fix: decode base64 PGP key before signing (KOJAK-35) (#19) #52
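---
# CI pipeline: builds and tests on pull requests and pushes to main, runs the
# Spring Boot and Kafka compatibility matrices, publishes to Maven Central on
# v* tags, and auto-merges Dependabot pull requests.
name: CI

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
    tags: ['v*']

# NOTE(review): these write scopes apply to every job that does not declare
# its own permissions block, including builds triggered by pull requests.
# The two compatibility jobs below only check out and test, so they override
# this with read-only access.
permissions:
  contents: write  # auto-merge requirement
  pull-requests: write  # auto-merge requirement

jobs:
  build:
    name: Build & Test (core modules)
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false
      matrix:
        java: ['21', '25']
    steps:
      # NOTE(review): actions referenced by a version tag in this file
      # (checkout, setup-java, upload-artifact, release-drafter) follow a
      # mutable ref. Pinning each to a full commit SHA, as setup-gradle
      # already is, fixes the code that runs alongside this job's token.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # No step in this job runs an authenticated git command, so the
          # checkout does not need to persist the token for later steps.
          persist-credentials: false
      - name: Set up JDK ${{ matrix.java }}
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: ${{ matrix.java }}
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
      - name: Check formatting
        run: ./gradlew ktlintCheck
      # Spring Boot and Kafka module tests are excluded here; they run in the
      # spring-compat and kafka-compat jobs against each supported version.
      - name: Build and test core modules
        run: ./gradlew build -x :okapi-spring-boot:test -x :okapi-kafka:test -x ktlintCheck
      - name: Upload test results
        uses: actions/upload-artifact@v7
        # Upload reports for failed builds too, but not for cancelled runs.
        if: success() || failure()
        with:
          name: test-results-java-${{ matrix.java }}
          path: '**/build/test-results/test/TEST-*.xml'
      - name: Prepare release notes
        # Branch pushes only; tag pushes publish the notes in the publish job.
        if: github.event_name == 'push' && !startsWith(github.ref, 'refs/tags/')
        uses: release-drafter/release-drafter@v7
        with:
          config-name: release-drafter.yml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  spring-compat:
    name: "Spring Boot ${{ matrix.spring-boot }}"
    runs-on: ubuntu-24.04
    needs: build
    # This job only checks out and runs tests, so it gets a read-only token.
    permissions:
      contents: read
    strategy:
      matrix:
        include:
          - spring-boot: "3.5.12"
            spring: "6.2.17"
          - spring-boot: "4.0.4"
            spring: "7.0.6"
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'
      - uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
      - name: Test okapi-spring-boot
        run: >-
          ./gradlew :okapi-spring-boot:test
          -PspringBootVersion=${{ matrix.spring-boot }}
          -PspringVersion=${{ matrix.spring }}

  kafka-compat:
    name: "Kafka ${{ matrix.kafka }}"
    runs-on: ubuntu-24.04
    needs: build
    # This job only checks out and runs tests, so it gets a read-only token.
    permissions:
      contents: read
    strategy:
      matrix:
        kafka: ["3.9.0", "4.0.2"]
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'
      - uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
      - name: Test okapi-kafka
        run: ./gradlew :okapi-kafka:test -PkafkaVersion=${{ matrix.kafka }}

  publish:
    name: Publish to Maven Central
    needs: [build, spring-compat, kafka-compat]
    runs-on: ubuntu-24.04
    # Runs only for pushed tags that start with "v".
    if: github.event_name != 'pull_request' && (startsWith(github.ref, 'refs/tags/v'))
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # No step in this job runs an authenticated git command, so the
          # checkout does not need to persist the token for later steps.
          persist-credentials: false
      - name: Set up JDK 21
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
      - name: Publish to Maven Central
        run: |
          set -euo pipefail
          # Decode the signing key inside this step so the private key lives
          # only in this process environment. It is not written to a file and
          # not appended to $GITHUB_ENV, where every later step of the job
          # (including third-party actions) would inherit it.
          # Assignment and export are separate so a base64 failure stops the
          # step instead of being hidden by the exit status of `export`.
          ORG_GRADLE_PROJECT_signingInMemoryKey="$(printf '%s\n' "$PGP_SECRET_BASE64" | base64 -d)"
          if [ -z "$ORG_GRADLE_PROJECT_signingInMemoryKey" ]; then
            echo "::error::PGP_SECRET decoded to an empty signing key"
            exit 1
          fi
          export ORG_GRADLE_PROJECT_signingInMemoryKey
          ./gradlew publishAndReleaseToMavenCentral
        env:
          PGP_SECRET_BASE64: ${{ secrets.PGP_SECRET }}
          ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.SONATYPE_USERNAME }}
          ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.SONATYPE_PASSWORD }}
          ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.PGP_PASSPHRASE }}
      - name: Extract version from tag
        run: |
          # Strip the leading "refs/tags/v"; the job condition guarantees the
          # ref starts with it.
          version="${GITHUB_REF#refs/tags/v}"
          echo "VERSION=$version" >> "$GITHUB_ENV"
      - name: Publish release notes
        uses: release-drafter/release-drafter@v7
        with:
          config-name: release-drafter.yml
          publish: true
          name: "v${{ env.VERSION }}"
          tag: "v${{ env.VERSION }}"
          version: "v${{ env.VERSION }}"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  auto-merge-dependabot:
    # Only for pull requests opened by dependabot[bot]; the condition reads
    # the pull request author from the event payload.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    needs: [build]
    # NOTE(review): the called workflow is referenced at the mutable `main`
    # branch and receives a token secret. Pinning it to a full commit SHA
    # would fix what runs with that token.
    uses: softwaremill/github-actions-workflows/.github/workflows/auto-merge.yml@main
    secrets:
      github-token: ${{ secrets.SOFTWAREMILL_CI_PR_TOKEN }}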