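---
# Manually triggered release: checks the publishing credentials, builds the
# requested tag, then signs and deploys the artifacts with Maven.
name: Deploy to Maven Central

on:
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag to deploy (e.g. v1.5.1)"
        required: true

# GITHUB_TOKEN gets no scopes at workflow level or job level; publishing uses
# the Sonatype and GPG secrets only.
permissions: {}

jobs:
  deploy:
    # Skip the job outright when the workflow is dispatched in a fork.
    if: ${{ github.repository == 'prometheus/client_java' }}
    # NOTE(review): presumably the release secrets are scoped to this
    # environment and gated by its protection rules - confirm in repo settings.
    environment: release
    runs-on: ubuntu-24.04
    permissions: {}

    steps:
      # Pre-flight check so a stale token or key fails fast, before the build.
      # The secrets are exposed to this step and to the publish step only; the
      # checkout and build steps in between receive none of them.
      - name: Verify release secrets
        env:
          MAVEN_USERNAME: ${{ secrets.SONATYPE_MAVEN_REPOSITORY_USERNAME }}
          MAVEN_CENTRAL_TOKEN: ${{ secrets.SONATYPE_MAVEN_REPOSITORY_PASSWORD }}
          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
          GPG_SIGNING_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
        run: |
          fail() {
            echo "::error::$1"
            echo "::error::Fix: see '$2' in RELEASING.md"
            exit 1
          }

          # Private scratch directory (mktemp -d creates it mode 0700) holding
          # a throwaway keyring and the log files. Without it the secret key
          # would be imported into the runner's default keyring, and gpg-agent
          # may cache the passphrase, while the tagged build runs in the next
          # steps. Everything is removed when the step exits, on success or
          # failure.
          workdir=$(mktemp -d)
          GNUPGHOME="${workdir}/gnupg"
          export GNUPGHOME
          mkdir -m 700 "${GNUPGHOME}"
          trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "${workdir}"' EXIT

          # Sonatype token
          # -S keeps curl quiet on success but reports transport errors, so an
          # aborted step is explainable from the log.
          # NOTE(review): only a body containing "Invalid token" is treated as
          # a failure; any other error response passes this check.
          # NOTE(review): -u passes the credentials on curl's command line.
          response=$(curl -sS -u "${MAVEN_USERNAME}:${MAVEN_CENTRAL_TOKEN}" \
            "https://central.sonatype.com/api/v1/publisher/status?id=test")
          echo "Sonatype response: ${response}"
          if echo "${response}" | grep -q "Invalid token"; then
            fail "Sonatype Central token is invalid." \
              "If the Sonatype Central Token is Invalid"
          fi

          # GPG key import
          if ! echo "${GPG_SIGNING_KEY}" | gpg --batch --import 2>&1 | \
              tee "${workdir}/gpg-import.log" | \
              grep -q "secret key imported\|secret keys read"; then
            cat "${workdir}/gpg-import.log"
            fail "GPG_SIGNING_KEY did not import a secret key." \
              "If the GPG Key Expired"
          fi

          # GPG passphrase
          key_id=$(gpg --list-secret-keys --with-colons | \
            awk -F: '/^sec:/ { print $5; exit }')
          if [ -z "${key_id}" ]; then
            fail "No secret key available after import." \
              "If the GPG Key Expired"
          fi
          # The passphrase is handed to gpg on file descriptor 3 rather than
          # as an argument, so it never appears in the process list. stdin
          # stays free for the text being signed.
          if ! echo "test" | gpg --batch --pinentry-mode loopback \
              --passphrase-fd 3 -u "${key_id}" --clearsign \
              >/dev/null 2>"${workdir}/gpg-sign.log" \
              3<<<"${GPG_SIGNING_PASSPHRASE}"; then
            cat "${workdir}/gpg-sign.log"
            fail "GPG_SIGNING_PASSPHRASE does not match GPG_SIGNING_KEY." \
              "If the GPG Key Expired"
          fi

      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the release each SHA corresponds to.
      - name: Checkout Plugin Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # The tag is passed as an action input, never interpolated into a
          # shell command.
          ref: ${{ inputs.tag }}
          # Do not leave the checkout token in the local git config where the
          # build could read it.
          persist-credentials: false

      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0
        with:
          # Exact tool version plus the digest of its download.
          version: v2026.5.18
          sha256: cfac593469d028d7ae5fe36e37bd7c59118b5238e92d8a876209578464f24a84
          cache: false

      # Runs code from the checked-out tag with no secrets in its environment.
      - name: Build release version
        run: mise run build-release

      - name: Set up Apache Maven Central
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
        with:
          distribution: "temurin"
          java-version: "21"
          server-id: ossrh
          # These three inputs are NAMES of environment variables that Maven
          # reads at deploy time, not the secret values themselves.
          server-username: MAVEN_USERNAME
          server-password: MAVEN_CENTRAL_TOKEN
          gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
          gpg-passphrase: MAVEN_GPG_PASSPHRASE

      # The only step after the pre-flight check that receives the publishing
      # credentials.
      - name: Publish to Apache Maven Central
        run: mvn deploy -P 'release,!default' -Dmaven.test.skip=true
        env:
          MAVEN_USERNAME: ${{ secrets.SONATYPE_MAVEN_REPOSITORY_USERNAME }}
          MAVEN_CENTRAL_TOKEN: ${{ secrets.SONATYPE_MAVEN_REPOSITORY_PASSWORD }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}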