diff --git a/.github/workflows/release-publish-ossrh.yml b/.github/workflows/release-publish-ossrh.yml
deleted file mode 100644
index 5065498c..00000000
--- a/.github/workflows/release-publish-ossrh.yml
+++ /dev/null
@@ -1,114 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow performs a Maven Release -# - -name: Maven Release OSSRH - -on: - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -# This workflow is part of the release group and will not run concurrently with other workflows in the same group -concurrency: - group: release - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # The e2e-test job first verifies the release with multiple fusionauth versions - e2e-test: - uses: ./.github/workflows/e2e-test-fusionauth-matrix-android-latest.yml - - # The create_staging_repository job creates a repository in sonatype used in later jobs - create_staging_repository: - runs-on: ubuntu-latest - name: Create staging repository - outputs: - repository_id: ${{ steps.create.outputs.repository_id }} - steps: - - id: create - uses: nexus-actions/create-nexus-staging-repo@990063f02160c633c168037b8b3e8585c76469fe # v1.3.0 - with: - username: ${{ secrets.NXRM_TOKEN_USERNAME }} - password: ${{ secrets.NXRM_TOKEN_PASSWORD }} - staging_profile_id: ${{ secrets.NXRM_PROFILE_ID }} - description: ${{ github.repository }}/${{ github.workflow }}#${{ github.run_number }} - - # The publish job builds and publishes the release in to sonatype staging repository - publish: - name: Maven Release - - permissions: - # required for all workflows - security-events: write - # only required for workflows in private repositories - actions: read - contents: read - - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Requires the staging_profile_id and e2e-test job - needs: [ create_staging_repository,e2e-test ] - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Sets up JDK as a 
prerequisite to run Gradle - - name: Setup Java - uses: actions/setup-java@v5 - with: - java-version: '17' - distribution: 'zulu' - - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - name: Checkout repository - uses: actions/checkout@v6 - - # Sets up Gradle as a prerequisite to run Maven Release - - name: Setup Gradle - uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0 - with: - gradle-home-cache-cleanup: true - - # Performs a Local Maven Release - - name: Run Maven Local Release - env: - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_SIGNING_KEY }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_SIGNING_PASSWORD }} - run: ./gradlew publishReleasePublicationToMavenLocal - - # Performs a Maven Release to oss.sonatype.org - - name: Run Maven Release to OSSRH - env: - ossrhUsername: ${{ secrets.NXRM_TOKEN_USERNAME }} - ossrhPassword: ${{ secrets.NXRM_TOKEN_PASSWORD }} - ORG_GRADLE_PROJECT_ossrhUsername: ${{ secrets.NXRM_TOKEN_USERNAME }} - ORG_GRADLE_PROJECT_ossrhPassword: ${{ secrets.NXRM_TOKEN_PASSWORD }} - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_SIGNING_KEY }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_SIGNING_PASSWORD }} - SONATYPE_REPOSITORY_ID: ${{ needs.create_staging_repository.outputs.repository_id }} - run: ./gradlew clean publishReleasePublicationToOSSRHRepository - - # The finalize job checks for the success for failure of previous jobs and then either discards or releases the published build - finalize: - runs-on: ubuntu-latest - needs: [ create_staging_repository,publish,e2e-test ] - if: ${{ always() && needs.create_staging_repository.result == 'success' }} - steps: - - name: Discard - if: ${{ needs.publish.result != 'success' }} - uses: nexus-actions/drop-nexus-staging-repo@c27212525c2a475b7f87728fefd2f899002183fa # v1.1.0 - with: - username: ${{ secrets.NXRM_TOKEN_USERNAME }} - password: ${{ secrets.NXRM_TOKEN_PASSWORD }} - staging_repository_id: ${{ 
needs.create_staging_repository.outputs.repository_id }} - - name: Release - if: ${{ needs.publish.result == 'success' }} - uses: nexus-actions/release-nexus-staging-repo@6632a81bfab63557b2717e8423b0a620ae5aa414 # v1.3.0 - with: - username: ${{ secrets.NXRM_TOKEN_USERNAME }} - password: ${{ secrets.NXRM_TOKEN_PASSWORD }} - staging_repository_id: ${{ needs.create_staging_repository.outputs.repository_id }} diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml new file mode 100644 index 00000000..d423522e --- /dev/null +++ b/.github/workflows/release-publish.yml 
@@ -0,0 +1,122 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow performs a Maven Release to Central Portal
+#
+
+name: Maven Release Central Portal
+
+on:
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# This workflow is part of the release group and will not run concurrently with other workflows in the same group
+concurrency:
+ group: release
+
+env:
+ AWS_REGION: us-west-2
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # The e2e-test job first verifies the release with multiple fusionauth versions
+ e2e-test:
+ uses: ./.github/workflows/e2e-test-fusionauth-matrix-android-latest.yml
+
+ # The publish job builds and publishes the release to Central Portal
+ publish:
+ name: Maven Release
+
+ permissions:
+ # required for all workflows
+ security-events: write
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+ id-token: write
+
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Requires e2e-test job
+ needs: [ e2e-test ]
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Sets up JDK as a prerequisite to run Gradle
+ - name: Setup Java
+ uses: actions/setup-java@v5
+ with:
+ java-version: '17'
+ distribution: 'zulu'
+
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: set aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::752443094709:role/gha-fusionauth-android-sdk
+ role-session-name: aws-auth-action
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: get secrets into the env
+ run: |
+ while IFS=$'\t' read -r key value; do
+ echo "::add-mask::${value}"
+ echo "${key}=${value}" >> $GITHUB_ENV
+ done < <(aws secretsmanager get-secret-value \
+ --region us-west-2 \
+ --secret-id platform/maven \
+ --query SecretString \
+ --output text | \
+ jq -r 'to_entries[] | [.key, .value] | @tsv')
+
+ # Sets up Gradle as a prerequisite to run Maven Release
+ - name: Setup Gradle
+ uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+ with:
+ gradle-home-cache-cleanup: true
+
+ # Performs a Local Maven Release
+ - name: Run Maven Local Release
+ env:
+ ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_SIGNING_KEY }}
+ ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_SIGNING_PASSWORD }}
+ run: ./gradlew publishReleasePublicationToMavenLocal
+
+ # Build and sign the publication bundle
+ - name: Build Publication Bundle
+ env:
+ ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_SIGNING_KEY }}
+ ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_SIGNING_PASSWORD }}
+ run: ./gradlew publishReleasePublicationToMavenLocalRepository
+
+ # Create deployment bundle for Central Portal
+ - name: Create Deployment Bundle
+ run: |
+ cd library/build/maven-local-repository
+ zip -r ../deployment-bundle.zip .
+
+ # Publish to Central Portal
+ - name: Publish to Central Portal
+ run: |
+ HTTP_STATUS=$(curl --request POST \
+ --silent \
+ --output response.json \
+ --write-out "%{http_code}" \
+ --user '${{ env.CENTRAL_USERNAME }}:${{ env.CENTRAL_PASSWORD }}' \
+ --form bundle=@library/build/deployment-bundle.zip \
+ https://central.sonatype.com/api/v1/publisher/upload?publishingType=AUTOMATIC)
+
+ echo "Response from Central Portal:"
+ cat response.json
+ echo
+
+ # Check if the upload was successful based on HTTP status code
+ if [ "$HTTP_STATUS" -lt 200 ] || [ "$HTTP_STATUS" -ge 300 ]; then
+ echo "Error: Upload failed with HTTP status ${HTTP_STATUS}"
+ fi
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b1278dd8..ce1804bb 100644
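Review bot: The status check that closes the `Publish to Central Portal` step only echoes the failure, so a rejected upload still ends the job green and the release looks published; add `exit 1` after the `echo "Error: Upload failed with HTTP status ${HTTP_STATUS}"` line. The same step renders the credentials into the script text with `--user '${{ env.CENTRAL_USERNAME }}:${{ env.CENTRAL_PASSWORD }}'`, so a single quote in either value breaks the quoting; they are presumably already in the environment from the `get secrets into the env` step, so `--user "${CENTRAL_USERNAME}:${CENTRAL_PASSWORD}"` reads them in the shell instead. That earlier step exports every key of `platform/maven` to all later steps, including both Gradle invocations, and copying only the keys this job uses would narrow the exposure. `aws-actions/configure-aws-credentials@v4` is referenced by tag in a job that holds `id-token: write`, while `setup-gradle` is pinned to a commit SHA; pinning it the same way keeps the role assumption tied to reviewed code.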
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -137,7 +137,7 @@ jobs: GH_TOKEN: ${{ github.token }} RELEASE_TAG: ${{ needs.prerelease-prep.outputs.tag_name }} run: | - gh workflow run release-publish-ossrh.yml --ref refs/tags/$RELEASE_TAG + gh workflow run release-publish.yml --ref refs/tags/$RELEASE_TAG # This job runs post-release steps post-release: diff --git a/library/build.gradle.kts b/library/build.gradle.kts index d706d2dd..0c9aabb0 100644 --- a/library/build.gradle.kts +++ b/library/build.gradle.kts @@ -111,26 +111,10 @@ publishing { // Here we define some repositories that we can publish our outputs to. repositories { - // Specifying that this is a custom maven repository. maven { - // This is the name of the repo that is used as the value of ${target} - // from above. - name = "OSSRH" - - // Self-explanatory. - setUrl { - val repositoryId = - System.getenv("SONATYPE_REPOSITORY_ID") ?: error("Missing env variable: SONATYPE_REPOSITORY_ID") - "https://oss.sonatype.org/service/local/staging/deployByRepositoryId/${repositoryId}/" - } - - // These need to be defined in ~/.gradle/gradle.properties: - // ossrhUsername= - // ossrhPassword= - credentials { - username = project.findProperty("ossrhUsername") as String? - password = project.findProperty("ossrhPassword") as String? - } + // publish to a local directory first + name = "MavenLocal" + url = uri("${buildDir}/maven-local-repository") } } }
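Review bot: Naming the repository `MavenLocal` generates the task `publishReleasePublicationToMavenLocalRepository`, which differs by one word from Gradle's built-in `publishReleasePublicationToMavenLocal` (that one writes to `~/.m2`); the release workflow in this commit runs both, and only the former fills the directory that is zipped and uploaded. A distinct name, for example `name = "CentralBundle"` with the workflow task renamed to match, makes it harder to bundle the wrong output. `buildDir` is deprecated in recent Gradle releases, so `url = uri(layout.buildDirectory.dir("maven-local-repository"))` is the forward-compatible form if the project's Gradle version supports it. The directory is not cleaned before publishing and the new workflow no longer runs `clean`, so outside a fresh checkout the zip can pick up artifacts left by an earlier build. The `publishing` block starts and ends outside the hunk.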