diff --git a/.github/GitHub-Actions.org b/.github/GitHub-Actions.org
new file mode 100644
index 0000000..1c882b8
--- /dev/null
+++ b/.github/GitHub-Actions.org
@@ -0,0 +1,41 @@
+* Deploying using Github Actions
+
+** Actions definition: workflow/sonatype-deploy.yml
+
+When a GitHub Release is created, usually from a tag, this action will trigger.
+
+Using JDK8 the software will be packaged, including running any tests.
+
+Then the Deploy script will sign the created artifacts then deploy them according to the distributionManagement configuration in the `pom.xml`.
+
+** Deploy Script
+
+Uses a signing key provided from the GitHub Actions Secrets as an environment variable to sign the artifact(s) before they are then deployed.
+
+*** Inputs
+
+**** DEPLOY_PROJECTS (optional)
+
+An optional list of modules in a multi-module project to be deployed. If this value is not specified, then all projects will be deployed.
+
+** Maven Configuration
+
+Picks up the credentials from Environment variables for authenticating both with GPG and with the target deployment server (e.g. sonatype-nexus).
+
+*** Inputs
+
+**** NEXUS_USERNAME
+
+The username for your account on the deployment server.
+
+**** NEXUS_PASSWORD
+
+The password for your account on the deployement server.
+
+**** GPG_KEYNAME
+
+The key to use when signing.
+
+**** GPG_PASSPHRASE
+
+The passphrase to unlock the key to use when signing.
diff --git a/.github/NOTES b/.github/NOTES
new file mode 100644
index 0000000..64253c9
--- /dev/null
+++ b/.github/NOTES
@@ -0,0 +1,53 @@
+Add subkeys:
+
+????
+
+Publish:
+
+gpg --send-keys --keyserver keyserver.ubuntu.com $KEYID
+gpg --send-keys --keyserver pgp.mit.edu $KEYID
+gpg --send-keys --keyserver pool.sks-keyservers.net $KEYID
+
+Backup:
+
+gpg --export --armor pcampbell@kemitix.net > gpg-key-backup.asc
+gpg --export-secret-keys --armor pcampbell@kemitix.net >> gpg-key-backup.asc
+
+Export sub-keys:
+
+gpg --export-secret-subkeys pcampbell@kemitix.net > subkeys
+
+Remove master keys:
+
+gpg --delete-secret-key pcampbell@kemitix.net
+
+Import sub-keys and clean up:
+
+gpg --import subkeys
+
+shred --remove subkeys
+
+Delete any encryption subkeys:
+
+gpg --edit-key pcampbell@kemitix.net
+
+2
+delkey
+save
+
+Change passphrase:
+
+gpg --edit-key pcampbell@kemitix.net
+passwd
+save
+
+Export keys:
+
+gpg --export --armor pcampbell@kemitix.net > codesigning.asc
+gpg --export-secret-keys --armor pcampbell@kemitix.net >> codesigning.asc
+
+Encrypt keys:
+
+gpg --symmetric --cipher-algo AES256 codesigning.asc
+
+shred codesigning.asc
diff --git a/.github/codesigning.asc.gpg b/.github/codesigning.asc.gpg
new file mode 100644
index 0000000..f5c71e0
Binary files /dev/null and b/.github/codesigning.asc.gpg differ
diff --git a/.github/settings.xml b/.github/settings.xml
new file mode 100644
index 0000000..8791e47
--- /dev/null
+++ b/.github/settings.xml
@@ -0,0 +1,28 @@
+
+
+
+
+ sonatype-nexus-snapshots
+ ${env.NEXUS_USERNAME}
+ ${env.NEXUS_PASSWORD}
+
+
+ sonatype-nexus-staging
+ ${env.NEXUS_USERNAME}
+ ${env.NEXUS_PASSWORD}
+
+
+
+
+ gpg-sign
+
+ true
+
+
+ gpg
+ ${env.GPG_KEYNAME}
+ ${env.GPG_PASSPHRASE}
+
+
+
+
diff --git a/.github/workflows/maven-build.yml b/.github/workflows/maven-build.yml
new file mode 100644
index 0000000..a2d20ca
--- /dev/null
+++ b/.github/workflows/maven-build.yml
@@ -0,0 +1,25 @@
+# This workflow will build a Java project with Maven
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
+
+name: Java CI with Maven
+
+on:
+ push:
+ branches: '*'
+ pull_request:
+ branches: '*'
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ java: [ 8, 11 ]
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up JDK ${{ matrix.java }}
+ uses: actions/setup-java@v1
+ with:
+ java-version: ${{ matrix.java }}
+ - name: Build with Maven
+ run: mvn -B install
diff --git a/.github/workflows/sonatype-deploy.yml b/.github/workflows/sonatype-deploy.yml
new file mode 100644
index 0000000..63b14fe
--- /dev/null
+++ b/.github/workflows/sonatype-deploy.yml
@@ -0,0 +1,38 @@
+name: Deploy to Sonatype Nexus
+
+on:
+ release:
+ types: [created]
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up JDK 1.8
+ uses: actions/setup-java@v1
+ with:
+ java-version: 1.8
+ - name: Build with Maven
+ run: mvn -B install
+ - name: Nexus Repo Publish
+ run: |
+ gpg --quiet \
+ --batch \
+ --yes \
+ --decrypt \
+ --passphrase="${{ secrets.GPG_PASSPHRASE }}" \
+ --output codesigning.asc \
+ .github/codesigning.asc.gpg
+ gpg --batch \
+ --fast-import codesigning.asc
+ mvn --settings .github/settings.xml \
+ -Dskip-Tests=true \
+ -P release \
+ -B \
+ deploy
+ env:
+ NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
+ NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
+ GPG_KEYNAME: ${{ secrets.GPG_KEYNAME }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/Jenkinsfile.groovy b/Jenkinsfile.groovy
deleted file mode 100644
index e26af0a..0000000
--- a/Jenkinsfile.groovy
+++ /dev/null
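Review bot: The `build` job in `maven-build.yml` declares no `permissions:` block, so every step (including Maven plugins and test code from pull requests) runs with whatever default `GITHUB_TOKEN` scope the repository is configured with; a top-level `permissions: {contents: read}` is enough for a checkout-and-build job. `actions/checkout@v2` and `actions/setup-java@v1` are referenced by mutable tags, and pinning each to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha>  # v2` (placeholder), keeps a retagged release from changing what runs. Both points also apply to `sonatype-deploy.yml`, where the job additionally holds the Nexus and signing secrets. Separately, `branches: '*'` does not match branch names containing `/`, so pushes to the `release/…` branches that the removed Jenkinsfile keyed on would not be built; `branches: '**'` covers them.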
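Review bot: The `Nexus Repo Publish` step in `sonatype-deploy.yml` expands `${{ secrets.GPG_PASSPHRASE }}` directly into the script text and hands it to gpg as `--passphrase=`, so a passphrase containing `"`, `$` or a backtick is interpreted by the shell, and the value sits in the process arguments while gpg runs. The decrypted private key is also written to `codesigning.asc` in the workspace and is still there when `mvn deploy` executes plugin code. Feeding the passphrase from the environment on stdin and piping the decrypted key straight into the import avoids both, as sketched below; `GPG_PASSPHRASE` appears to be exported by this step's `env:` block, but indentation is lost in this view, so confirm it is step-level. Because `.github/codesigning.asc.gpg` is committed and, per `.github/NOTES`, symmetrically encrypted, that passphrase is the only protection for the signing key against anyone who can read the repository, so it should be long and random. `-Dskip-Tests=true` also does not look like the `-DskipTests` property the removed Jenkinsfile used, so unless the pom defines `skip-Tests` the tests probably run a second time during deploy.

```yaml
      - name: Nexus Repo Publish
        run: |
          set -o pipefail
          # passphrase is read from the step environment on stdin, never from the command line;
          # the decrypted key goes straight into the keyring and is never written to the workspace
          printf '%s' "$GPG_PASSPHRASE" | gpg --quiet --batch --yes \
            --pinentry-mode loopback \
            --passphrase-fd 0 \
            --decrypt .github/codesigning.asc.gpg \
            | gpg --batch --fast-import
          # … unchanged: mvn --settings .github/settings.xml … deploy …
        # … unchanged: env block (NEXUS_*, GPG_*) …
```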
@@ -1,91 +0,0 @@
-final String publicRepo = 'https://github.com/kemitix/'
-final String mvn = "mvn --batch-mode --update-snapshots --errors"
-
-pipeline {
- agent any
- stages {
- stage('Build & Test') {
- steps {
- withMaven(maven: 'maven', jdk: 'JDK 1.8') {
- sh "${mvn} clean compile checkstyle:checkstyle pmd:pmd test"
- // PMD to Jenkins
- pmd canComputeNew: false, defaultEncoding: '', healthy: '', pattern: '', unHealthy: ''
- }
- }
- }
- stage('Report Coverage') {
- steps {
- withMaven(maven: 'maven', jdk: 'JDK 1.8') {
- // Code Coverage to Jenkins
- jacoco exclusionPattern: '**/*{Test|IT|Main|Application|Immutable}.class'
- }
- }
- }
- stage('Report Checkstyle') {
- steps {
- withMaven(maven: 'maven', jdk: 'JDK 1.8') {
- // Checkstyle to Jenkins
- step([$class: 'hudson.plugins.checkstyle.CheckStylePublisher',
- pattern: '**/target/checkstyle-result.xml',
- healthy:'20',
- unHealthy:'100'])
- }
- }
- }
- stage('Verify & Install') {
- steps {
- withMaven(maven: 'maven', jdk: 'JDK 1.8') {
- sh "${mvn} -DskipTests install"
- }
- }
- }
- stage('Deploy (published release branch)') {
- when {
- expression {
- (isReleaseBranch() &&
- isPublished(publicRepo) &&
- notSnapshot())
- }
- }
- steps {
- withMaven(maven: 'maven', jdk: 'JDK 1.8') {
- sh "${mvn} --activate-profiles release deploy"
- }
- }
- }
- stage('Build Java 11') {
- steps {
- withMaven(maven: 'maven', jdk: 'JDK 11') {
- sh "${mvn} clean verify -Djava.version=11"
- }
- }
- }
- stage('Build Java 12') {
- steps {
- withMaven(maven: 'maven', jdk: 'JDK 12') {
- sh "${mvn} clean verify -Djava.version=12"
- }
- }
- }
- }
-}
-
-private boolean isReleaseBranch() {
- return branchStartsWith('release/')
-}
-
-private boolean branchStartsWith(final String branchName) {
- startsWith(env.GIT_BRANCH, branchName)
-}
-
-private boolean isPublished(final String repo) {
- startsWith(env.GIT_URL, repo)
-}
-
-private static boolean startsWith(final String value, final String match) {
- value != null && value.startsWith(match)
-}
-
-private boolean notSnapshot() {
- return !(readMavenPom(file: 'pom.xml').version).contains("SNAPSHOT")
-}