.github/workflows/deploy-site-reusable.yaml - logging-parent - Git at Google

 #
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
 # The ASF licenses this file to you under the Apache License, Version 2.0
 # (the "License"); you may not use this file except in compliance with
 # the License.  You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #

 name: deploy-site-reusable

 on:
   workflow_call:
     inputs:
       asf-yaml-content:
         description: The contents of the `.asf.yaml` that will be created
         required: true
         type: string
       java-version:
         description: The Java compiler version
         default: 17
         type: string
       install-required:
         description: Flag indicating if Maven `install` goal should be run before running the `site` goal
         default: false
         type: boolean
       target-branch:
         description: The name of the branch the generated site content will be written to
         required: true
         type: string
       target-path:
         description: The directory path the generated site content will be placed under
         default: "."
         type: string
     secrets:
       GPG_SECRET_KEY:
         description: GPG secret key for signing commits
         required: true

 jobs:

   deploy:

     runs-on: ubuntu-latest

     steps:

       - name: Checkout the source branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683   # 4.2.2

       - name: Set up Java
         uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b   # 3.7.0
         with:
           distribution: zulu
           java-version: ${{ inputs.java-version }}
           cache: maven
           gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}

       - name: Build the project
         shell: bash
         if: inputs.install-required
         run: |
           ./mvnw \
             --show-version --batch-mode --errors --no-transfer-progress \
             -Dmaven.test.skip \
             install

       # Node.js cache is needed for Antora
       - name: Set up Node.js cache
         id: nodejs-cache
         uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8   # 4.1.1
         with:
           # We should be calculating the cache key using `package-lock.json` instead!
           # See https://stackoverflow.com/a/48524475/1278899
           # For that, `package-lock.json` needs to be committed into the repository – right now it is `.gitignore`d.
           # Once it is there, we should ideally switch from `npm i` to `npm ci`.
           # For that, we need to configure `dependabot` to update hundreds of dependencies listed in `package-lock.json`.
           # That translates to a never ending rain of `dependabot` PRs.
           # I doubt if the wasted CPU cycles worth the gain.
           key: ${{ runner.os }}-nodejs-cache-${{ hashFiles('node', 'node_modules') }}
           # `actions/cache` doesn't recommend caching `node_modules`.
           # Though none of its recipes fit our bill, since we install Node.js using `frontend-maven-plugin`.
           # See https://github.com/actions/cache/blob/main/examples.md#node---npm
           # We settle for this quick-n-dirty solution for the time being.
           path: |
             node
             node_modules

       - name: Build the website
         shell: bash
         env:
           # Making Node.js cache hit visible for debugging purposes
           NODEJS_CACHE_HIT: ${{ steps.nodejs-cache.outputs.cache-hit }}
         run: |
           ./mvnw \
             --show-version --batch-mode --errors --no-transfer-progress \
             site
           cd target/site
           find . -empty -type d -delete
           find . -print0 | sort --zero-terminated | xargs -0 zip -qoX /tmp/site.zip
           echo "SOURCE_COMMIT_ID=$(git rev-parse HEAD)" >> $GITHUB_ENV

       - name: Set up Git user
         shell: bash
         run: |
           # Set up user name and email required for `git commit`
           git config user.name "ASF Logging Services RM"
           git config user.email private@logging.apache.org

       - name: Create the target branch
         shell: bash
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
         run: |
           git ls-remote --exit-code --heads origin "refs/heads/$TARGET_BRANCH" >/dev/null 2>&1 || {
             echo "Remote branch \`$TARGET_BRANCH\` doesn't exist, creating it"
             git checkout --orphan "$TARGET_BRANCH"
             echo "Content for initializing an orphan branch for the website to be generated from \`$SOURCE_COMMIT_ID\`" > README.txt
             git add README.txt
             git commit -S README.txt -m "Initial content for the website to be generated from \`$SOURCE_COMMIT_ID\`"
             git push origin "$TARGET_BRANCH"
           }

       - name: Checkout the target branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683   # 4.2.2
         with:
           ref: ${{ inputs.target-branch }}

       - name: Update the target path
         shell: bash
         env:
           TARGET_PATH: ${{ inputs.target-path }}
           ASF_YAML_CONTENT: ${{ inputs.asf-yaml-content }}
         run: |

           # Check if there already exists an `.asf.yaml`
           ASF_YAML_EXISTS=$([ -f .asf.yaml ] && echo "true" || echo "false")

           # Clean up the target path
           if [ "." = "$TARGET_PATH" ]; then
             git ls-files -z | xargs -0 git rm -rfq
           else
             git rm -rfq "$TARGET_PATH"
           fi

           # Place the generated site
           unzip -q /tmp/site.zip -d "$TARGET_PATH"
           git add "$TARGET_PATH"

           # Recover `.asf.yaml`, if there was one.
           # Otherwise `git status` will always show a change even when there are no changes in the website content.
           # That is because we always populate `.asf.yaml` with some random values at the end to fix an INFRA issue.
           if [ "$ASF_YAML_EXISTS" = "true" ]; then
             git checkout HEAD .asf.yaml
           fi

           # Commit changes, if there are any
           if [ -n "$(git status --porcelain)" ]; then

             # Commit & push site changes
             git commit -S -a -m "Add website content generated from \`$SOURCE_COMMIT_ID\`"
             git push -f origin

             # Populate `.asf.yaml`
             cat >.asf.yaml <<EOF
           $ASF_YAML_CONTENT

           # INFRA cannot handle change sets bigger than a certain size: https://the-asf.slack.com/archives/CBX4TSBQ8/p1709724983391709
           # This file will be used to push a small commit to help the INFRA to recover.
           #
           # Random values to cause a change:
           #
           # - Seed: $RANDOM
           # - Commit ID: $SOURCE_COMMIT_ID
           # - Timestamp: $(date --utc '+%Y-%m-%dT%H:%M:%SZ')
           EOF
             git add .asf.yaml
             git commit -S .asf.yaml -m "Add \`.asf.yaml\` along with an INFRA fix for the website content generated from \`$SOURCE_COMMIT_ID\`"

             # Push changes *separately*!
             # A separate small commit push necessary due to the INFRA issue explained above.
             git push -f origin

           fi
	#
	# Licensed to the Apache Software Foundation (ASF) under one or more
	# contributor license agreements. See the NOTICE file distributed with
	# this work for additional information regarding copyright ownership.
	# The ASF licenses this file to you under the Apache License, Version 2.0
	# (the "License"); you may not use this file except in compliance with
	# the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	#

	name: deploy-site-reusable

	on:
	workflow_call:
	inputs:
	asf-yaml-content:
	description: The contents of the `.asf.yaml` that will be created
	required: true
	type: string
	java-version:
	description: The Java compiler version
	default: 17
	type: string
	install-required:
	description: Flag indicating if Maven `install` goal should be run before running the `site` goal
	default: false
	type: boolean
	target-branch:
	description: The name of the branch the generated site content will be written to
	required: true
	type: string
	target-path:
	description: The directory path the generated site content will be placed under
	default: "."
	type: string
	secrets:
	GPG_SECRET_KEY:
	description: GPG secret key for signing commits
	required: true

	jobs:

	deploy:

	runs-on: ubuntu-latest

	steps:

	- name: Checkout the source branch
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2

	- name: Set up Java
	uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # 3.7.0
	with:
	distribution: zulu
	java-version: ${{ inputs.java-version }}
	cache: maven
	gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}

	- name: Build the project
	shell: bash
	if: inputs.install-required
	run: \|
	./mvnw \
	--show-version --batch-mode --errors --no-transfer-progress \
	-Dmaven.test.skip \
	install

	# Node.js cache is needed for Antora
	- name: Set up Node.js cache
	id: nodejs-cache
	uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # 4.1.1
	with:
	# We should be calculating the cache key using `package-lock.json` instead!
	# See https://stackoverflow.com/a/48524475/1278899
	# For that, `package-lock.json` needs to be committed into the repository – right now it is `.gitignore`d.
	# Once it is there, we should ideally switch from `npm i` to `npm ci`.
	# For that, we need to configure `dependabot` to update hundreds of dependencies listed in `package-lock.json`.
	# That translates to a never ending rain of `dependabot` PRs.
	# I doubt if the wasted CPU cycles worth the gain.
	key: ${{ runner.os }}-nodejs-cache-${{ hashFiles('node', 'node_modules') }}
	# `actions/cache` doesn't recommend caching `node_modules`.
	# Though none of its recipes fit our bill, since we install Node.js using `frontend-maven-plugin`.
	# See https://github.com/actions/cache/blob/main/examples.md#node---npm
	# We settle for this quick-n-dirty solution for the time being.
	path: \|
	node
	node_modules

	- name: Build the website
	shell: bash
	env:
	# Making Node.js cache hit visible for debugging purposes
	NODEJS_CACHE_HIT: ${{ steps.nodejs-cache.outputs.cache-hit }}
	run: \|
	./mvnw \
	--show-version --batch-mode --errors --no-transfer-progress \
	site
	cd target/site
	find . -empty -type d -delete
	find . -print0 \| sort --zero-terminated \| xargs -0 zip -qoX /tmp/site.zip
	echo "SOURCE_COMMIT_ID=$(git rev-parse HEAD)" >> $GITHUB_ENV

	- name: Set up Git user
	shell: bash
	run: \|
	# Set up user name and email required for `git commit`
	git config user.name "ASF Logging Services RM"
	git config user.email private@logging.apache.org

	- name: Create the target branch
	shell: bash
	env:
	TARGET_BRANCH: ${{ inputs.target-branch }}
	run: \|
	git ls-remote --exit-code --heads origin "refs/heads/$TARGET_BRANCH" >/dev/null 2>&1 \|\| {
	echo "Remote branch \`$TARGET_BRANCH\` doesn't exist, creating it"
	git checkout --orphan "$TARGET_BRANCH"
	echo "Content for initializing an orphan branch for the website to be generated from \`$SOURCE_COMMIT_ID\`" > README.txt
	git add README.txt
	git commit -S README.txt -m "Initial content for the website to be generated from \`$SOURCE_COMMIT_ID\`"
	git push origin "$TARGET_BRANCH"
	}

	- name: Checkout the target branch
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
	with:
	ref: ${{ inputs.target-branch }}

	- name: Update the target path
	shell: bash
	env:
	TARGET_PATH: ${{ inputs.target-path }}
	ASF_YAML_CONTENT: ${{ inputs.asf-yaml-content }}
	run: \|

	# Check if there already exists an `.asf.yaml`
	ASF_YAML_EXISTS=$([ -f .asf.yaml ] && echo "true" \|\| echo "false")

	# Clean up the target path
	if [ "." = "$TARGET_PATH" ]; then
	git ls-files -z \| xargs -0 git rm -rfq
	else
	git rm -rfq "$TARGET_PATH"
	fi

	# Place the generated site
	unzip -q /tmp/site.zip -d "$TARGET_PATH"
	git add "$TARGET_PATH"

	# Recover `.asf.yaml`, if there was one.
	# Otherwise `git status` will always show a change even when there are no changes in the website content.
	# That is because we always populate `.asf.yaml` with some random values at the end to fix an INFRA issue.
	if [ "$ASF_YAML_EXISTS" = "true" ]; then
	git checkout HEAD .asf.yaml
	fi

	# Commit changes, if there are any
	if [ -n "$(git status --porcelain)" ]; then

	# Commit & push site changes
	git commit -S -a -m "Add website content generated from \`$SOURCE_COMMIT_ID\`"
	git push -f origin

	# Populate `.asf.yaml`
	cat >.asf.yaml <<EOF
	$ASF_YAML_CONTENT

	# INFRA cannot handle change sets bigger than a certain size: https://the-asf.slack.com/archives/CBX4TSBQ8/p1709724983391709
	# This file will be used to push a small commit to help the INFRA to recover.
	#
	# Random values to cause a change:
	#
	# - Seed: $RANDOM
	# - Commit ID: $SOURCE_COMMIT_ID
	# - Timestamp: $(date --utc '+%Y-%m-%dT%H:%M:%SZ')
	EOF
	git add .asf.yaml
	git commit -S .asf.yaml -m "Add \`.asf.yaml\` along with an INFRA fix for the website content generated from \`$SOURCE_COMMIT_ID\`"

	# Push changes separately!
	# A separate small commit push necessary due to the INFRA issue explained above.
	git push -f origin

	fi