cpswan
left a comment
I've not had a chance to thoroughly review this yet, but let's get the SHA pinning done
23e7339 to 04e92ed
cpswan
left a comment
We should be generating an SBOM and SLSA attestations during the release workflow (though I'm happy to do that as a standalone piece of work once the basic mechanics are in place).
https://github.com/atsign-foundation/noports/blob/trunk/.github/workflows/npt_flutter_release.yaml is a good example of a workflow where we've recently added that stuff.
.github/workflows/release.yml
Outdated
| default: '' | ||
|
|
||
| permissions: | ||
| contents: write |
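Review bot: the `permissions:` block with `contents: write` sits at workflow level, so every job inherits write access to the repository; move it under the individual jobs, giving `contents: write` only to a job that has to push a version tag or create a release and `contents: read` to the job that builds and uploads to Maven Central.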
permissions should be job scoped rather than for the whole workflow.
| contents: write | |
| contents: read |
gotcha, that's done
| name: Release | ||
|
|
||
| on: | ||
| workflow_dispatch: |
Normally we trigger a release with a tag that's generated by creating a GitHub release.
We often also have a workflow_dispatch trigger for manual testing.
I did start off with that approach but ran into problems in that the version tag should be on the commit that updated the pom versions, README edit and CHANGELOG. I guess we could have 2 lots of tags, those that trigger the release workflow and then a corresponding version tag that gets added as part of the workflow. Shall I go with that?
Take a look at https://github.com/atsign-foundation/noports/blob/trunk/.github/workflows/multibuild.yaml for how we handle similar needs for NoPorts
| server-username: "CENTRAL_USERNAME" # env variable for username in deploy | ||
| server-password: "CENTRAL_TOKEN" # env variable for token in deploy | ||
| gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} # Value of the GPG private key to import | ||
| gpg-passphrase: "GPG_PASSPHRASE" # env variable for GPG private key passphrase |
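Review bot: the four inputs mix two kinds of value and the trailing comments should say so explicitly: `server-username`, `server-password` and `gpg-passphrase` carry the names of environment variables (`CENTRAL_USERNAME`, `CENTRAL_TOKEN`, `GPG_PASSPHRASE`) that setup-java references in the generated settings.xml, while `gpg-private-key` receives the key material directly through `${{ secrets.GPG_PRIVATE_KEY }}`. Those named variables only have values if the deploy step sets them, e.g. `env: CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}`, so include that step's `env:` block in the diff or point to it from the comment; otherwise the deploy runs with empty credentials.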
Should probably be a secret rather than an ENV variable
The values are all secrets, but the comment is ambiguous: what is being configured in lines 1, 2 and 4 is the name of the environment variables used in setup-java. These match the secret names. If that makes sense?
Not really. If there's no ${{ ... }} to bring things in then where are the values being sourced from?
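As an added illustration, not code from this PR or the project, of how the points raised in this review fit together in one workflow: job-scoped permissions, a release-tag trigger alongside workflow_dispatch, setup-java's username/password/passphrase inputs naming environment variables that the deploy step populates from secrets, and the dispatch input reaching the shell through `env:` rather than by interpolation. The action SHAs, Java version, distribution, `server-id` and the `${revision}` property are placeholders or assumptions.

```yaml
name: Release

on:
  release:
    types: [published]        # a GitHub release creates the tag that drives the version
  workflow_dispatch:          # kept for manual testing
    inputs:
      release_version:
        description: 'Version to publish (manual runs only)'
        default: ''

# No workflow-level permissions block: each job declares only what it needs.
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # uploading to Maven Central needs no write access to the repo
    steps:
      - uses: actions/checkout@<full-commit-sha>     # placeholder: pin to a full commit SHA
      - uses: actions/setup-java@<full-commit-sha>   # placeholder: pin to a full commit SHA
        with:
          java-version: '17'                          # assumption
          distribution: 'temurin'                     # assumption
          server-id: central                          # assumption: matches the <server><id> used by the pom
          server-username: CENTRAL_USERNAME           # NAME of an env var, referenced from settings.xml
          server-password: CENTRAL_TOKEN              # NAME of an env var, referenced from settings.xml
          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}   # the key material itself, imported now
          gpg-passphrase: GPG_PASSPHRASE              # NAME of an env var read at signing time
      - name: Compute version
        id: compute
        env:
          RELEASE_INPUT: ${{ inputs.release_version }}   # input enters the shell as data, not script text
        run: |
          if [ -n "$RELEASE_INPUT" ]; then
            RELEASE="$RELEASE_INPUT"
          elif [ "$GITHUB_EVENT_NAME" = "release" ]; then
            RELEASE="${GITHUB_REF_NAME#v}"             # release tag vX.Y.Z -> X.Y.Z
          else
            echo "no release version supplied" >&2; exit 1
          fi
          echo "release=$RELEASE" >> "$GITHUB_OUTPUT"
      - name: Deploy to Maven Central
        env:
          CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}   # the named env vars get their values here
          CENTRAL_TOKEN: ${{ secrets.CENTRAL_TOKEN }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          RELEASE_VERSION: ${{ steps.compute.outputs.release }}
        run: mvn --batch-mode -Drevision="$RELEASE_VERSION" deploy   # assumption: pom uses ${revision}
```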
.github/workflows/release.yml
Outdated
|
|
||
| - name: Configure git | ||
| run: | | ||
| git config user.name "github-actions" |
| git config user.name "github-actions" | |
| git config user.name 'library-action[bot]' |
.github/workflows/release.yml
Outdated
| - name: Configure git | ||
| run: | | ||
| git config user.name "github-actions" | ||
| git config user.email "github-actions@github.com" |
| git config user.email "github-actions@github.com" | |
| git config user.email '41898282+github-actions[bot]@users.noreply.github.com' |
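Review bot: the two suggestions disagree on the bot identity: `user.name` becomes 'library-action[bot]' while `user.email` becomes the github-actions[bot] noreply address (`41898282+github-actions[bot]@users.noreply.github.com`). A name and email that belong to different accounts make it harder to audit which automation pushed a release commit or tag, so use `github-actions[bot]` for both, or the matching noreply address for whichever app actually makes the commits.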
| id: compute | ||
| run: | | ||
| if [ -n "${{ inputs.release_version }}" ]; then | ||
| RELEASE=${{ inputs.release_version }} |
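Review bot: `${{ inputs.release_version }}` is expanded into the script text before the shell runs, and `RELEASE=${{ inputs.release_version }}` is also unquoted, so the input is parsed as shell syntax rather than handled as data. Expose it through `env:` on the step, e.g. `RELEASE_VERSION: ${{ inputs.release_version }}`, then test `[ -n "$RELEASE_VERSION" ]` and assign `RELEASE="$RELEASE_VERSION"`; this also keeps working when the version is later taken from a release tag instead of an input.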
Likely needs to be reworked to use a release tag
I have created an issue for this and assigned it to the next sprint: #383
closes #377
- What I did
Added a release workflow that should be triggerable from the GitHub UI. This creates official versions of the Java SDK and uploads the artifacts to Maven Central.
- How I did it
- How to verify it
- Description for the changelog
build: release workflow