build: Introduce GA/EA Release Types in GitHub Actions

Author: p-marcin

.github/actions/prepare/action.yml

@@ -17,6 +17,10 @@ inputs:
     description: "Enables or disables 'Install UPX' step"
     required: false
     default: "false"
+  release-type:
+    description: "Release type"
+    required: false
+    default: "EA"
 
 runs:
   using: composite
@@ -36,6 +40,7 @@ runs:
           *) echo "Unsupported RUNNER_ARCH: $RUNNER_ARCH"; exit 1 ;;
         esac
         echo "ARCH=${ARCH}" >> "$GITHUB_ENV"
+        echo "PROJECT_VERSION=$(yq -r '.project.version' "jreleaser.yml" | sed "s/-.*//")" >> ${GITHUB_ENV}
         echo "JDK_VERSION=$(xmlstarlet sel -N "n=http://maven.apache.org/POM/4.0.0" -t -v "/n:project/n:properties/n:graalvm-jdk.version" "pom.xml")" >> ${GITHUB_ENV}
         echo "SYFT_VERSION=$(xmlstarlet sel -N "n=http://maven.apache.org/POM/4.0.0" -t -v "/n:project/n:properties/n:syft.version" "pom.xml")" >> ${GITHUB_ENV}
         echo "SYFT_SHA256=$(xmlstarlet sel -N "n=http://maven.apache.org/POM/4.0.0" -t -v "/n:project/n:properties/n:syft.sha256.linux-${ARCH}" "pom.xml")" >> ${GITHUB_ENV}
@@ -80,6 +85,17 @@ runs:
         restore-keys: |
           ${{ runner.os }}-${{ inputs.maven-repo-cache-key }}-
 
+    - name: "Set Project Version in JReleaser"
+      if: ${{ inputs.release-type == 'GA' }}
+      uses: mikefarah/yq@v4
+      with:
+        cmd: yq -i '.project.version = strenv(PROJECT_VERSION)' "jreleaser.yml"
+
+    - name: "Set Project Version in Maven"
+      if: ${{ inputs.release-type == 'GA' }}
+      shell: bash
+      run: ./mvnw versions:set -DnewVersion="${PROJECT_VERSION}" -DgenerateBackupPoms=false
+
     - name: "Generate Workflow Stats"
       if: ${{ inputs.generate-workflow-stats == 'true' }}
       shell: bash

.github/workflows/call-project-version-bump.yml

@@ -0,0 +1,94 @@
+name: "Call: Project Version Bump"
+
+on:
+  workflow_call:
+    secrets:
+      JDHEIM_ACTIONS_BOT_CLIENT_ID:
+        required: true
+      JDHEIM_ACTIONS_BOT_PRIVATE_KEY:
+        required: true
+    inputs:
+      project-version-bump-type:
+        description: "Part of the project version to bump: MAJOR, MINOR, or PATCH"
+        required: true
+        type: string
+      draft-release:
+        description: "Create draft release"
+        required: true
+        type: string
+
+jobs:
+  project-version-bump:
+    name: "Project Version Bump"
+    timeout-minutes: 15
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Generate Token of jdheim-actions[bot]"
+        id: jdheim-actions-bot-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.JDHEIM_ACTIONS_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.JDHEIM_ACTIONS_BOT_PRIVATE_KEY }}
+
+      - name: "Checkout"
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.jdheim-actions-bot-token.outputs.token }}
+
+      - name: "Get Project Version"
+        id: get-project-version
+        uses: mikefarah/yq@v4
+        with:
+          cmd: yq '.project.version' "jreleaser.yml"
+
+      - name: "Bump Project Version"
+        env:
+          PROJECT_VERSION: ${{ steps.get-project-version.outputs.result }}
+          PROJECT_VERSION_BUMP_TYPE: ${{ inputs.project-version-bump-type }}
+        shell: bash
+        run: |
+          if [[ -z "${PROJECT_VERSION}" || "${PROJECT_VERSION}" == "null" ]]; then
+            echo "Project Version Bump failed as it could not be resolved"
+            exit 1
+          else
+            IFS='.' read -r major minor patch <<< "${PROJECT_VERSION%%-*}"
+            case "${PROJECT_VERSION_BUMP_TYPE}" in
+              MAJOR) major=$((major + 1)); minor=0; patch=0 ;;
+              MINOR) minor=$((minor + 1)); patch=0 ;;
+              PATCH) patch=$((patch + 1)) ;;
+              *) echo "Invalid project-version-bump-type: ${PROJECT_VERSION_BUMP_TYPE}"
+                echo "Allowed values: MAJOR, MINOR, PATCH"
+                exit 1 ;;
+            esac
+            BUMPED_PROJECT_VERSION="${major}.${minor}.${patch}-SNAPSHOT"
+          fi
+          echo "BUMPED_PROJECT_VERSION=${BUMPED_PROJECT_VERSION}" >> "$GITHUB_ENV"
+
+      - name: "Set Project Version in JReleaser"
+        uses: mikefarah/yq@v4
+        with:
+          cmd: yq -i '.project.version = strenv(BUMPED_PROJECT_VERSION)' "jreleaser.yml"
+
+      - name: "Set Project Version in Maven"
+        shell: bash
+        run: ./mvnw versions:set -DnewVersion="${BUMPED_PROJECT_VERSION}" -DgenerateBackupPoms=false
+
+      - name: "Verify changes"
+        shell: bash
+        run: |
+          if [[ -z "$(git status --porcelain)" ]]; then
+            echo "No changes to commit. Project Version Bump failed"
+            exit 1
+          fi
+
+      - name: "Commit and Push"
+        uses: IAreKyleW00t/verified-bot-commit@v2
+        if: ${{ inputs.draft-release != 'true' }}
+        with:
+          message: "chore: Bump Project Version to ${{ env.BUMPED_PROJECT_VERSION }}"
+          ref: ${{ github.ref_name }}
+          token: ${{ steps.jdheim-actions-bot-token.outputs.token }}
+          files: |
+            **

.github/workflows/call-release.yml

@@ -10,6 +10,10 @@ on:
       JDHEIM_GPG_PASSPHRASE:
         required: true
     inputs:
+      release-type:
+        description: "Release type"
+        required: true
+        type: string
       draft-release:
         description: "Create draft release"
         required: true
@@ -46,7 +50,8 @@ jobs:
       - name: "Prepare"
         uses: ./.github/actions/prepare
         with:
-          maven-repo-cache-key: "release-m2-repo"
+          maven-repo-cache-key: release-m2-repo
+          release-type: ${{ inputs.release-type }}
 
       - name: "Download ToolFetch Archives"
         uses: actions/download-artifact@v8

.github/workflows/call-scan-owasp.yml

@@ -22,7 +22,7 @@ jobs:
       - name: "Prepare"
         uses: ./.github/actions/prepare
         with:
-          maven-repo-cache-key: "owasp-scan-m2-repo"
+          maven-repo-cache-key: owasp-scan-m2-repo
 
       # https://dependency-check.github.io/DependencyCheck/analyzers/assembly-analyzer.html
       - name: "Install .NET SDK required by AssemblyAnalyzer"

.github/workflows/call-scan.yml

@@ -35,7 +35,7 @@ jobs:
       - name: "Prepare"
         uses: ./.github/actions/prepare
         with:
-          maven-repo-cache-key: "${{ inputs.maven-repo-cache-key-prefix }}-${{ matrix.scan.id }}"
+          maven-repo-cache-key: ${{ inputs.maven-repo-cache-key-prefix }}-${{ matrix.scan.id }}
 
       - name: "Scan"
         working-directory: scripts

.github/workflows/call-test-native.yml

@@ -31,7 +31,7 @@ jobs:
       - name: "Prepare"
         uses: ./.github/actions/prepare
         with:
-          maven-repo-cache-key: "${{ inputs.maven-repo-cache-key-prefix }}-${{ matrix.job.runner }}"
+          maven-repo-cache-key: ${{ inputs.maven-repo-cache-key-prefix }}-${{ matrix.job.runner }}
 
       - name: "Download ToolFetch Binary"
         uses: actions/download-artifact@v8

.github/workflows/call-toolfetch-archive.yml

@@ -2,6 +2,12 @@ name: "Call: Assemble ToolFetch Archive"
 
 on:
   workflow_call:
+    inputs:
+      release-type:
+        description: "Release type"
+        required: false
+        type: string
+        default: "EA"
 
 jobs:
   toolfetch-archive:
@@ -25,7 +31,8 @@ jobs:
       - name: "Prepare"
         uses: ./.github/actions/prepare
         with:
-          maven-repo-cache-key: "toolfetch-archive-${{ matrix.job.runner }}-m2-repo"
+          maven-repo-cache-key: toolfetch-archive-${{ matrix.job.runner }}-m2-repo
+          release-type: ${{ inputs.release-type }}
 
       - name: "Prepare Native Build"
         working-directory: scripts

.github/workflows/call-toolfetch-binary.yml

@@ -8,6 +8,11 @@ on:
         required: false
         type: string
         default: "toolfetch-binary-m2-repo"
+      release-type:
+        description: "Release type"
+        required: false
+        type: string
+        default: "EA"
 
 jobs:
   toolfetch-binary:
@@ -31,9 +36,10 @@ jobs:
       - name: "Prepare"
         uses: ./.github/actions/prepare
         with:
-          maven-repo-cache-key: "${{ inputs.maven-repo-cache-key-prefix }}-${{ matrix.job.runner }}"
-          install-syft: "true"
-          install-upx: "true"
+          maven-repo-cache-key: ${{ inputs.maven-repo-cache-key-prefix }}-${{ matrix.job.runner }}
+          install-syft: true
+          install-upx: true
+          release-type: ${{ inputs.release-type }}
 
       - name: "Prepare Native Build"
         working-directory: scripts

.github/workflows/call-toolfetch-sboms.yml

@@ -2,6 +2,12 @@ name: "Call: Assemble ToolFetch SBOMs"
 
 on:
   workflow_call:
+    inputs:
+      release-type:
+        description: "Release type"
+        required: false
+        type: string
+        default: "EA"
 
 jobs:
   toolfetch-sboms:
@@ -19,7 +25,8 @@ jobs:
       - name: "Prepare"
         uses: ./.github/actions/prepare
         with:
-          maven-repo-cache-key: "toolfetch-sboms-m2-repo"
+          maven-repo-cache-key: toolfetch-sboms-m2-repo
+          release-type: ${{ inputs.release-type }}
 
       - name: "Prepare Native Build"
         working-directory: scripts