33 push :
44 pull_request_target :
55 types : [labeled]
6+
7+ env :
8+ JAVA_VERSION : 21
9+
610jobs :
711 build :
812 name : Build and Test
913 runs-on : ubuntu-latest
14+ permissions :
15+ id-token : write # Required for the attestations step
16+ attestations : write # Required for the attestations step
17+ outputs :
18+ sha256 : ${{ steps.checksums.outputs.sha256 }}
1019 steps :
1120 - uses : actions/checkout@v5
12- with :
13- fetch-depth : 0
1421 - uses : actions/setup-java@v5
1522 with :
16- java-version : 21
17- distribution : ' zulu '
23+ distribution : ' temurin '
24+ java-version : ${{ env.JAVA_VERSION }}
1825 cache : ' maven'
1926 - name : Cache SonarCloud packages
2027 uses : actions/cache@v4
@@ -24,10 +31,10 @@ jobs:
2431 restore-keys : ${{ runner.os }}-sonar
2532 - name : Ensure to use tagged version
2633 if : startsWith(github.ref, 'refs/tags/')
27- run : ./mvnw -B versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
34+ run : ./mvnw versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
2835 - name : Build and Test
2936 run : >
30- ./mvnw -B verify
37+ ./mvnw -B verify --no-transfer-progress
3138 jacoco:report
3239 org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
3340 -Pcoverage
3744 env :
3845 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
3946 SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
40- - uses : actions/upload-artifact@v5
41- with :
42- name : artifacts
43- path : target/*.jar
4447 - name : Calculate Checksums
4548 id : checksums
4649 run : |
@@ -49,11 +52,89 @@ jobs:
4952 shasum -a256 target/*.jar
5053 echo EOF
5154 } >> $GITHUB_OUTPUT
52- - name : Create Release
55+ - name : Attest
5356 if : startsWith(github.ref, 'refs/tags/')
57+ uses : actions/attest-build-provenance@v3
58+ with :
59+ subject-path : |
60+ target/*.jar
61+ target/*.pom
62+ - uses : actions/upload-artifact@v5
63+ with :
64+ name : artifacts
65+ path : target/*.jar
66+
67+ deploy-central :
68+ name : Deploy to Maven Central
69+ runs-on : ubuntu-latest
70+ permissions : {}
71+ needs : [build]
72+ if : github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
73+ steps :
74+ - uses : actions/checkout@v5
75+ - uses : actions/setup-java@v5
76+ with :
77+ distribution : ' temurin'
78+ java-version : ${{ env.JAVA_VERSION }}
79+ cache : ' maven'
80+ server-id : central
81+ server-username : MAVEN_CENTRAL_USERNAME
82+ server-password : MAVEN_CENTRAL_PASSWORD
83+ - name : Verify project version matches tag
84+ if : startsWith(github.ref, 'refs/tags/')
85+ run : |
86+ PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
87+ test "$PROJECT_VERSION" = "${GITHUB_REF##*/}"
88+ - name : Deploy to Maven Central
89+ run : ./mvnw deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress
90+ env :
91+ MAVEN_CENTRAL_USERNAME : ${{ secrets.MAVEN_CENTRAL_USERNAME }}
92+ MAVEN_CENTRAL_PASSWORD : ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
93+ MAVEN_GPG_PASSPHRASE : ${{ secrets.RELEASES_GPG_PASSPHRASE }}
94+ MAVEN_GPG_KEY : ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
95+ MAVEN_GPG_KEY_FINGERPRINT : ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
96+
97+ deploy-github :
98+ name : Deploy to GitHub Packages
99+ runs-on : ubuntu-latest
100+ permissions :
101+ packages : write # Required for the deploy to GitHub Packages step
102+ needs : [build]
103+ if : github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
104+ steps :
105+ - uses : actions/checkout@v5
106+ - uses : actions/setup-java@v5
107+ with :
108+ java-version : ${{ env.JAVA_VERSION }}
109+ distribution : ' temurin'
110+ cache : ' maven'
111+ - name : Verify project version matches tag
112+ if : startsWith(github.ref, 'refs/tags/')
113+ run : |
114+ PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
115+ test "$PROJECT_VERSION" = "${GITHUB_REF##*/}"
116+ - name : Deploy to GitHub Packages
117+ run : ./mvnw deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress
118+ env :
119+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
120+ MAVEN_GPG_PASSPHRASE : ${{ secrets.RELEASES_GPG_PASSPHRASE }}
121+ MAVEN_GPG_KEY : ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
122+ MAVEN_GPG_KEY_FINGERPRINT : ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
123+
124+ release :
125+ name : Release
126+ runs-on : ubuntu-latest
127+ permissions :
128+ contents : write # Required for the release step
129+ needs : [build, deploy-central, deploy-github]
130+ if : startsWith(github.ref, 'refs/tags/')
131+ steps :
132+ - name : Create Release
54133 uses : softprops/action-gh-release@v2
55134 with :
135+ prerelease : true
56136 token : ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
137+ generate_release_notes : true
57138 body : |-
58139 ### Maven Coordinates
59140 ```xml
66147
67148 ### Artifact Checksums
68149 ```txt
69- ${{ steps.checksums .outputs.sha256 }}
150+ ${{ needs.build .outputs.sha256 }}
70151 ```
71152
72- See [README.md](https://github.com/cryptomator/siv-mode/#reproducible-builds) section regarding reproducing this build.
73- generate_release_notes : true
153+ See [README.md](https://github.com/cryptomator/siv-mode/#reproducible-builds) section regarding reproducing this build.