-
Notifications
You must be signed in to change notification settings - Fork 1
195 lines (187 loc) · 6.33 KB
/
module.publish.yml
File metadata and controls
195 lines (187 loc) · 6.33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
name: "Module: Publish"
on:
## Manual dispatch
workflow_dispatch: {}
## Sub-workflow call
workflow_call:
inputs:
runner:
type: string
required: false
description: "Runner to use"
snapshot:
type: boolean
default: false
description: "Snapshot"
live:
type: boolean
default: false
description: "Live"
secrets:
BUILDLESS_APIKEY:
required: true
description: "API key for build caching"
PUBLISH_TOKEN:
required: true
description: "Publishing token"
GPG_PRIVATE_KEY:
required: true
description: "GPG private key"
env:
CI: true
# Read-only permissions by default.
permissions:
contents: read
# One active build per reference, per workflow.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
## Stage: Download Artifacts
download-artifacts:
name: "Setup: Artifacts"
runs-on: ${{ vars.RUNNER || inputs.runner || 'ubuntu-latest' }}
permissions:
contents: read
outputs:
artifacts: ${{ steps.download.outputs.artifacts }}
steps:
- name: "Setup: Harden Runner"
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- name: "Setup: Checkout"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: "Setup: JDK ${{ inputs.java_version || vars.JVM_VERSION }}"
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
with:
java-version: ${{ inputs.java_version || vars.JVM_VERSION }}
distribution: ${{ inputs.jvm || vars.JVM_VARIANT || 'zulu' }}
- name: "Setup: Artifacts"
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: libraries-jvm
## Stage: Publish Snapshot
publish-snapshot:
name: "Publish: Snapshot"
runs-on: ${{ vars.RUNNER || inputs.runner || 'ubuntu-latest' }}
needs: ['download-artifacts']
if: inputs.snapshot
environment:
name: "snapshots"
permissions:
id-token: write
contents: read
packages: write
steps:
- name: "Setup: Harden Runner"
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.azul.com:443
cdn.azul.com:443
fulcio.sigstore.dev:443
github.com:443
gradle.less.build:443
gradle.pkg.st:443
dl.less.build:443
agent.less.build:443
global.less.build:443
maven.pkg.st:443
gradle.pkg.st:443
edge.pkg.st:443
maven.pkg.github.com:443
rekor.sigstore.dev:443
scans-in.gradle.com:443
tuf-repo-cdn.sigstore.dev:443
- name: "Setup: Checkout"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: "Setup: Signing Keys"
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
- name: "Setup: JDK ${{ inputs.java_version || vars.JVM_VERSION }}"
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
with:
java-version: ${{ inputs.java_version || vars.JVM_VERSION }}
distribution: ${{ inputs.jvm || vars.JVM_VARIANT || 'zulu' }}
- name: "Setup: Artifacts"
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: libraries-jvm
- name: "Publish: Snapshots"
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v2
id: publish
env:
CI: true
BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
cache-read-only: false
arguments: |
publishSandbox
-Pstamp=false
-Pversion=1.0-SNAPSHOT
--scan
--warning-mode=none
--dependency-verification=lenient
--no-configuration-cache
-Pci=true
## Stage: Publish Live
publish-live:
name: "Publish: Live"
runs-on: ${{ vars.RUNNER || inputs.runner || 'ubuntu-latest' }}
needs: ['download-artifacts', 'publish-snapshot']
if: inputs.live
environment:
name: "live"
permissions:
id-token: write
contents: read
packages: write
steps:
- name: "Setup: Harden Runner"
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- name: "Setup: Checkout"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: "Setup: Signing Keys"
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
- name: "Setup: JDK ${{ inputs.java_version || vars.JVM_VERSION }}"
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
with:
java-version: ${{ inputs.java_version || vars.JVM_VERSION }}
distribution: ${{ inputs.jvm || vars.JVM_VARIANT || 'zulu' }}
- name: "Setup: Artifacts"
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: libraries-jvm
- name: "Publish: Live"
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v2
id: publish
env:
CI: true
BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
GITHUB_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
GITHUB_ACTOR: ${{ vars.PUBLISH_ACTOR }}
with:
cache-read-only: false
arguments: |
publishAllPublicationsToGitHubPackagesRepository
-Pstamp=true
--scan
--warning-mode=none
--dependency-verification=lenient
--no-configuration-cache
-Pci=true