vgi-java/.github/workflows/release.yml at main · Query-farm/vgi-java · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
# Copyright 2026 Query Farm LLC - https://query.farm
name: Release to Maven Central

# Publishes the library module (farm.query:vgi) to the Sonatype Central Portal
# when a GitHub Release is published.
#
# NOTE: the upload auto-releases (automaticRelease = true in build.gradle.kts):
# once it passes Portal validation it goes live on Maven Central with no manual
# "Publish" click. Set automaticRelease = false to re-gate on the Portal UI
# (https://central.sonatype.com/publishing/deployments).
#
# Required repository secrets:
#   MAVEN_CENTRAL_USERNAME  - Central Portal user-token username
#   MAVEN_CENTRAL_PASSWORD  - Central Portal user-token password
#   SIGNING_KEY             - ASCII-armored GPG private key (full block)
#   SIGNING_PASSWORD        - passphrase for that GPG key
#
# These live as repo-level secrets. To gate releases behind manual approval,
# create a GitHub Environment (e.g. "maven-central") with a required reviewer,
# move the secrets into it, and add `environment: maven-central` to the job.
#
# To cut a release: bump `version` in build.gradle.kts, push, then create a
# GitHub Release whose tag is the version (with or without a leading "v"),
# e.g. tag "v0.1.0" for version 0.1.0.
#
# The sibling vgi-rpc-java composite build is absent on CI, so the :vgi
# dependency on farm.query:vgirpc resolves from Maven Central (the published
# release pinned in vgi/build.gradle.kts) rather than from source.

on:
  release:
    types: [published]

permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # JDK 25 is the build toolchain (the bytecode target is release 21).
      - name: Set up JDK 25
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '25'

      - name: Cache Gradle
        uses: actions/cache@v4
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: gradle-${{ runner.os }}-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
          restore-keys: gradle-${{ runner.os }}-

      # Fail fast if the release tag doesn't match the version in build.gradle.kts,
      # so a forgotten version bump can't publish the wrong coordinates.
      - name: Verify tag matches project version
        run: |
          PROJECT_VERSION=$(grep -oE 'version = "[^"]+"' build.gradle.kts | head -1 | cut -d'"' -f2)
          TAG="${GITHUB_REF_NAME#v}"
          echo "project version: $PROJECT_VERSION"
          echo "release tag:     $TAG"
          if [ "$PROJECT_VERSION" != "$TAG" ]; then
            echo "::error::Release tag '$TAG' does not match build.gradle.kts version '$PROJECT_VERSION'."
            exit 1
          fi

      - name: Test
        run: ./gradlew --no-daemon :vgi:test

      - name: Publish to Maven Central (auto-released after validation)
        run: ./gradlew --no-daemon :vgi:publishToMavenCentral
        env:
          ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
          ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
          ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.SIGNING_KEY }}
          ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.SIGNING_PASSWORD }}