Avoid filtering by lastSeenFile where a post process action is config… #43
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish New Java Release | |
on: | |
push: | |
tags: | |
- "*" | |
workflow_dispatch: | |
jobs: | |
validate-tag: | |
runs-on: ubuntu-latest | |
outputs: | |
draft_release: ${{ steps.get_tag.outputs.draft_release }} | |
tag: ${{ steps.get_tag.outputs.tag }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Get tag, release mode | |
shell: bash | |
id: get_tag | |
run: | | |
if [[ ${GITHUB_REF##*/} =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; | |
then | |
draft_release=false | |
elif [[ ${GITHUB_REF##*/} =~ ^[0-9]+\.[0-9]+\.[0-9]+(-(alpha|beta|rc)(\.[0-9]+)?)?(\+[A-Za-z0-9.]+)?$ ]]; | |
then | |
draft_release=true | |
else | |
echo "Exiting, github ref needs to be a tag with format x.y.z or x.y.z-(alpha|beta|rc)" | |
exit 1 | |
fi | |
echo "draft_release=$draft_release" >> $GITHUB_OUTPUT | |
echo "tag=${GITHUB_REF##*/}" >> $GITHUB_OUTPUT | |
build: | |
needs: | |
- validate-tag | |
uses: ./.github/workflows/java-build.yml | |
with: | |
version: ${{ needs.validate-tag.outputs.tag }} | |
secrets: inherit | |
antivirus-scan-initialization: | |
timeout-minutes: 15 | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install and Update Antivirus Software | |
run: | | |
# Install ClamAV | |
sudo apt-get update | |
sudo apt-get install -y clamav | |
sudo systemctl stop clamav-freshclam | |
sudo freshclam || exit 0 | |
- name: Run Antivirus Scan for Source Code | |
run: | | |
clamscan --recursive --alert-broken --alert-encrypted \ | |
--alert-encrypted-archive --alert-exceeds-max --detect-pua . | |
- name: Cache Antivirus Database | |
uses: actions/cache/save@v4 | |
with: | |
path: /var/lib/clamav | |
key: clamav-database-${{ github.run_id }} | |
antivirus-scan: | |
needs: | |
- build | |
- antivirus-scan-initialization | |
timeout-minutes: 30 | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
module: ${{fromJSON(needs.build.outputs.java_modules)}} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Uncache assembly | |
uses: actions/cache/restore@v4 | |
with: | |
path: | | |
./java-connectors/release/libs/${{ matrix.module }}/*.jar | |
key: assembly-java-all-${{ github.run_id }} | |
fail-on-cache-miss: true | |
- name: Install Antivirus Software | |
run: | | |
# Install ClamAV and prepare database directory to be restored | |
sudo apt-get update && sudo apt-get install -y clamav | |
sudo systemctl stop clamav-freshclam | |
sudo chmod 777 /var/lib/clamav | |
- name: Restore Antivirus Database | |
uses: actions/cache/restore@v4 | |
with: | |
path: /var/lib/clamav | |
key: clamav-database-${{ github.run_id }} | |
- name: Run Antivirus Scan | |
run: | | |
clamscan --recursive --alert-broken --alert-encrypted \ | |
--alert-encrypted-archive --alert-exceeds-max \ | |
--include-pua=Unix --include-pua=Java \ | |
--max-scansize=1000m --max-scantime=1200000 \ | |
--max-filesize=500m --max-files=100000 \ | |
java-connectors/release/ | |
create-release: | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
id-token: write | |
contents: write | |
attestations: write | |
needs: | |
- validate-tag | |
- build | |
- antivirus-scan | |
strategy: | |
# Avoid parallel uploads | |
max-parallel: 1 | |
# GitHub will NOT cancel all in-progress and queued jobs in the matrix if any job in the matrix fails, which could create inconsistencies. | |
# If any matrix job fails, the job will be marked as failure | |
fail-fast: false | |
matrix: | |
module: ${{fromJSON(needs.build.outputs.java_modules)}} | |
env: | |
DRAFT_RELEASE: '${{ needs.validate-tag.outputs.draft_release }}' | |
TAG: ${{ needs.validate-tag.outputs.tag }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Set up JDK 17 | |
uses: actions/setup-java@v4 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
cache: 'gradle' | |
- name: Uncache assembly | |
uses: actions/cache/restore@v4 | |
with: | |
path: | | |
./java-connectors/release/${{ matrix.module }}*.jar | |
key: assembly-java-${{ github.run_id }} | |
fail-on-cache-miss: true | |
- name: Generate SBOM | |
uses: anchore/sbom-action@v0 | |
with: | |
format: 'spdx-json' | |
path: java-connectors/release | |
artifact-name: '${{ matrix.module }}-${{ env.TAG }}.sbom.spdx.json' | |
output-file: ${{ github.workspace }}/${{ matrix.module }}-${{ env.TAG }}.sbom.spdx.json | |
upload-release-assets: false | |
- name: Package Connector | |
shell: bash | |
run: | | |
JAVA_RELEASE_FOLDER=java-connectors/release | |
FOLDER=${{ matrix.module }}-${{ env.TAG }} | |
mkdir -p $FOLDER | |
cp $JAVA_RELEASE_FOLDER/${{ matrix.module }}*.jar LICENSE ${{ matrix.module }}-${{ env.TAG }}.sbom.spdx.json $FOLDER/ | |
zip -r "$FOLDER.zip" $FOLDER/ | |
- name: Upload binaries to release | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
file: ${{ matrix.module }}-${{ env.TAG }}.zip | |
asset_name: "${{ matrix.module }}-${{ env.TAG }}.zip" | |
release_name: 'Stream Reactor ${{ env.TAG }}' | |
prerelease: ${{ env.DRAFT_RELEASE }} | |
- name: Generate SBOM attestation | |
uses: actions/attest-sbom@v1 | |
with: | |
subject-path: ${{ matrix.module }}-${{ env.TAG }}.zip | |
sbom-path: '${{ matrix.module }}-${{ env.TAG }}.sbom.spdx.json' | |
- name: Generate artifact attestation | |
uses: actions/attest-build-provenance@v1 | |
with: | |
subject-path: ${{ matrix.module }}-${{ env.TAG }}.zip |