Merge pull request #2670 from ozangunalp/release_workflow_gh_secrets

Release workflow using GH secrets
smallrye · Jun 28, 2024 · d6153a6 · d6153a6
2 parents 3b6a92b + 067264c
commit d6153a6
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 24 deletions.
diff --git a/.build/maven-settings.xml.gpg b/.build/maven-settings.xml.gpg
diff --git a/.build/smallrye-sign.asc.gpg b/.build/smallrye-sign.asc.gpg
diff --git a/.github/workflows/push-release-to-maven-central.yml b/.github/workflows/push-release-to-maven-central.yml
@@ -9,7 +9,9 @@ jobs:
     deploy:
         runs-on: ubuntu-latest
         env:
-            SECRET_FILES_PASSPHRASE: ${{ secrets.SECRET_FILES_PASSPHRASE }}
+            MAVEN_DEPLOY_USERNAME: ${{ secrets.MAVEN_DEPLOY_USERNAME }}
+            MAVEN_DEPLOY_TOKEN: ${{ secrets.MAVEN_DEPLOY_TOKEN }}
+            MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
         steps:
             - name: Git checkout
               uses: actions/checkout@v4
@@ -19,6 +21,11 @@ jobs:
                   java-version: '17'
                   distribution: 'temurin'
                   cache: maven
+                  server-id: 'oss.sonatype'
+                  server-username: 'MAVEN_DEPLOY_USERNAME'
+                  server-password: 'MAVEN_DEPLOY_TOKEN'
+                  gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
+                  gpg-passphrase: 'MAVEN_GPG_PASSPHRASE'
             - name: Install just
               uses: taiki-e/install-action@just
             - name: Deploy to Maven Central

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,7 +24,6 @@ jobs:
         env:
             GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
             RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-            SECRET_FILES_PASSPHRASE: ${{ secrets.SECRET_FILES_PASSPHRASE }}
             RELEASE_VERSION: ${{ github.event.inputs.version }}
             DEPLOY_WEBSITE: ${{ github.event.inputs.deployWebsite }}
             CLEAR_REVAPI: ${{ github.event.inputs.clearRevAPI }}

diff --git a/.gitignore b/.gitignore
@@ -140,3 +140,7 @@ local.properties
 **/nb*.xml
 
 **/.cache/formatter-maven-cache.properties
+
+# File created during the release on the CI
+maven-settings.xml
+smallrye-sign.asc
diff --git a/justfile b/justfile
@@ -28,38 +28,23 @@ test-ci:
 perform-release: pre-release release post-release
     @echo "🎉 Successfully released Smallrye Reactive Messaging ${RELEASE_VERSION} 🚀"
 
-# Decrypt secrets
-decrypt-secrets:
-    @if [[ -z "${SECRET_FILES_PASSPHRASE}" ]]; then exit 1; fi
-    @echo "🔐 Decrypting smallrye signature"
-    gpg --quiet --batch --yes --decrypt --passphrase="${SECRET_FILES_PASSPHRASE}" \
-        --output smallrye-sign.asc .build/smallrye-sign.asc.gpg
-    @echo "🔐 Decrypting Maven settings"
-    gpg --quiet --batch --yes --decrypt --passphrase="${SECRET_FILES_PASSPHRASE}" \
-        --output maven-settings.xml .build/maven-settings.xml.gpg
-
-# Initialize GnuPG
-init-gpg:
-    @echo "🔐 GnuPG setup"
-    gpg --fast-import --no-tty --batch --yes smallrye-sign.asc
-
 # Initialize Git
 init-git:
     @echo "🔀 Git setup"
     git config --global user.name "smallrye-ci"
     git config --global user.email "smallrye@googlegroups.com"
 
 # Steps before releasing
-pre-release: decrypt-secrets init-gpg init-git
+pre-release: init-git
     @echo "🚀 Pre-release steps..."
     @if [[ -z "${RELEASE_TOKEN}" ]]; then exit 1; fi
     @if [[ -z "${RELEASE_VERSION}" ]]; then exit 1; fi
     @echo "Pre-release verifications"
     jbang .build/PreRelease.java --token=${RELEASE_TOKEN} --release-version=${RELEASE_VERSION}
     @echo "Bump project version to ${RELEASE_VERSION}"
-    ./mvnw -B -ntp versions:set -DnewVersion=${RELEASE_VERSION} -DgenerateBackupPoms=false -s .build/ci-maven-settings.xml
+    ./mvnw -B -ntp versions:set -DnewVersion=${RELEASE_VERSION} -DgenerateBackupPoms=false
     @echo "Check that the project builds (no tests)"
-    ./mvnw -B -ntp clean install -Prelease -DskipTests -s maven-settings.xml
+    ./mvnw -B -ntp clean install -Prelease -DskipTests
     @echo "Check that the website builds"
     -[[ ${DEPLOY_WEBSITE} == "true" ]] && cd documentation && pipenv install && pipenv run mkdocs build
 
@@ -74,17 +59,17 @@ release: pre-release
     git push
     jbang .build/CompatibilityUtils.java extract
     @echo "Call JReleaser"
-    ./mvnw -B -ntp jreleaser:full-release -Pjreleaser -pl :smallrye-reactive-messaging -s .build/ci-maven-settings.xml
+    ./mvnw -B -ntp jreleaser:full-release -Pjreleaser -pl :smallrye-reactive-messaging
     -[[ ${DEPLOY_WEBSITE} == "true" ]] && just deploy-docs
     @echo "Bump to 999-SNAPSHOT and push upstream"
-    ./mvnw -B -ntp versions:set -DnewVersion=999-SNAPSHOT -DgenerateBackupPoms=false -s .build/ci-maven-settings.xml
+    ./mvnw -B -ntp versions:set -DnewVersion=999-SNAPSHOT -DgenerateBackupPoms=false
     git commit -am "[RELEASE] - Next development version: 999-SNAPSHOT"
     git push
 
 # Deploy to Maven Central
-deploy-to-maven-central: decrypt-secrets init-gpg
+deploy-to-maven-central:
     @echo "🔖 Deploy to Maven Central"
-    ./mvnw -B -ntp deploy -Prelease -DskipTests -s maven-settings.xml
+    ./mvnw -B -ntp deploy -Prelease -DskipTests
 
 # Steps post-release
 post-release: