-
Notifications
You must be signed in to change notification settings - Fork 12
404 lines (323 loc) · 13 KB
/
packaging.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
name: Packaging
on:
# Build packages for pull requests, to make sure there are no packaging issues
pull_request:
# Re-run packaging jobs in main, to make sure there are no issues from the merge
push:
branches:
- main
# Build packages when releases are published on GitHub
# Use the release:publish event rather than looking at all tags
# Only release events will trigger the publishing jobs
release:
types:
- published
# Allow manual triggering of the packaging jobs
# This will not publish packages, but they will be available as workflow assets
workflow_dispatch:
# Use latest supported language versions for packaging jobs
env:
JAVA_VERSION: "21"
JAVA_DISTRIBUTION: "zulu"
PYTHON_VERSION: "3.12"
NODE_VERSION: "22"
jobs:
# Java publishing is managed through Gradle, which does both build and publish
# There is no neat way to split the build / publish phases across jobs
# So, include publish to Maven as a conditional step in the build job
platform_packages:
runs-on: ubuntu-latest
# BUILD_sql_h2 is turned on by default in plugins.gradle, for easy setup using the H2 SQL driver
# However to publish packages, we do not want to include any SQL drivers by default
# Consumers of the platform must decide which SQL drivers to include as part of the installation
# Later we may create quick-start / sandbox images, in which case a default SQL driver could be included
env:
BUILD_sql_h2: false
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Java
uses: actions/setup-java@v4
with:
distribution: ${{ env.JAVA_DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
# Turn on Gradle dependency caching
cache: gradle
- name: Build JARs
run: ./gradlew jar javadocJar sourcesJar -PincludeJavadoc=true -PincludeSources=true
- name: Build packages for distribution
run: ./gradlew installDist
- name: Assemble platform package
run: |
VERSION=`dev/version.sh`
mkdir -p build/dist/tracdap-platform-${VERSION}
for MODULE in build/modules/*/install/*; do
cp -R $MODULE build/dist/tracdap-platform-${VERSION}
done
cd build/dist
tar -czvf tracdap-platform-${VERSION}.tgz tracdap-platform-${VERSION}/*
- name: Assemble sandbox package
run: |
VERSION=`dev/version.sh`
mkdir -p build/dist/tracdap-sandbox-${VERSION}
for MODULE in build/modules/*/install/*; do
cp -R $MODULE/* build/dist/tracdap-sandbox-${VERSION}
done
cd build/dist
zip -r tracdap-sandbox-${VERSION}.zip tracdap-sandbox-${VERSION}
# The dist for each plugin includes all its dependency JARs
# We filter out JARs that are already included as part of the TRAC platform
# This avoids putting the same JAR on the classpath twice when a plugin is installed
# SQL Drivers plugin has special handling as it prepares its own distribution layout
- name: Assemble plugins package
run: |
VERSION=`dev/version.sh`
mkdir -p build/dist/tracdap-plugins-${VERSION}
for PLUGIN in build/plugins/*/install/*; do
PLUGIN_NAME=`basename ${PLUGIN}`
if [ "${PLUGIN_NAME}" == "sql-drivers" ]; then
cp -R ${PLUGIN} build/dist/tracdap-plugins-${VERSION}/
else
mkdir build/dist/tracdap-plugins-${VERSION}/${PLUGIN_NAME}
cp ${PLUGIN}/*.jar build/dist/tracdap-plugins-${VERSION}/${PLUGIN_NAME}/
for JAR in ${PLUGIN}/lib/*.jar; do
JAR_NAME=`basename ${JAR}`
if [ ! -f build/dist/tracdap-sandbox-${VERSION}/lib/${JAR_NAME} ]; then
cp ${JAR} build/dist/tracdap-plugins-${VERSION}/${PLUGIN_NAME}/
fi
done
fi
done
cd build/dist
zip -r tracdap-plugins-${VERSION}.zip tracdap-plugins-${VERSION}/*
- name: Save packages
uses: actions/upload-artifact@v4
with:
name: platform_packages
path: |
build/dist/*.tgz
build/dist/*.zip
retention-days: 7
# GitHub Secrets are not available in pull request builds, to prevent forked repos stealing secrets.
# Secrets are needed to build the Java artifacts, which use GPG signing
# Solution is to disable the artifact build on PRs (it will still run on merge to main)
# It is possible to work around this, but doing so would open up the secret-stealing vulnerability
- name: Build Maven artifacts
if: ${{ github.event_name != 'pull_request' }}
run: |
mkdir -p ~/.gnupg/
printf "$GPG_KEY_BASE64" | base64 --decode > ~/.gnupg/keyring.gpg
./gradlew publishToMavenLocal \
-PincludeJavadoc=true \
-PincludeSources=true \
-Psigning.secretKeyRingFile=$HOME/.gnupg/keyring.gpg \
-Psigning.keyId=$GPG_KEY_ID \
-Psigning.password=$GPG_KEY_PASSPHRASE
env:
GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }}
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
GPG_KEY_PASSPHRASE: ${{ secrets.GPG_KEY_PASSPHRASE }}
- name: Publish to Maven Central
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
run: |
mkdir -p ~/.gnupg/
printf "$GPG_KEY_BASE64" | base64 --decode > ~/.gnupg/keyring.gpg
./gradlew \
publishToSonatype closeAndReleaseSonatypeStagingRepository \
-PincludeJavadoc=true \
-PincludeSources=true \
-PsonatypeUsername=$MAVEN_USERNAME \
-PsonatypePassword=$MAVEN_PASSWORD \
-Psigning.secretKeyRingFile=$HOME/.gnupg/keyring.gpg \
-Psigning.keyId=$GPG_KEY_ID \
-Psigning.password=$GPG_KEY_PASSPHRASE
env:
MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }}
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
GPG_KEY_PASSPHRASE: ${{ secrets.GPG_KEY_PASSPHRASE }}
python_runtime_package:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: PIP Upgrade
run: python -m pip install --upgrade pip
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install build environment dependencies
run: |
pip install -r tracdap-runtime/python/requirements.txt
- name: Build runtime package
env:
TRAC_PYTHON_BUILD_ISOLATION: false
run: python tracdap-runtime/python/build_runtime.py --target dist
- name: Save artifacts
uses: actions/upload-artifact@v4
with:
name: python_runtime_package
path: tracdap-runtime/python/build/dist
retention-days: 7
web_api_package:
runs-on: ubuntu-latest
steps:
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install dependencies
run: |
cd tracdap-api/packages/web
npm install
- name: Set TRAC version
run: |
cd tracdap-api/packages/web
npm run tracVersion:posix
- name: Build API
run: |
cd tracdap-api/packages/web
npm run buildApi
- name: Create tarball
run: |
cd tracdap-api/packages/web
mkdir dist
cd dist
npm pack ..
- name: Save artifacts
uses: actions/upload-artifact@v4
with:
name: web_api_package
path: tracdap-api/packages/web/dist
retention-days: 7
publish_to_github:
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
runs-on: ubuntu-latest
needs:
- platform_packages
- python_runtime_package
- web_api_package
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get TRAC version
id: tracdap-version
run: |
tracdap_version=`dev/version.sh`
echo "tracdap_version = ${tracdap_version}"
echo "tracdap_version=${tracdap_version}" >> $GITHUB_OUTPUT
- name: Fetch platform and sandbox packages
uses: actions/download-artifact@v4
with:
name: platform_packages
path: .
- name: Fetch Python runtime package
uses: actions/download-artifact@v4
with:
name: python_runtime_package
path: tracdap-api-packages-${{ steps.tracdap-version.outputs.tracdap_version }}/python_runtime_package
- name: Fetch web API package
uses: actions/download-artifact@v4
with:
name: web_api_package
path: tracdap-api-packages-${{ steps.tracdap-version.outputs.tracdap_version }}/web_api_package
- name: Build API packages zip file
run: zip -r tracdap-api-packages-${{ steps.tracdap-version.outputs.tracdap_version }}.zip tracdap-api-packages-${{ steps.tracdap-version.outputs.tracdap_version }}/
- name: Publish platform package
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload $RELEASE_TAG tracdap-platform-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz
- name: Publish sandbox package
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload $RELEASE_TAG tracdap-sandbox-${{ steps.tracdap-version.outputs.tracdap_version }}.zip
- name: Publish plugins package
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload $RELEASE_TAG tracdap-plugins-${{ steps.tracdap-version.outputs.tracdap_version }}.zip
- name: Publish API packages
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload $RELEASE_TAG tracdap-api-packages-${{ steps.tracdap-version.outputs.tracdap_version }}.zip
publish_to_pypi:
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
runs-on: ubuntu-latest
needs:
- python_runtime_package
steps:
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install Twine
run: |
python -m pip install --upgrade pip
pip install twine
- name: Fetch Python runtime package
uses: actions/download-artifact@v4
with:
name: python_runtime_package
path: tracdap_dist/
- name: Publish to PyPI
env:
TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
run: |
ls tracdap_dist/*
twine upload --username __token__ tracdap_dist/*
publish_to_npm:
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
runs-on: ubuntu-latest
needs:
- web_api_package
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get TRAC version
id: tracdap-version
run: |
tracdap_version=`dev/version.sh`
tracdap_tag=`dev/version_tag.sh ${tracdap_version}`
echo "tracdap_version = ${tracdap_version}"
echo "tracdap_tag = ${tracdap_tag}"
echo "tracdap_tag=${tracdap_tag}" >> $GITHUB_OUTPUT
- name: Fetch web API package
uses: actions/download-artifact@v4
with:
name: web_api_package
path: tracdap_dist/
# NPM publish wants a folder in NPM layout
# So, extract the tarball and publish using the NPM package files
# Also, add an entry in .npmrc to tell NPM to use an auth token from the environment
- name: Publish to NPM
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TAG: ${{ steps.tracdap-version.outputs.tracdap_tag }}
run: |
tar -xzvf tracdap_dist/*
cd package
echo //registry.npmjs.org/:_authToken=\$\{NPM_TOKEN\} >> .npmrc
npm publish --access public --tag ${NPM_TAG}