diff --git a/action.yml b/action.yml
index d3f52d6..bafdb09 100644
--- a/action.yml
+++ b/action.yml
@@ -1,6 +1,6 @@
-- name: Release Camunda Community Project on Maven Central
- description: Encapsulates the release process of Camunda community extensions
- inputs:
+name: Release Camunda Community Project on Maven Central
+description: Encapsulates the release process of Camunda community extensions
+inputs:
 artifacts-pattern:
 description: Which artifacts to store. Set to empty string to disable
 required: false
@@ -49,11 +49,11 @@
 description: TODO
 required: false
 default: true
- outputs:
+outputs:
 artifacts_archive_path:
 description: Filename of zipfile containing all files matched by artifacts-pattern.
 value: ${{ steps.create-archive.outputs.filename }}
- runs:
+runs:
 using: composite
 steps:
 - name: Initialize
@@ -69,65 +69,65 @@ test -z "${{ inputs.run-tests }}" && SKIP_TESTS="-DskipTests" mvn -B ${{ inputs.maven-additional-options }} ${{ inputs.maven-build-options }} package ${SKIP_TESTS} shell: bash - ########################################### - # Download and install Trivy and template # - ########################################### -- name: Download and Install Trivy - shell: bash - run: | - if [[ "${{ inputs.vulnerability-scan }}" == "true" ]]; - then - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b ${GITHUB_WORKSPACE} - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/sarif.tpl -o sarif.tpl - ./trivy --version - ./trivy fs -t @sarif.tpl -f template -o trivy-results.sarif . + ########################################### + # Download and install Trivy and template # + ########################################### + - name: Download and Install Trivy + shell: bash + run: | + if [[ "${{ inputs.vulnerability-scan }}" == "true" ]]; + then + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b ${GITHUB_WORKSPACE} + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/sarif.tpl -o sarif.tpl + ./trivy --version + ./trivy fs -t @sarif.tpl -f template -o trivy-results.sarif . - if [[ $(cat trivy-results.sarif | grep -E 'Severity: (HIGH|CRITICAL)' | wc -l) > 0 ]]; - then - ./trivy fs . - exit 1 - else - exit 0 - fi - fi -- name: Publish SNAPSHOT - run: |- - test -n "${{ inputs.release-version }}" && echo "::debug::Not publishing SNAPSHOT because release-version is set" && exit 0 - mvn -B ${{ inputs.maven-additional-options }} -DskipTests ${{ inputs.maven-release-options }} deploy - find . 
-path '**target/nexus-staging/deferred/.index' -exec sed -i 's@:camunda-nexus:.*$@:central:https://oss.sonatype.org/content/repositories/snapshots/@g' {} + - mvn -B ${{ inputs.maven-additional-options }} -DskipTests ${{ inputs.maven-release-options }} org.sonatype.plugins:nexus-staging-maven-plugin:deploy-staged - shell: bash - env: - NEXUS_USR: ${{ inputs.nexus-usr}} - NEXUS_PSW: ${{ inputs.nexus-psw }} - MAVEN_USR: ${{ inputs.maven-usr }} - MAVEN_PSW: ${{ inputs.maven-psw }} -- name: Publish Maven Release - run: |- - test -z "${{ inputs.release-version }}" && echo "::debug::Skipping Release because release-version is unset" && exit 0 - # 1. set version - mvn -B ${{ inputs.maven-additional-options }} versions:set org.codehaus.mojo:versions-maven-plugin:2.8.1:update-child-modules -DnewVersion=${{ inputs.release-version }} - # 2. perform release - mvn -B ${{ inputs.maven-additional-options }} ${RELEASE_PROFILE} ${{ inputs.maven-release-options }} -DskipTests -DnexusUrl=https://oss.sonatype.org/ -DserverId=central -Drelease-version=${{ inputs.release-version }} -Dgpg.sign initialize \ - package source:jar javadoc:jar \ - deploy org.apache.maven.plugins:maven-gpg-plugin:sign \ - nexus-staging:deploy - shell: bash - env: - NEXUS_USR: ${{ inputs.nexus-usr}} - NEXUS_PSW: ${{ inputs.nexus-psw }} - MAVEN_USR: ${{ inputs.maven-usr }} - MAVEN_PSW: ${{ inputs.maven-psw }} - MAVEN_GPG_PASSPHRASE: ${{ inputs.maven-gpg-passphrase }} -- name: Prepare next development version - run: ${{ github.action_path }}/resources/prepare-next-development-version.sh "${{ github.event.repository.default_branch }}" "${{ inputs.release-version }}" "${{ inputs.maven-additional-options }}" - shell: bash -- name: Archive artifacts - run: |- - test -z "${{ inputs.artifacts-pattern }}" && echo "::debug::Skipping archiving because artifacts-pattern is unset" && exit 0 - # Filename: [repo without org]-[version].zip - ZIPFILE=${GITHUB_REPOSITORY#*/}-${{ inputs.release-version }}.zip - zip $ZIPFILE $(find 
. -path ${{ inputs.artifacts-pattern }}) - echo "::set-output name=filename::${ZIPFILE}" - shell: bash - id: create-archive + if [[ $(cat trivy-results.sarif | grep -E 'Severity: (HIGH|CRITICAL)' | wc -l) > 0 ]]; + then + ./trivy fs . + exit 1 + else + exit 0 + fi + fi + - name: Publish SNAPSHOT + run: |- + test -n "${{ inputs.release-version }}" && echo "::debug::Not publishing SNAPSHOT because release-version is set" && exit 0 + mvn -B ${{ inputs.maven-additional-options }} -DskipTests ${{ inputs.maven-release-options }} deploy + find . -path '**target/nexus-staging/deferred/.index' -exec sed -i 's@:camunda-nexus:.*$@:central:https://oss.sonatype.org/content/repositories/snapshots/@g' {} + + mvn -B ${{ inputs.maven-additional-options }} -DskipTests ${{ inputs.maven-release-options }} org.sonatype.plugins:nexus-staging-maven-plugin:deploy-staged + shell: bash + env: + NEXUS_USR: ${{ inputs.nexus-usr}} + NEXUS_PSW: ${{ inputs.nexus-psw }} + MAVEN_USR: ${{ inputs.maven-usr }} + MAVEN_PSW: ${{ inputs.maven-psw }} + - name: Publish Maven Release + run: |- + test -z "${{ inputs.release-version }}" && echo "::debug::Skipping Release because release-version is unset" && exit 0 + # 1. set version + mvn -B ${{ inputs.maven-additional-options }} versions:set org.codehaus.mojo:versions-maven-plugin:2.8.1:update-child-modules -DnewVersion=${{ inputs.release-version }} + # 2. 
perform release + mvn -B ${{ inputs.maven-additional-options }} ${RELEASE_PROFILE} ${{ inputs.maven-release-options }} -DskipTests -DnexusUrl=https://oss.sonatype.org/ -DserverId=central -Drelease-version=${{ inputs.release-version }} -Dgpg.sign initialize \ + package source:jar javadoc:jar \ + deploy org.apache.maven.plugins:maven-gpg-plugin:sign \ + nexus-staging:deploy + shell: bash + env: + NEXUS_USR: ${{ inputs.nexus-usr}} + NEXUS_PSW: ${{ inputs.nexus-psw }} + MAVEN_USR: ${{ inputs.maven-usr }} + MAVEN_PSW: ${{ inputs.maven-psw }} + MAVEN_GPG_PASSPHRASE: ${{ inputs.maven-gpg-passphrase }} + - name: Prepare next development version + run: ${{ github.action_path }}/resources/prepare-next-development-version.sh "${{ github.event.repository.default_branch }}" "${{ inputs.release-version }}" "${{ inputs.maven-additional-options }}" + shell: bash + - name: Archive artifacts + run: |- + test -z "${{ inputs.artifacts-pattern }}" && echo "::debug::Skipping archiving because artifacts-pattern is unset" && exit 0 + # Filename: [repo without org]-[version].zip + ZIPFILE=${GITHUB_REPOSITORY#*/}-${{ inputs.release-version }}.zip + zip $ZIPFILE $(find . -path ${{ inputs.artifacts-pattern }}) + echo "::set-output name=filename::${ZIPFILE}" + shell: bash + id: create-archive
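Review bot: The `Download and Install Trivy` step pipes `install.sh` from the `master` branch of aquasecurity/trivy straight into `sh`, and fetches `sarif.tpl` from the same mutable ref, so whatever is on that branch at run time executes in the job that goes on to publish with the Nexus, Maven and GPG credentials. Pin both URLs to a release tag or commit and pass the version to the installer, e.g. `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/<PINNED_TAG>/contrib/install.sh | sh -s -- -b "${GITHUB_WORKSPACE}" <PINNED_TAG>`, ideally verifying a checksum of the downloaded script before running it. The `run:` scripts in this hunk also expand `${{ inputs.* }}` directly into the shell text (for example `-DnewVersion=${{ inputs.release-version }}` and `find . -path ${{ inputs.artifacts-pattern }}`), so if callers ever pass values they do not fully control, those should go through `env:` and be referenced as quoted variables instead.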