release-publish.yml

# Copyright (C) 2020 Dremio
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Publishes all Nessie release artifacts and creates a Nessie release in GitHub.
#
# Triggered when a `nessie-*` tag is being pushed.
#
# GitHub environment name: release
#
# This workflow uses separate GH workflow jobs intentionally to be able to re-run
# failed "release targets" (Maven Central, Swaggerhub, GHCR, Helm) and not let
# the whole release fail (and force a completely new release).
#
# Jobs:
#    Prepare -->--+
#                 |
#                 +-->-- Publish to Maven Central -->--+
#                 |                                    |
#                 +-->-- Publish OpenAPI ----------->--+
#                 |                                    |
#                 +-->-- Publish Docker images ----->--+
#                 |                                    |
#                 +-->-- Publish Helm Chart -------->--+
#                                                      |
#                                                      +-->-- GitHub Release notes
#

name: Publish release

on:
  push:
    tags:
      - nessie-*

  workflow_dispatch:
    inputs:
      releaseTag:
        description: 'Release tag name to re-release'
        required: true

jobs:
  prepare:
    name: Prepare
    outputs:
      release-version: ${{ steps.get_version.outputs.release-version }}
      git-tag: ${{ steps.get_version.outputs.git-tag }}
    runs-on: ubuntu-22.04
    environment: release
    timeout-minutes: 10
    steps:
      # GH doesn't provide just the tag name, so this step strips `/refs/tags/nessie-` from `GITHUB_REF`
      # and provides the outputs for the Git tag and the release-version derived from it, in case of a manual run,
      # uses the input `releaseTag` as the input tag name.
      - name: Get release version
        id: get_version
        run: |
          if [[ "${{ github.event_name }}" == "push" ]] ; then
            V="${GITHUB_REF/refs\/tags\/}"
          else
            V="${{ github.event.inputs.releaseTag }}"
          fi
          # check if tag matches patterns like nessie-0.5, nessie-0.10.4.3-alpha1, etc
          if [[ ${V} =~ ^nessie-[0-9]+[.][0-9.]*[0-9](-[a-zA-Z0-9]+)?$ ]]; then
            echo "release-version=${V/nessie-}" >> ${GITHUB_OUTPUT}
            echo "git-tag=${V}" >> ${GITHUB_OUTPUT}
          else
            echo "Tag must start with nessie- followed by a valid version (got tag ${V}, ref is ${GITHUB_REF} )"
            exit 1
          fi

  publish-maven-central:
    name: Publish to Maven Central
    runs-on: ubuntu-22.04
    environment: release
    timeout-minutes: 240
    needs:
      - prepare
    env:
      RELEASE_VERSION: ${{needs.prepare.outputs.release-version}}
      ARTIFACTS: build-artifacts
    steps:
      ### BEGIN runner setup
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        if: ${{ github.event_name == 'push' }}
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        if: ${{ github.event_name == 'workflow_dispatch' }}
        with:
          ref: refs/tags/${{ github.event.inputs.releaseTag }}
      - name: Setup runner
        uses: ./.github/actions/setup-runner
      - name: Setup Java, Gradle
        uses: ./.github/actions/dev-tool-java
        with:
          gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
      ### END runner setup

      - name: Prepare artifacts directory
        run: rm -rf "${ARTIFACTS}" ; mkdir -p "${ARTIFACTS}"

      - name: Gradle build
        run: |
          # 2 Retries - due to Gradle's old and unfixed CME bug
          ./gradlew --no-scan compileAll jar || ./gradlew --no-scan compileAll jar || ./gradlew --no-scan compileAll jar

      - name: Check Licenses
        run: ./gradlew --no-scan aggregatedLicenseReportsZip

      # Deploys Maven artifacts. Build and test steps were already ran in previous steps.
      # Not running tests, because the environment contains secrets.
      - name: Publish Maven artifacts for release
        env:
          # To release with Gradle
          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
          ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.OSSRH_ACCESS_ID }}
          ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.OSSRH_TOKEN }}
          # To release commits that used Maven to build
          MAVEN_USERNAME: ${{ secrets.OSSRH_ACCESS_ID }}
          MAVEN_OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
        run: |
          # 2 Retries - to mitigate "HTTP/502 Bad Gateway" issues
          ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository -Prelease -Puber-jar --no-scan --stacktrace || \
            ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository -Prelease -Puber-jar --no-scan --stacktrace || \
            ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository -Prelease -Puber-jar --no-scan --stacktrace

      - name: Generate changelog
        run: ./gradlew --no-scan --quiet --console=plain getChangelog --no-header --no-links > "${ARTIFACTS}/nessie-changelog-${RELEASE_VERSION}.md"

      - name: Collect artifacts
        run: |
          mv servers/quarkus-server/build/nessie-quarkus-${RELEASE_VERSION}-runner.jar "${ARTIFACTS}"
          mv cli/cli/build/libs/nessie-cli-${RELEASE_VERSION}.jar "${ARTIFACTS}"
          mv tools/server-admin/build/nessie-server-admin-tool-${RELEASE_VERSION}-runner.jar "${ARTIFACTS}"
          mv gc/gc-tool/build/executable/nessie-gc.jar "${ARTIFACTS}/nessie-gc-${RELEASE_VERSION}.jar"
          cp tools/aggregated-license-report/build/distributions/nessie-aggregated-license-report-${RELEASE_VERSION}.zip "${ARTIFACTS}"

      - name: Archive release artifacts
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
        with:
          name: nessie-release-artifacts
          path: build-artifacts
          if-no-files-found: error


  publish-images:
    name: Publish images
    runs-on: ubuntu-22.04
    environment: release
    timeout-minutes: 60
    needs:
      - prepare
    steps:
      ### BEGIN runner setup
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        if: ${{ github.event_name == 'push' }}
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        if: ${{ github.event_name == 'workflow_dispatch' }}
        with:
          ref: refs/tags/${{ github.event.inputs.releaseTag }}
      - name: Setup runner
        uses: ./.github/actions/setup-runner
      - name: Setup Java, Gradle
        uses: ./.github/actions/dev-tool-java
      ### END runner setup

      - name: Gradle build
        run: |
          # 2 Retries - due to Gradle's old and unfixed CME bug
          ./gradlew --no-scan compileAll jar || ./gradlew --no-scan compileAll jar || ./gradlew --no-scan compileAll jar

      - name: Docker login
        run: |
          echo '${{ secrets.GITHUB_TOKEN }}' | docker login ghcr.io -u $ --password-stdin 

      - name: Publish Nessie Server
        run: |
          tools/dockerbuild/build-push-images.sh \
            -g ":nessie-quarkus" \
            -p "servers/quarkus-server" \
            -d "Dockerfile-server" \
            ghcr.io/projectnessie/nessie

      - name: Publish Nessie GC
        run: |
          tools/dockerbuild/build-push-images.sh \
            -g ":nessie-gc-tool" \
            -p "gc/gc-tool" \
            -d "Dockerfile-gctool" \
            ghcr.io/projectnessie/nessie-gc

      - name: Publish Nessie Server Admin Tool
        run: |
          tools/dockerbuild/build-push-images.sh \
            -g ":nessie-server-admin-tool" \
            -p "tools/server-admin" \
            -d "Dockerfile-admintool" \
            ghcr.io/projectnessie/nessie-server-admin

      - name: Publish Nessie CLI
        run: |
          tools/dockerbuild/build-push-images.sh \
            -g ":nessie-cli" \
            -p "cli/cli" \
            -d "Dockerfile-cli" \
            ghcr.io/projectnessie/nessie-cli

      # NOTE: GH container registry behaves a bit weird when new images are added.
      # The first push/publication of a _new_ image (package) fails with a HTTP/403,
      # but the next one works.
      # See also the note in .github/docker-sync/regsync.yml about quay.io.
      #
      # Also make sure to add the new image to the site, currently in:
      #   site/docs/downloads/index.md
      #   site/in-dev/index.md
      #   site/in-dev/index-release.md

  publish-helm:
    name: Publish Helm Chart
    runs-on: ubuntu-22.04
    environment: release
    timeout-minutes: 60
    needs:
      - prepare
      - publish-images
    env:
      RELEASE_VERSION: ${{needs.prepare.outputs.release-version}}
    steps:
      ### BEGIN runner setup
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        if: ${{ github.event_name == 'push' }}
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        if: ${{ github.event_name == 'workflow_dispatch' }}
        with:
          ref: refs/tags/${{ github.event.inputs.releaseTag }}
      - name: Install Helm
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
        with:
          version: v3.6.3
      ### END runner setup

      - name: Package Nessie Helm chart
        run: |
          helm package helm/nessie --version ${RELEASE_VERSION}
          mv nessie-${RELEASE_VERSION}.tgz nessie-helm-${RELEASE_VERSION}.tgz

      - name: Publish Nessie Helm chart to Helm Repo
        run: |
          wget https://raw.githubusercontent.com/projectnessie/charts.projectnessie.org/main/index.yaml
          helm repo index . --merge index.yaml --url https://github.com/projectnessie/nessie/releases/download/nessie-${RELEASE_VERSION}
          echo ${{ secrets.CI_REPORTS_TOKEN }} | gh auth login --with-token
          index_sha=$(gh api -X GET /repos/projectnessie/charts.projectnessie.org/contents/index.yaml --jq '.sha')
          gh api -X PUT /repos/projectnessie/charts.projectnessie.org/contents/index.yaml -f message="Publishing Nessie Helm chart ${RELEASE_VERSION}" -f content=$(base64 -w0 index.yaml) -f sha=${index_sha} || true

      - name: Archive Helm chart artifact
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
        with:
          name: nessie-release-helm
          path: ./nessie-helm-*.tgz
          if-no-files-found: error


  publish-openapi:
    runs-on: ubuntu-22.04
    timeout-minutes: 60
    environment: release
    needs:
      - prepare
    env:
      RELEASE_VERSION: ${{needs.prepare.outputs.release-version}}
    steps:
      ### BEGIN runner setup
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        if: ${{ github.event_name == 'push' }}
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        if: ${{ github.event_name == 'workflow_dispatch' }}
        with:
          ref: refs/tags/${{ github.event.inputs.releaseTag }}
      - name: Setup runner
        uses: ./.github/actions/setup-runner
      - name: Setup Java, Gradle
        uses: ./.github/actions/dev-tool-java
      ### END runner setup

      - name: Gradle build
        run: |
          # 2 Retries - due to Gradle's old and unfixed CME bug
          ./gradlew --no-scan :nessie-model:jar || ./gradlew --no-scan :nessie-model:jar || ./gradlew --no-scan :nessie-model:jar

      - name: Copy OpenAPI yaml
        run: cp api/model/build/generated/openapi/META-INF/openapi/openapi.yaml ./nessie-openapi-${RELEASE_VERSION}.yaml

      - name: Archive OpenAPI artifact
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
        with:
          name: nessie-release-openapi
          path: ./nessie-openapi-*.yaml
          if-no-files-found: error

      # Try to create the API on SwaggerHub. This step will fail, if the version already exists.
      # To make this job idempotent, we allow the "api:create" to fail but have another step to
      # update an existing version.

      - name: Create on SwaggerHub
        uses: smartbear/swaggerhub-cli@20e5eaf4866bbbc44d72e9eb8a48a942c0d9e43b # v0.9.0
        continue-on-error: true
        env:
          XDG_CONFIG_HOME: "/tmp"
          SWAGGERHUB_API_KEY: ${{ secrets.SWAGGERHUB_API_KEY }}
          SWAGGERHUB_URL: "https://api.swaggerhub.com"
        with:
          args: api:create projectnessie/nessie -f ./nessie-openapi-${{ env.RELEASE_VERSION }}.yaml --visibility=public

      - name: Unpublish on SwaggerHub
        uses: smartbear/swaggerhub-cli@20e5eaf4866bbbc44d72e9eb8a48a942c0d9e43b # v0.9.0
        continue-on-error: true
        env:
          XDG_CONFIG_HOME: "/tmp"
          SWAGGERHUB_API_KEY: ${{ secrets.SWAGGERHUB_API_KEY }}
          SWAGGERHUB_URL: "https://api.swaggerhub.com"
        with:
          args: api:unpublish projectnessie/nessie/${{ env.RELEASE_VERSION }}.yaml

      - name: Update SwaggerHub
        uses: smartbear/swaggerhub-cli@20e5eaf4866bbbc44d72e9eb8a48a942c0d9e43b # v0.9.0
        env:
          XDG_CONFIG_HOME: "/tmp"
          SWAGGERHUB_API_KEY: ${{ secrets.SWAGGERHUB_API_KEY }}
          SWAGGERHUB_URL: "https://api.swaggerhub.com"
        with:
          args: api:update projectnessie/nessie -f ./nessie-openapi-${{ env.RELEASE_VERSION }}.yaml --published=publish --setdefault --visibility=public


  create-github-release:
    runs-on: ubuntu-22.04
    timeout-minutes: 60
    environment: release
    needs:
      - prepare
      - publish-maven-central
      - publish-images
      - publish-helm
      - publish-openapi
    env:
      RELEASE_VERSION: ${{needs.prepare.outputs.release-version}}
      GIT_TAG: ${{needs.prepare.outputs.git-tag}}
      NOTES_FILE: current-release-notes.md
    steps:
      ### BEGIN runner setup
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        if: ${{ github.event_name == 'push' }}
        with:
          fetch-depth: 0
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        if: ${{ github.event_name == 'workflow_dispatch' }}
        with:
          fetch-depth: 0
          ref: refs/tags/${{ github.event.inputs.releaseTag }}
      ### END runner setup

      - name: Create dir
        run: mkdir current-release-artifacts

      - name: Get release + OpenAPI + Helm chart artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          path: current-release-artifacts
          merge-multiple: true

      - name: Create release notes file for GitHub release
        run: |
          LAST_TAG=$(git describe --abbrev=0 --tags "--match=nessie-*" ${GIT_TAG}^1)

          tools/releases/create-gh-release-notes.sh \
            -n ${NOTES_FILE} \
            -l ${LAST_TAG} \
            -t ${GIT_TAG} \
            -r ${RELEASE_VERSION} \
            -c current-release-artifacts/nessie-changelog-${RELEASE_VERSION}.md

          rm current-release-artifacts/nessie-changelog-${RELEASE_VERSION}.md

          cat "${NOTES_FILE}" >> $GITHUB_STEP_SUMMARY

      - name: GitHub login
        run: echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token

      - name: Create Nessie release in GitHub
        run: gh release create ${GIT_TAG} --notes-file ${NOTES_FILE} --title "Nessie ${RELEASE_VERSION}" current-release-artifacts/*