gbfs-validator-java/.github/workflows/release.yml at master · MobilityData/gbfs-validator-java · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
name: Release
# Required secrets / variables:
#
#   Secrets are loaded from 1Password when both of the following are set:
#     - secrets.OP_SERVICE_ACCOUNT_TOKEN   — 1Password service account token
#     - vars.ONE_PASSWORD_SECRET_REFERENCES — 1Password secret references for the variables below
#
#   Without 1Password, set these GitHub repository secrets directly as a fallback:
#     - MAVEN_GPG_PRIVATE_KEY              — armored GPG private key (used to sign artifacts)
#     - MAVEN_GPG_PASSPHRASE               — passphrase for the GPG key
#     - MAVEN_CENTRAL_PORTAL_TOKEN_USERNAME — Maven Central portal token username
#     - MAVEN_CENTRAL_PORTAL_TOKEN_PASSWORD — Maven Central portal token password

# Triggered when a GitHub release is published (released).
# Builds, signs, and publishes all artifacts to Maven Central automatically.
# The CLI fat jar is also uploaded to the GitHub release assets.
#
# The project version is derived from the git tag (e.g. v3.0.0 → 3.0.0) and applied to all
# modules in-place via versions:set before building. No pom.xml version commits are needed.
on:
  release:
    types: [released]

env:
  java_version: '17'
  java_distribution: 'zulu'

jobs:
  release:
    runs-on: ubuntu-24.04
    permissions:
      contents: write
    env:
      HAS_1PASSWORD: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN != '' && vars.ONE_PASSWORD_SECRET_REFERENCES != '' }}
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
          # Check out the exact tagged commit so the version is correctly resolved from the tag.
          ref: ${{ github.event.release.tag_name }}
      - name: Set up JDK ${{ env.java_version }}-${{ env.java_distribution }}
        uses: actions/setup-java@v5
        with:
          java-version: ${{ env.java_version }}
          distribution: ${{ env.java_distribution }}
      - name: Print Java and Maven versions
        run: mvn --version
      - name: Cache Maven dependencies
        uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
            ${{ runner.os }}-maven-
            ${{ runner.os }}-
      - name: Load secrets from 1Password
        if: env.HAS_1PASSWORD == 'true'
        # Pinned to a specific tag for supply-chain safety. Update the tag in gtfs-validator if the action changes.
        uses: MobilityData/gtfs-validator/.github/actions/extract-1password-secret@USED_BY_GBFS_VALIDATOR_JAVA # 7bf2832
        with:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          VARIABLES_TO_EXTRACT: 'MAVEN_GPG_PASSPHRASE, MAVEN_GPG_PRIVATE_KEY, MAVEN_CENTRAL_PORTAL_TOKEN_USERNAME, MAVEN_CENTRAL_PORTAL_TOKEN_PASSWORD'
          ONE_PASSWORD_SECRET_REFERENCES: ${{ vars.ONE_PASSWORD_SECRET_REFERENCES }}
      - name: Load secrets from GitHub secrets (fallback for forks without 1Password)
        if: env.HAS_1PASSWORD != 'true'
        env:
          GPG_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
          GPG_PASS: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
          MVN_USER: ${{ secrets.MAVEN_CENTRAL_PORTAL_TOKEN_USERNAME }}
          MVN_PASS: ${{ secrets.MAVEN_CENTRAL_PORTAL_TOKEN_PASSWORD }}
        run: |
          {
            echo "MAVEN_GPG_PASSPHRASE=$GPG_PASS"
            echo "MAVEN_GPG_PRIVATE_KEY<<GPG_EOF"
            echo "$GPG_KEY"
            echo "GPG_EOF"
            echo "MAVEN_CENTRAL_PORTAL_TOKEN_USERNAME=$MVN_USER"
            echo "MAVEN_CENTRAL_PORTAL_TOKEN_PASSWORD=$MVN_PASS"
          } >> "$GITHUB_ENV"
      - name: Set release version from tag
        run: |
          TAG="${{ github.event.release.tag_name }}"
          VERSION="${TAG#v}"
          echo "Setting version: $VERSION"
          mvn --batch-mode -ntp versions:set -DnewVersion="$VERSION" -DprocessAllModules=true -DgenerateBackupPoms=false
      - name: Verify version is not placeholder
        run: |
          VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
          if [[ "$VERSION" == *"placeholder"* || "$VERSION" == "0.0.0"* ]]; then
            echo "ERROR: Version is still '$VERSION' — aborting release."
            exit 1
          fi
          echo "Version OK: $VERSION"
      - name: Stage artifacts
        run: mvn deploy -Ppublication -Dprettier.skip=true -ntp
      - name: Upload CLI fat jar to GitHub release
        run: |
          gh release upload "${{ github.event.release.tag_name }}" \
            gbfs-validator-java-cli/target/gbfs-validator-cli.jar \
            --clobber
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Deploy to Maven Central
        env:
          JRELEASER_GPG_PASSPHRASE: ${{ env.MAVEN_GPG_PASSPHRASE }}
          JRELEASER_GPG_SECRET_KEY: ${{ env.MAVEN_GPG_PRIVATE_KEY }}
        run: mvn jreleaser:deploy -Djreleaser.output.directory=out -ntp -N
      - name: Upload JReleaser output
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: jreleaser-release-logs
          path: out/