| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # https://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| name: build |
| |
| on: |
| push: |
| # Avoid workflow run for _merged_ `dependabot` PRs. |
| # They were (hopefully!) already tested in PR-triggered workflow. |
| branches-ignore: "dependabot/**" |
| pull_request: |
| paths-ignore: |
| - "**.adoc" |
| - "**.md" |
| - "**.txt" |
| |
| permissions: |
| contents: write |
| pull-requests: write |
| |
| jobs: |
| |
| build: |
| |
| runs-on: ${{ matrix.os }} |
| |
| strategy: |
| matrix: |
| os: [ macos-latest, ubuntu-latest, windows-latest ] |
| |
| steps: |
| |
| - name: Checkout repository |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # 3.3.0 |
| |
| - name: Setup JDK 11 |
| uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # 3.7.0 |
| with: |
| distribution: temurin |
| java-version: 11 |
| java-package: jdk |
| architecture: x64 |
| cache: maven |
| |
| # We could have used `verify`, but `clean install` is required while generating the build reproducibility report, which is performed in the next step. |
| # For details, see: https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility |
| - name: Build |
| shell: bash |
| run: | |
| ./mvnw \ |
| --show-version --batch-mode --errors --no-transfer-progress \ |
| -DtrimStackTrace=false \ |
| -DinstallAtEnd=true \ |
| clean install |
| |
| # `clean verify artifact:compare` is required to generate the build reproducibility report. |
| # For details, see: https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility |
| - name: Report build reproducibility |
| shell: bash |
| run: | |
| ./mvnw \ |
| --show-version --batch-mode --errors --no-transfer-progress \ |
| -DskipTests=true \ |
| clean verify artifact:compare |
| |
| - name: Verify build reproducibility |
| shell: bash |
| run: | |
| for report_file in target/*.buildcompare **/target/*.buildcompare; do |
| if ! grep -q "^ko=0$" "$report_file"; then |
| echo "Spotted build reproducibility failure in \`$report_file\`:" |
| cat "$report_file" |
| exit 1 |
| fi |
| done |
| |
| merge: |
| |
| runs-on: ubuntu-latest |
| needs: build |
| |
| steps: |
| |
| - name: "[dependabot] Fetch metadata" |
| id: metadata |
| if: github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' |
| uses: dependabot/fetch-metadata@v1.3.5 |
| with: |
| github-token: "${{ secrets.GITHUB_TOKEN }}" |
| |
| - name: "[dependabot] Auto-merge the PR" |
| if: github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' |
| run: gh pr merge --auto --squash "$PR_URL" |
| env: |
| PR_URL: ${{ github.event.pull_request.html_url }} |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| |
| deploy: |
| |
| runs-on: ubuntu-latest |
| needs: merge |
| if: github.repository == 'apache/logging-log4j-tools' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release/')) |
| |
| steps: |
| |
| - name: Checkout repository |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # 3.3.0 |
| |
| - name: Setup Java & GPG |
| uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # 3.7.0 |
| with: |
| distribution: temurin |
| java-version: 11 |
| java-package: jdk |
| architecture: x64 |
| cache: maven |
| server-id: ${{ github.ref == 'refs/heads/master' && 'apache.snapshots.https' || 'apache.releases.https' }} |
| server-username: NEXUS_USERNAME |
| server-password: NEXUS_PASSWORD |
| # We won't use `maven-gpg-plugin`, but this is convenient to import the GPG secret key |
| gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} |
| |
| - name: Export artifact version |
| run: | |
| export PROJECT_VERSION=$(./mvnw \ |
| --quiet --batch-mode -DforceStdout=true \ |
| -Dexpression=project.version \ |
| help:evaluate \ |
| | tail -n 1) |
| echo "PROJECT_VERSION=$PROJECT_VERSION" >> $GITHUB_ENV |
| |
| - name: Check version (SNAPSHOT) |
| if: github.ref == 'refs/heads/master' |
| run: | |
| [[ "$PROJECT_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-SNAPSHOT$ ]] || { |
| echo "was expecting a snapshot version, found: \"$PROJECT_VERSION\"" 1>&2 |
| exit 1 |
| } |
| |
| - name: Check version (RELEASE) |
| if: startsWith(github.ref, 'refs/heads/release/') |
| run: | |
| [[ "${GITHUB_REF/refs\/heads\/release\//}" == "$PROJECT_VERSION" ]] || { |
| echo "git ref \"$GITHUB_REF\" mismatches with the version: \"$PROJECT_VERSION\"" 1>&2 |
| exit 1 |
| } |
| [[ "$PROJECT_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { |
| echo "was expecting a release version, found: \"$PROJECT_VERSION\"" 1>&2 |
| exit 1 |
| } |
| export CHANGELOG_VERSION=$(grep "^== " CHANGELOG.adoc | head -n 1 | sed -r 's/^== (.+) \(.+\)$/\1/') |
| [[ "$PROJECT_VERSION" == "$CHANGELOG_VERSION" ]] || { |
| echo "version \"$PROJECT_VERSION\" doesn't match the one in changelog: \"$CHANGELOG_VERSION\"" 1>&2 |
| exit 1 |
| } |
| export CURRENT_DATE=$(date +%Y-%m-%d) |
| export CHANGELOG_DATE=$(grep "^== " CHANGELOG.adoc | head -n 1 | sed -r 's/^== .+ \((.+)\)$/\1/') |
| [[ "$CURRENT_DATE" == "$CHANGELOG_DATE" ]] || { |
| echo "current date \"$CURRENT_DATE\" doesn't match the one in the changelog: \"$CHANGELOG_DATE\"" 1>&2 |
| exit 1 |
| } |
| |
| - name: Deploy |
| run: | |
| gpg --list-secret-keys |
| ./mvnw \ |
| --show-version --batch-mode --errors --no-transfer-progress \ |
| -P release |
| env: |
| # `NEXUS_USERNAME` and `NEXUS_PASSWORD` are used in `~/.m2/settings.xml` created by `setup-java` action |
| NEXUS_USERNAME: ${{ github.ref == 'refs/heads/master' && secrets.NEXUS_USER || secrets.LOGGING_STAGE_DEPLOYER_USER }} |
| NEXUS_PASSWORD: ${{ github.ref == 'refs/heads/master' && secrets.NEXUS_PW || secrets.LOGGING_STAGE_DEPLOYER_PW }} |
| # `SIGN_KEY` is used by `sign-maven-plugin` |
| SIGN_KEY: ${{ secrets.GPG_SECRET_KEY }} |
| |
| - name: Create artifacts (RELEASE) |
| if: startsWith(github.ref, 'refs/heads/release/') |
| run: | |
| export ZIP_FILEPATH="/tmp/apache-log4j-tools-${PROJECT_VERSION}-src.zip" |
| git ls-files -z | xargs -0 zip -9 "$ZIP_FILEPATH" -- |
| gpg --armor --detach-sign --yes --pinentry-mode error "$ZIP_FILEPATH" |
| |
| - name: Upload artifacts (RELEASE) |
| if: startsWith(github.ref, 'refs/heads/release/') |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # 3.1.2 |
| with: |
| name: Sources |
| path: /tmp/apache-log4j-tools-*-src.zip* |
| if-no-files-found: error |
| |
| - name: Tag version (RELEASE) |
| if: startsWith(github.ref, 'refs/heads/release/') |
| run: | |
| export TAG="v$PROJECT_VERSION" |
| git config user.name github-actions |
| git config user.email github-actions@github.com |
| git tag --force "$TAG" |
| git push --force origin "$TAG" |