Skip to content

Feature / Move gateway authentication to a separate service (#477) #1553

Feature / Move gateway authentication to a separate service (#477)

Feature / Move gateway authentication to a separate service (#477) #1553

Workflow file for this run

name: Packaging
on:
# Build packages for pull requests, to make sure there are no packaging issues
pull_request:
# Re-run packaging jobs in main, to make sure there are no issues from the merge
push:
branches:
- main
# Build packages when releases are published on GitHub
# Use the release:publish event rather than looking at all tags
# Only release events will trigger the publishing jobs
release:
types:
- published
# Allow manual triggering of the packaging jobs
# This will not publish packages, but they will be available as workflow assets
workflow_dispatch:
# Use latest supported language versions for packaging jobs
env:
JAVA_VERSION: "21"
JAVA_DISTRIBUTION: "zulu"
PYTHON_VERSION: "3.12"
NODE_VERSION: "22"
jobs:
# Java publishing is managed through Gradle, which does both build and publish
# There is no neat way to split the build / publish phases across jobs
# So, include publish to Maven as a conditional step in the build job
platform_packages:
runs-on: ubuntu-latest
# BUILD_sql_h2 is turned on by default in plugins.gradle, for easy setup using the H2 SQL driver
# However to publish packages, we do not want to include any SQL drivers by default
# Consumers of the platform must decide which SQL drivers to include as part of the installation
# Later we may create quick-start / sandbox images, in which case a default SQL driver could be included
env:
BUILD_sql_h2: false
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Java
uses: actions/setup-java@v4
with:
distribution: ${{ env.JAVA_DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
# Turn on Gradle dependency caching
cache: gradle
- name: Build JARs
run: ./gradlew jar javadocJar sourcesJar -PincludeJavadoc=true -PincludeSources=true
- name: Build packages for distribution
run: ./gradlew installDist
- name: Assemble platform package
run: |
VERSION=`dev/version.sh`
mkdir -p build/dist/tracdap-platform-${VERSION}
for MODULE in build/modules/*/install/*; do
cp -R $MODULE build/dist/tracdap-platform-${VERSION}
done
cd build/dist
tar -czvf tracdap-platform-${VERSION}.tgz tracdap-platform-${VERSION}/*
- name: Assemble sandbox package
run: |
VERSION=`dev/version.sh`
mkdir -p build/dist/tracdap-sandbox-${VERSION}
for MODULE in build/modules/*/install/*; do
cp -R $MODULE/* build/dist/tracdap-sandbox-${VERSION}
done
cd build/dist
zip -r tracdap-sandbox-${VERSION}.zip tracdap-sandbox-${VERSION}
# The dist for each plugin includes all its dependency JARs
# We filter out JARs that are already included as part of the TRAC platform
# This avoids putting the same JAR on the classpath twice when a plugin is installed
# SQL Drivers plugin has special handling as it prepares its own distribution layout
- name: Assemble plugins package
run: |
VERSION=`dev/version.sh`
mkdir -p build/dist/tracdap-plugins-${VERSION}
for PLUGIN in build/plugins/*/install/*; do
PLUGIN_NAME=`basename ${PLUGIN}`
if [ "${PLUGIN_NAME}" == "sql-drivers" ]; then
cp -R ${PLUGIN} build/dist/tracdap-plugins-${VERSION}/
else
mkdir build/dist/tracdap-plugins-${VERSION}/${PLUGIN_NAME}
cp ${PLUGIN}/*.jar build/dist/tracdap-plugins-${VERSION}/${PLUGIN_NAME}/
for JAR in ${PLUGIN}/lib/*.jar; do
JAR_NAME=`basename ${JAR}`
if [ ! -f build/dist/tracdap-sandbox-${VERSION}/lib/${JAR_NAME} ]; then
cp ${JAR} build/dist/tracdap-plugins-${VERSION}/${PLUGIN_NAME}/
fi
done
fi
done
cd build/dist
zip -r tracdap-plugins-${VERSION}.zip tracdap-plugins-${VERSION}/*
- name: Save packages
uses: actions/upload-artifact@v4
with:
name: platform_packages
path: |
build/dist/*.tgz
build/dist/*.zip
retention-days: 7
# GitHub Secrets are not available in pull request builds, to prevent forked repos stealing secrets.
# Secrets are needed to build the Java artifacts, which use GPG signing
# Solution is to disable the artifact build on PRs (it will still run on merge to main)
# It is possible to work around this, but doing so would open up the secret-stealing vulnerability
- name: Build Maven artifacts
if: ${{ github.event_name != 'pull_request' }}
run: |
mkdir -p ~/.gnupg/
printf "$GPG_KEY_BASE64" | base64 --decode > ~/.gnupg/keyring.gpg
./gradlew publishToMavenLocal \
-PincludeJavadoc=true \
-PincludeSources=true \
-Psigning.secretKeyRingFile=$HOME/.gnupg/keyring.gpg \
-Psigning.keyId=$GPG_KEY_ID \
-Psigning.password=$GPG_KEY_PASSPHRASE
env:
GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }}
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
GPG_KEY_PASSPHRASE: ${{ secrets.GPG_KEY_PASSPHRASE }}
- name: Publish to Maven Central
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
run: |
mkdir -p ~/.gnupg/
printf "$GPG_KEY_BASE64" | base64 --decode > ~/.gnupg/keyring.gpg
./gradlew \
publishToSonatype closeAndReleaseSonatypeStagingRepository \
-PincludeJavadoc=true \
-PincludeSources=true \
-PsonatypeUsername=$MAVEN_USERNAME \
-PsonatypePassword=$MAVEN_PASSWORD \
-Psigning.secretKeyRingFile=$HOME/.gnupg/keyring.gpg \
-Psigning.keyId=$GPG_KEY_ID \
-Psigning.password=$GPG_KEY_PASSPHRASE
env:
MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }}
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
GPG_KEY_PASSPHRASE: ${{ secrets.GPG_KEY_PASSPHRASE }}
python_runtime_package:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: PIP Upgrade
run: python -m pip install --upgrade pip
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install build environment dependencies
run: |
pip install -r tracdap-runtime/python/requirements.txt
- name: Build runtime package
run: python tracdap-runtime/python/build_runtime.py --target dist
- name: Save artifacts
uses: actions/upload-artifact@v4
with:
name: python_runtime_package
path: tracdap-runtime/python/build/dist
retention-days: 7
web_api_package:
runs-on: ubuntu-latest
steps:
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install dependencies
run: |
cd tracdap-api/packages/web
npm install
- name: Set TRAC version
run: |
cd tracdap-api/packages/web
npm run tracVersion:posix
- name: Build API
run: |
cd tracdap-api/packages/web
npm run buildApi
- name: Create tarball
run: |
cd tracdap-api/packages/web
mkdir dist
cd dist
npm pack ..
- name: Save artifacts
uses: actions/upload-artifact@v4
with:
name: web_api_package
path: tracdap-api/packages/web/dist
retention-days: 7
publish_to_github:
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
runs-on: ubuntu-latest
needs:
- platform_packages
- python_runtime_package
- web_api_package
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get TRAC version
id: tracdap-version
run: |
tracdap_version=`dev/version.sh`
echo "tracdap_version = ${tracdap_version}"
echo "tracdap_version=${tracdap_version}" >> $GITHUB_OUTPUT
- name: Fetch platform and sandbox packages
uses: actions/download-artifact@v4
with:
name: platform_packages
path: .
- name: Fetch Python runtime package
uses: actions/download-artifact@v4
with:
name: python_runtime_package
path: tracdap-api-packages-${{ steps.tracdap-version.outputs.tracdap_version }}/python_runtime_package
- name: Fetch web API package
uses: actions/download-artifact@v4
with:
name: web_api_package
path: tracdap-api-packages-${{ steps.tracdap-version.outputs.tracdap_version }}/web_api_package
- name: Build API packages zip file
run: zip -r tracdap-api-packages-${{ steps.tracdap-version.outputs.tracdap_version }}.zip tracdap-api-packages-${{ steps.tracdap-version.outputs.tracdap_version }}/
- name: Publish platform package
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload $RELEASE_TAG tracdap-platform-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz
- name: Publish sandbox package
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload $RELEASE_TAG tracdap-sandbox-${{ steps.tracdap-version.outputs.tracdap_version }}.zip
- name: Publish plugins package
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload $RELEASE_TAG tracdap-plugins-${{ steps.tracdap-version.outputs.tracdap_version }}.zip
- name: Publish API packages
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload $RELEASE_TAG tracdap-api-packages-${{ steps.tracdap-version.outputs.tracdap_version }}.zip
publish_to_pypi:
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
runs-on: ubuntu-latest
needs:
- python_runtime_package
steps:
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install Twine
run: |
python -m pip install --upgrade pip
pip install twine
- name: Fetch Python runtime package
uses: actions/download-artifact@v4
with:
name: python_runtime_package
path: tracdap_dist/
- name: Publish to PyPI
env:
TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
run: |
ls tracdap_dist/*
twine upload --username __token__ tracdap_dist/*
publish_to_npm:
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
runs-on: ubuntu-latest
needs:
- web_api_package
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get TRAC version
id: tracdap-version
run: |
tracdap_version=`dev/version.sh`
tracdap_tag=`dev/version_tag.sh ${tracdap_version}`
echo "tracdap_version = ${tracdap_version}"
echo "tracdap_tag = ${tracdap_tag}"
echo "tracdap_tag=${tracdap_tag}" >> $GITHUB_OUTPUT
- name: Fetch web API package
uses: actions/download-artifact@v4
with:
name: web_api_package
path: tracdap_dist/
# NPM publish wants a folder in NPM layout
# So, extract the tarball and publish using the NPM package files
# Also, add an entry in .npmrc to tell NPM to use an auth token from the environment
- name: Publish to NPM
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TAG: ${{ steps.tracdap-version.outputs.tracdap_tag }}
run: |
tar -xzvf tracdap_dist/*
cd package
echo //registry.npmjs.org/:_authToken=\$\{NPM_TOKEN\} >> .npmrc
npm publish --access public --tag ${NPM_TAG}