Allow manual runs of the security check (#233) #75
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# yamllint --format github .github/workflows/deploy.yml | |
--- | |
name: deploy | |
# We deploy on master and release versions, regardless of if the commit is | |
# documentation-only or not. | |
on: # yamllint disable-line rule:truthy | |
push: | |
branches: | |
- master | |
# Don't deploy tags because the same commit for MAJOR.MINOR.PATCH is also | |
# on master: Redundant deployment of a release version will fail uploading. | |
tags-ignore: | |
- '*' | |
jobs: | |
deploy: | |
runs-on: ubuntu-24.04 # newest available distribution, aka numbat | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@v4 | |
with: | |
# Prevent use of implicit GitHub Actions read-only GITHUB_TOKEN | |
# because javadoc_to_gh_pages pushes commits to the gh-pages branch. | |
token: ${{ secrets.GH_TOKEN }} | |
- name: Setup java | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'zulu' # zulu as it supports a wide version range | |
java-version: '17' # earliest LTS supported by Spring Boot 3 | |
- name: Cache local Maven repository | |
uses: actions/cache@v3 | |
with: | |
path: ~/.m2/repository | |
key: ${{ runner.os }}-jdk-17-maven-${{ hashFiles('**/pom.xml') }} | |
restore-keys: ${{ runner.os }}-jdk-17-maven- | |
# Don't attempt to cache Docker. Sensitive information can be stolen | |
# via forks, and login session ends up in ~/.docker. This is ok because | |
# we publish DOCKER_PARENT_IMAGE to ghcr.io, hence local to the runner. | |
- name: Deploy | |
env: | |
# GH_USER=<user that created GH_TOKEN> | |
GH_USER: ${{ secrets.GH_USER }} | |
# GH_TOKEN=<hex token value> | |
# * pushes gh-pages during build-bin/javadoc_to_gh_pages | |
# * pushes Docker images to ghcr.io | |
# * create via https://github.com/settings/tokens | |
# * needs repo:status, public_repo, write:packages, delete:packages | |
GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }} | |
# GPG_PASSPHRASE=<passphrase for GPG_SIGNING_KEY> | |
# * referenced in .settings.xml | |
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
# SONATYPE_USER=<sonatype account token> | |
# * deploys snapshots and releases to Sonatype | |
# * needs access to io.zipkin via OSSRH-16669 | |
# * generate via https://oss.sonatype.org/#profile;User%20Token | |
# * referenced in .settings.xml | |
SONATYPE_USER: ${{ secrets.SONATYPE_USER }} | |
# SONATYPE_PASSWORD=<password to sonatype account token> | |
# * referenced in .settings.xml | |
SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} | |
# DOCKERHUB_USER=<typically dockerzipkindeployer> | |
# * only push repos in openzipkin org to Docker Hub on release | |
DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }} | |
# DOCKERHUB_TOKEN=<access token for DOCKERHUB_USER> | |
# * Access Token from here https://hub.docker.com/settings/security | |
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | |
run: | # GITHUB_REF = refs/heads/master or refs/tags/MAJOR.MINOR.PATCH | |
build-bin/configure_deploy && | |
build-bin/deploy $(echo ${GITHUB_REF} | cut -d/ -f 3) |