
+
+- `JAR_SIGNING_KEY`
+- `JAR_SIGNING_KEY_ID`
+- `JAR_SIGNING_KEY_PASSWORD`
+- `RH_PASSWORD`
+- `RH_USER`
+
+ The results of running this workflow are
+
+ - A *DRAFT* Github release will be created
+ - Signed jars *STAGED* to the Sonatype Nexus artifact repository
+
+ To complete the release, the releaser should
+
+ - Validate and publish the Github release
+ - Approve and publish the jars via the Sonatype UI
+
+### Testing
+
+This workflow does not publish release artifacts in a way that is externally
+visible and thus it is safe to execute at any time as long as the resulting
+draft release and unpublished jars are cleaned up.
+
 ## Native Testserver Images (native-testserver-images.yml)
 
 This is a [manually triggered](https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow) workflow that uses the gradle build files already present in the sdk-java repository to build native executables for Windows, MacOS, and Linux. Currently only the amd64 architecture is supported. We plan to add macOS/aarch64 native builds when builders for that platform become available.  This workflow takes two parameters:

@@ -0,0 +1,169 @@
+name: Prepare Release
+defaults:
+  run:
+    shell: bash -euo pipefail -O nullglob {0}
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        type: string
+        description: 'Release version tag (e.g. v1.2.3)'
+        required: true
+      ref:
+        type: string
+        description: 'Git ref from which to release'
+        required: true
+        default: 'master'
+
+jobs:
+  draft_release:
+    name: Create Github Draft Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+        with:
+          ref: '${{ github.event.inputs.ref }}'
+      - name: Create Release
+        run: >
+          gh release create
+          '${{ github.event.inputs.tag }}'
+          --draft
+          --repo '${{ github.repository }}' 
+          --title '${{ github.event.inputs.tag }} release' 
+          --target '${{ github.event.inputs.ref }}'
+          --notes-file 'releases/${{ github.event.inputs.tag }}'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  gradle_publish:
+    name: Publish via Gradle
+    runs-on: ubuntu-latest
+    needs: draft_release 
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+        with:
+          ref: '${{ github.event.inputs.ref }}'
+
+        # Our custom gradle version sniffing builds the maven release artifact
+        # names out of the git tag ... but the repo isn't tagged (yet) so add a
+        # tag to the _local_ clone just to get the right jar names. This tag
+        # does not get pushed back to the origin. Once the artifacts have been
+        # inspected and verified, the manual act of publishing the draft GH
+        # release creates the tag.
+      - name: Temporary tag
+        run: git tag '${{ github.event.inputs.tag }}'
+
+      - name: Set up Java
+        uses: actions/setup-java@v2
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
+
+      # TODO unclear if `gpg --batch --import "$HOME/.gnupg/secring.gpg` is
+      # needed here as well It's in the old Concourse code but there's no clear
+      # indication as to why.
+      - name: Setup Signing Key
+        run: mkdir -p "$HOME/.gnupg" && echo -n "$KEY" | base64 -d > "$HOME/.gnupg/secring.gpg"
+        env:
+          KEY: ${{ secrets.JAR_SIGNING_KEY }}
+
+      # Prefer env variables here rather than inline ${{ secrets.FOO }} to
+      # decrease the likelihood that secrets end up printed to stdout.
+      - name: Setup Gradle Properties Secrets
+        run: |
+          mkdir -p "$HOME/.gradle"
+          envsubst >"$HOME/.gradle/gradle.properties" <<EOF
+          signing.keyId = $KEY_ID
+          signing.password = $KEY_PASSWORD
+          signing.secretKeyRingFile = $HOME/.gnupg/secring.gpg
+          ossrhUsername = $RH_USER
+          ossrhPassword = $RH_PASSWORD
+          EOF
+        env:
+          KEY_PASSWORD: ${{ secrets.JAR_SIGNING_KEY_PASSWORD }}
+          KEY_ID: ${{ secrets.JAR_SIGNING_KEY_ID }}
+          RH_USER: ${{ secrets.RH_USER }}
+          RH_PASSWORD: ${{ secrets.RH_PASSWORD }}
+
+      - name: Gradle publish
+        run: ./gradlew publish
+
+  native_images:
+    name: Build native images
+    needs: draft_release
+    strategy:
+      matrix:
+        include:
+          - dist: ubuntu-latest
+            os_family: linux
+            arch: amd64
+          - dist: macos-latest
+            os_family: macOS
+            arch: amd64
+          - dist: windows-2019
+            os_family: windows
+            arch: amd64
+    runs-on: ${{ matrix.dist }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Java
+        uses: actions/setup-java@v2
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
+
+      - name: Build Native Image
+        run: ./gradlew :temporal-test-server:build
+
+      # path ends in a wildcard because on windows the file ends in '.exe'
+      # path excludes *.txt because native-image also writes a build manifest txt file
+      - name: Upload executable to workflow
+        uses: actions/upload-artifact@v2
+        with:
+          name: ${{ matrix.os_family }}_${{ matrix.arch }}
+          path: |
+            temporal-test-server/build/graal/temporal-test-server*
+            !temporal-test-server/build/graal/*.txt
+          if-no-files-found: error
+          retention-days: 1
+
+  attach_to_release:
+    name: Attach native executables to release
+    needs: native_images
+    runs-on: ubuntu-latest
+    steps:
+
+      # when no artifact is specified, all artifacts are downloaded and expanded into CWD
+      - name: Fetch executables
+        uses: actions/download-artifact@v2
+
+      # example: linux_amd64/ -> temporal-test-server_1.2.3_linux_amd64
+      # the name of the directory created becomes the basename of the archive (*.tar.gz or *.zip) and 
+      # the root directory of the contents of the archive.
+      - name: Rename dirs
+        run: |
+          version="$(sed 's/v//'<<<'${{ github.event.inputs.tag }}')"
+          for dir in *; do mv "$dir" "temporal-test-server_${version}_${dir}"; done        
+
+      - name: Tar (linux, macOS)
+        run: for dir in *{linux,macOS}*; do tar cvzf "${dir}.tar.gz" "$dir"; done
+
+      - name: Zip (windows)
+        run: for dir in *windows*; do zip -r "${dir}.zip" "$dir"; done
+
+      - name: Upload
+        run: gh release upload --clobber --repo ${{ github.repository }} ${{ github.event.inputs.tag }} *.zip *.tar.gz
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -72,4 +72,4 @@ subprojects {
             }
         }
     }
-}
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -72,4 +72,4 @@ subprojects { @@
                 }
             }
         }
-    }
+    }