Replace Jenkins with Github Actions (#17)

2020-03-20 08:34:26 +00:00 · 2020-03-20 08:34:26 +00:00 · 5d041cdc19
commit 5d041cdc19
parent 25572300bb
9 changed files with 230 additions and 69 deletions
--- a/.github/GitHub-Actions.org
+++ b/.github/GitHub-Actions.org
@ -0,0 +1,41 @@
+* Deploying using Github Actions
+
+** Actions definition: workflow/sonatype-deploy.yml
+
+When a GitHub Release is created, usually from a tag, this action will trigger.
+
+Using JDK8 the software will be packaged, including running any tests.
+
+Then the Deploy script will sign the created artifacts then deploy them according to the distributionManagement configuration in the `pom.xml`.
+
+** Deploy Script
+
+Uses a signing key provided from the GitHub Actions Secrets as an environment variable to sign the artifact(s) before they are then deployed.
+
+*** Inputs
+
+**** DEPLOY_PROJECTS (optional)
+
+An optional list of modules in a multi-module project to be deployed. If this value is not specified, then all projects will be deployed.
+
+** Maven Configuration
+
+Picks up the credentials from Environment variables for authenticating both with GPG and with the target deployment server (e.g. sonatype-nexus).
+
+*** Inputs
+
+**** NEXUS_USERNAME
+
+The username for your account on the deployment server.
+
+**** NEXUS_PASSWORD
+
+The password for your account on the deployement server.
+
+**** GPG_KEYNAME
+
+The key to use when signing.
+
+**** GPG_PASSPHRASE
+
+The passphrase to unlock the key to use when signing.
--- a/.github/NOTES
+++ b/.github/NOTES
@ -0,0 +1,53 @@
+Add subkeys:
+
+????
+
+Publish:
+
+gpg --send-keys --keyserver keyserver.ubuntu.com $KEYID
+gpg --send-keys --keyserver pgp.mit.edu $KEYID
+gpg --send-keys --keyserver pool.sks-keyservers.net $KEYID
+
+Backup:
+
+gpg --export --armor pcampbell@kemitix.net > gpg-key-backup.asc
+gpg --export-secret-keys --armor pcampbell@kemitix.net >> gpg-key-backup.asc
+
+Export sub-keys:
+
+gpg --export-secret-subkeys pcampbell@kemitix.net > subkeys
+
+Remove master keys:
+
+gpg --delete-secret-key pcampbell@kemitix.net
+
+Import sub-keys and clean up:
+
+gpg --import subkeys
+
+shred --remove subkeys
+
+Delete any encryption subkeys:
+
+gpg --edit-key pcampbell@kemitix.net
+
+2
+delkey
+save
+
+Change passphrase:
+
+gpg --edit-key pcampbell@kemitix.net
+passwd
+save
+
+Export keys:
+
+gpg --export --armor pcampbell@kemitix.net > codesigning.asc
+gpg --export-secret-keys --armor pcampbell@kemitix.net >> codesigning.asc
+
+Encrypt keys:
+
+gpg --symmetric --cipher-algo AES256 codesigning.asc
+
+shred codesigning.asc
--- a/.github/codesigning.asc.gpg
+++ b/.github/codesigning.asc.gpg
--- a/.github/deploy.sh
+++ b/.github/deploy.sh
@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Decrypts the signing key in .github/codesigning.asc.enc
+# Imports that key
+# Uses .github/settings.xml and the release profile to deploy
+
+echo "deploy.sh: Starting..."
+
+(
+    cd .github
+
+    echo "Retrieving GPG Private KEY"
+    gpg --quiet \
+        --batch \
+        --yes \
+        --decrypt \
+        --passphrase="${GPG_PASSPHRASE}" \
+        --output codesigning.asc \
+        codesigning.asc.gpg
+
+    echo "Loading signing key"
+    gpg --batch \
+        --fast-import codesigning.asc
+)
+
+echo "Releasing..."
+mvn --settings .github/settings.xml \
+    -Dskip-Tests=true \
+    -P release \
+    -B \
+    deploy
+
+echo "deploy.sh: Done."
--- a/.github/settings.xml
+++ b/.github/settings.xml
@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
+    <servers>
+        <server>
+            <id>sonatype-nexus-snapshots</id>
+            <username>${env.NEXUS_USERNAME}</username>
+            <password>${env.NEXUS_PASSWORD}</password>
+        </server>
+        <server>
+            <id>sonatype-nexus-staging</id>
+            <username>${env.NEXUS_USERNAME}</username>
+            <password>${env.NEXUS_PASSWORD}</password>
+        </server>
+    </servers>
+    <profiles>
+        <profile>
+            <id>gpg-sign</id>
+            <activation>
+                <activeByDefault>true</activeByDefault>
+            </activation>
+            <properties>
+                <gpg.executable>gpg</gpg.executable>
+                <gpg.keyname>${env.GPG_KEYNAME}</gpg.keyname>
+                <gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
+            </properties>
+        </profile>
+    </profiles>
+</settings>
--- a/.github/workflows/maven-build.yml
+++ b/.github/workflows/maven-build.yml
@ -0,0 +1,25 @@
+# This workflow will build a Java project with Maven
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
+
+name: Java CI with Maven
+
+on:
+  push:
+    branches: '*'
+  pull_request:
+    branches: '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: [ 8, 11, 13 ]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v1
+        with:
+          java-version: ${{ matrix.java }}
+      - name: Build with Maven
+        run: mvn -B install
--- a/.github/workflows/sonatype-deploy.yml
+++ b/.github/workflows/sonatype-deploy.yml
@ -0,0 +1,24 @@
+name: Deploy to Sonatype Nexus
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK 1.8
+        uses: actions/setup-java@v1
+        with:
+          java-version: 1.8
+      - name: Build with Maven
+        run: mvn -B install
+      - name: Nexus Repo Publish
+        run: sh .github/deploy.sh
+        env:
+          NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
+          NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
+          GPG_KEYNAME: ${{ secrets.GPG_KEYNAME }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
--- a/CHANGELOG.org
+++ b/CHANGELOG.org
@ -6,9 +6,15 @@
  Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to
  [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

-** 1.0.0 - 2018-11-11
+* 1.1.0

-*** Removed
+** Changed
+
+  - Replace Jenkins with Github Actions
+
+* 1.0.0 - 2018-11-11
+
+** Removed

    The following rules are marked as deprecated in PMD and will be removed in
    PMD 7.0:
@ -19,33 +25,33 @@
   * IfStmtsMustUseBraces
   * WhileLoopsMustUseBraces

-*** Dependencies
+** Dependencies

    * Bump kemitix-parent from 5.1.1 to 5.2.0

-** 0.4.0
+* 0.4.0

-   * Requires PMD 6.7.0
-   * The new Java rule FieldNamingConventions (java-codestyle)
-   * The new Java rule LinguisticNaming (java-codestyle)
-   * Remove deprecated rule VariableNamingConventions
-   * Remove deprecated rule SuspiciousConstantFieldName
+  * Requires PMD 6.7.0
+  * The new Java rule FieldNamingConventions (java-codestyle)
+  * The new Java rule LinguisticNaming (java-codestyle)
+  * Remove deprecated rule VariableNamingConventions
+  * Remove deprecated rule SuspiciousConstantFieldName

-** 0.3.0
+* 0.3.0

-   * Upgrade `kemitix-parent` to 5.1.1
-   * Remove unused tiles
-   * Disable PMD check `LawOfDemeter` due to Java Streams giving false positives
+  * Upgrade `kemitix-parent` to 5.1.1
+  * Remove unused tiles
+  * Disable PMD check `LawOfDemeter` due to Java Streams giving false positives

-** 0.2.1
+* 0.2.1

-   * Upgrade `kemitix-parent` to 5.1.0
+  * Upgrade `kemitix-parent` to 5.1.0

-** 0.2.0
+* 0.2.0

-   * Disable `CommentSize` - didn't agree with MIT License headers
-   * Relaxed `AvoidDuplicateLiterals.maxDuplicateLiterals` - value is when to fail, not the max allowed
+  * Disable `CommentSize` - didn't agree with MIT License headers
+  * Relaxed `AvoidDuplicateLiterals.maxDuplicateLiterals` - value is when to fail, not the max allowed

-** 0.1.0
+* 0.1.0

-   * Initial release
+  * Initial release
--- a/Jenkinsfile.groovy
+++ b/Jenkinsfile.groovy
@ -1,49 +0,0 @@
-final String publicRepo = 'https://github.com/kemitix/'
-final String mvn = "mvn --batch-mode --update-snapshots --errors"
-
-pipeline {
-    agent any
-    stages {
-        stage('Install') {
-            steps {
-                withMaven(maven: 'maven', jdk: 'JDK 1.8') {
-                    sh "${mvn} -DskipTests install"
-                }
-            }
-        }
-        stage('Deploy (published release branch)') {
-            when {
-                expression {
-                    (isReleaseBranch() &&
-                            isPublished(publicRepo) &&
-                            notSnapshot())
-                }
-            }
-            steps {
-                withMaven(maven: 'maven', jdk: 'JDK 1.8') {
-                    sh "${mvn} --activate-profiles release deploy"
-                }
-            }
-        }
-    }
-}
-
-private boolean isReleaseBranch() {
-    return branchStartsWith('release/')
-}
-
-private boolean branchStartsWith(final String branchName) {
-    startsWith(env.GIT_BRANCH, branchName)
-}
-
-private boolean isPublished(final String repo) {
-    startsWith(env.GIT_URL, repo)
-}
-
-private static boolean startsWith(final String value, final String match) {
-    value != null && value.startsWith(match)
-}
-
-private boolean notSnapshot() {
-    return !(readMavenPom(file: 'pom.xml').version).contains("SNAPSHOT")
-}