From 52e7805ff31fc640b8c43bd6dac1fdd5129d1608 Mon Sep 17 00:00:00 2001
From: Alexis Reuge
Date: Fri, 19 Jun 2026 12:56:45 +0200
Subject: [PATCH 01/12] java-library to GHA
---
.github/workflows/README.md | 19 +++++++++
.github/workflows/maven-release.yaml | 61 ++++++++++++++++++++++++++++
.github/workflows/maven-tests.yaml | 41 +++++++++++++++++++
3 files changed, 121 insertions(+)
create mode 100644 .github/workflows/README.md
create mode 100644 .github/workflows/maven-release.yaml
create mode 100644 .github/workflows/maven-tests.yaml
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
new file mode 100644
index 00000000..7720b628
--- /dev/null
+++ b/.github/workflows/README.md
@@ -0,0 +1,19 @@
+# Workflows
+
+> 🔒 **Security Notice:** As this is a public repository, all automated triggers (on push/pull request) have been disabled to prevent PR hijacking and supply-chain vulnerabilities. Workflows must be triggered manually by organization members.
+
+### Maven Tests
+- Definition
+ - run `mvn clean install -B -ntp -Dua.test.integration=false`
+- Trigger
+ - workflow_dispatch (manual trigger) via the Actions tab. Select your target branch/PR before running.
+
+### Maven Release
+- Definition
+ - run `mvn release:prepare`
+ - run `mvn release:perform`
+ - push the release on gcs ua-ops-artifacts/airship-maven-artifacts
+- Trigger
+ - workflow_dispatch (manual trigger) via the Actions tab. Select your target branch/PR before running.
+
+📖 For full documentation on how these workflows and configuration files work, please refer to the [urbanairship/java-env repository](https://github.com/urbanairship/java-env#github-actions-and-workflows).
\ No newline at end of file
diff --git a/.github/workflows/maven-release.yaml b/.github/workflows/maven-release.yaml
new file mode 100644
index 00000000..7f7854a9
--- /dev/null
+++ b/.github/workflows/maven-release.yaml
@@ -0,0 +1,61 @@
+name: Perform Maven Release (Standalone)
+
+on:
+ push:
+ branches:
+ - "automation-update-workflows-library-edace0f9"
+ #workflow_dispatch:
+
+permissions:
+ contents: write
+
+env:
+ JAVA_VERSION: '11' #(8, 11, 17, 21)
+
+jobs:
+ maven-release:
+ name: Maven Release
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Configure Git User
+ run: |
+ git config user.email "actions@github.com"
+ git config user.name "GitHub Actions"
+
+ - name: Set up JDK & GPG / Sonatype Settings
+ uses: actions/setup-java@v5
+ with:
+ java-version: ${{ env.JAVA_VERSION }}
+ distribution: 'temurin'
+ cache: 'maven'
+ server-id: ossrh
+ server-username: SONATYPE_USERNAME
+ server-password: SONATYPE_PASSWORD
+ gpg-private-key: ${{ secrets.SONATYPE_GPG_PRIVATE_KEY }}
+ gpg-passphrase: SONATYPE_GPG_PASSPHRASE
+
+ - name: Run Maven Release
+ run: |
+ mvn -B -ntp \
+ -Darguments="-Dmaven.javadoc.skip=true -DskipTests=true -DaltReleaseDeploymentRepository=releases::default::gs://airship-maven-artifacts/releases -DaltDeploymentRepository=releases::default::gs://airship-maven-artifacts/releases" \
+ -Dresume=false \
+ -DscmCommentPrefix="[github] [skip ci] " \
+ -DtagNameFormat=@{project.version} \
+ -DpushChanges=false \
+ -DlocalCheckout=true \
+ release:prepare release:perform
+ env:
+ SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+ SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+
+ - name: Push Changes & Tags
+ if: success()
+ run: |
+ git push origin master
+ git push origin --tags
\ No newline at end of file
diff --git a/.github/workflows/maven-tests.yaml b/.github/workflows/maven-tests.yaml
new file mode 100644
index 00000000..81dc4a80
--- /dev/null
+++ b/.github/workflows/maven-tests.yaml
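Review bot: In `.github/workflows/maven-release.yaml` the `on:` block fires on every push to one branch and leaves `workflow_dispatch` commented out, while the README added in this same patch states that automated triggers are disabled; with `contents: write` and the signing and publishing secrets in scope, a push to that branch is enough to start a release. Restore `workflow_dispatch:` as the only entry under `on:` before merge; patch 02 (maven-tests.yaml) and patch 04 (branch changed to `INFRA-8096`) carry the same push trigger. The `Run Maven Release` step's `env:` also omits `SONATYPE_GPG_PASSPHRASE`, the variable that `gpg-passphrase:` names, so signing would run without a passphrase. Consider pinning `actions/checkout@v6` and `actions/setup-java@v5` to full commit SHAs, since this job handles the GPG private key.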
@@ -0,0 +1,41 @@ +name: Maven Tests (Standalone) + +run-name: Maven Tests on branch ${{ github.ref_name }} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: + workflow_dispatch: + +env: + JAVA_VERSION: '11' #( 8, 11, 17, 21) + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Checkout Code + uses: actions/checkout@v6 + + - name: Configure Git User + run: | + git config user.email "actions@github.com" + git config user.name "GitHub Actions" + + - name: Set up JDK + uses: actions/setup-java@v5 + with: + java-version: ${{ env.JAVA_VERSION }} + distribution: 'temurin' + cache: 'maven' + +# - name: Authenticate to Google Cloud +# uses: google-github-actions/auth@v3 +# with: +# credentials_json: ${{ secrets.JAVA_BUILD_PUBLIC_SA_KEY }} + + - name: Build with Maven + run: mvn clean install -B -ntp \ No newline at end of file From 5c618a023f67fcefb3e325aa7f248e9a277c3d52 Mon Sep 17 00:00:00 2001 From: Alexis Reuge Date: Fri, 19 Jun 2026 14:40:25 +0200 Subject: [PATCH 02/12] test maven-tests --- .github/workflows/maven-tests.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/maven-tests.yaml b/.github/workflows/maven-tests.yaml index 81dc4a80..e0440bb1 100644 --- a/.github/workflows/maven-tests.yaml +++ b/.github/workflows/maven-tests.yaml @@ -7,7 +7,10 @@ concurrency: cancel-in-progress: true on: - workflow_dispatch: + push: + branches: + - "INFRA-8096" + #workflow_dispatch: env: JAVA_VERSION: '11' #( 8, 11, 17, 21) From 35bc8d4fb9e951b7bd095c4af98017b1d8e7aecc Mon Sep 17 00:00:00 2001 From: Alexis Reuge Date: Fri, 19 Jun 2026 14:44:12 +0200 Subject: [PATCH 03/12] Dgpg.skip=true --- .github/workflows/maven-tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/maven-tests.yaml b/.github/workflows/maven-tests.yaml index e0440bb1..4ab9fd23 100644 --- a/.github/workflows/maven-tests.yaml +++ b/.github/workflows/maven-tests.yaml 
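Review bot: The new `.github/workflows/maven-tests.yaml` declares no `permissions:` block, so the job's `GITHUB_TOKEN` receives whatever the repository default grants; a build-and-test job needs no more than a top-level `permissions:` with `contents: read`. The `Configure Git User` step looks unnecessary here because nothing visible in this job commits or tags. The README in the same patch documents the command as `mvn clean install -B -ntp -Dua.test.integration=false`, but the `Build with Maven` step omits `-Dua.test.integration=false`, so one of the two should be corrected.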
@@ -41,4 +41,4 @@ jobs: # credentials_json: ${{ secrets.JAVA_BUILD_PUBLIC_SA_KEY }} - name: Build with Maven - run: mvn clean install -B -ntp \ No newline at end of file + run: mvn clean install -B -ntp -Dgpg.skip=true \ No newline at end of file From 55b79d4f7d5063ddce6f48667f201094aefd8208 Mon Sep 17 00:00:00 2001 From: Alexis Reuge Date: Fri, 19 Jun 2026 16:30:10 +0200 Subject: [PATCH 04/12] test dry-run release to validate gpg + sonatype creds --- .github/workflows/maven-release.yaml | 68 ++++++++++++++++++---------- .github/workflows/maven-tests.yaml | 5 +- 2 files changed, 46 insertions(+), 27 deletions(-) diff --git a/.github/workflows/maven-release.yaml b/.github/workflows/maven-release.yaml index 7f7854a9..c1f3e7bb 100644 --- a/.github/workflows/maven-release.yaml +++ b/.github/workflows/maven-release.yaml @@ -1,9 +1,9 @@ -name: Perform Maven Release (Standalone) +name: Perform Maven Release (Standalone) - preflight check on: push: branches: - - "automation-update-workflows-library-edace0f9" + - "INFRA-8096" #workflow_dispatch: permissions: 
@@ -34,28 +34,50 @@ jobs: java-version: ${{ env.JAVA_VERSION }} distribution: 'temurin' cache: 'maven' - server-id: ossrh - server-username: SONATYPE_USERNAME - server-password: SONATYPE_PASSWORD + server-id: central + server-username: ${{ secrets.SONATYPE_USERNAME }} + server-password: ${{ secrets.SONATYPE_PASSWORD }} gpg-private-key: ${{ secrets.SONATYPE_GPG_PRIVATE_KEY }} - gpg-passphrase: SONATYPE_GPG_PASSPHRASE + gpg-passphrase: ${{ secrets.SONATYPE_GPG_PASSPHRASE }} - - name: Run Maven Release + - name: Check 1 Verify Sonatype Credentials (API Ping) run: | - mvn -B -ntp \ - -Darguments="-Dmaven.javadoc.skip=true -DskipTests=true -DaltReleaseDeploymentRepository=releases::default::gs://airship-maven-artifacts/releases -DaltDeploymentRepository=releases::default::gs://airship-maven-artifacts/releases" \ - -Dresume=false \ - -DscmCommentPrefix="[github] [skip ci] " \ - -DtagNameFormat=@{project.version} \ - -DpushChanges=false \ - -DlocalCheckout=true \ - release:prepare release:perform - env: - SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} - SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} - - - name: Push Changes & Tags - if: success() + HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ + -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_PASSWORD }}" \ + https://central.sonatype.com/api/v1/publisher/deployments) + + echo "Sonatype API responded with HTTP Status: $HTTP_STATUS" + + if [ "$HTTP_STATUS" -eq 401 ]; then + echo "ERROR: Sonatype Username or Token Password from LastPass is INVALID (401 Unauthorized)." + exit 1 + else + echo "SUCCESS: Sonatype authentication is working fine!" 
+ fi + + - name: Check 2 Verify GPG Key & Passphrase (Local Signing) run: | - git push origin master - git push origin --tags \ No newline at end of file + mvn clean verify -B -ntp \ + -DskipTests=true \ + -Dmaven.javadoc.skip=true \ + -Dgpg.passphrase=${{ secrets.SONATYPE_GPG_PASSPHRASE }}" + +# - name: Run Maven Release +# run: | +# mvn -B -ntp \ +# -Darguments="-Dmaven.javadoc.skip=true -DskipTests=true -DaltReleaseDeploymentRepository=releases::default::gs://airship-maven-artifacts/releases -DaltDeploymentRepository=releases::default::gs://airship-maven-artifacts/releases" \ +# -Dresume=false \ +# -DscmCommentPrefix="[github] [skip ci] " \ +# -DtagNameFormat=@{project.version} \ +# -DpushChanges=false \ +# -DlocalCheckout=true \ +# release:prepare release:perform +# env: +# SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} +# SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} + +# - name: Push Changes & Tags +# if: success() +# run: | +# git push origin master +# git push origin --tags \ No newline at end of file diff --git a/.github/workflows/maven-tests.yaml b/.github/workflows/maven-tests.yaml index 4ab9fd23..c50d954f 100644 --- a/.github/workflows/maven-tests.yaml +++ b/.github/workflows/maven-tests.yaml @@ -7,10 +7,7 @@ concurrency: cancel-in-progress: true on: - push: - branches: - - "INFRA-8096" - #workflow_dispatch: + workflow_dispatch: env: JAVA_VERSION: '11' #( 8, 11, 17, 21) From 749346a9e538e14f0f423613880f57d4f83f5122 Mon Sep 17 00:00:00 2001 From: Alexis Reuge Date: Fri, 19 Jun 2026 16:31:53 +0200 Subject: [PATCH 05/12] test dry-run release to validate gpg + sonatype creds (2nd round) --- .github/workflows/maven-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/maven-release.yaml b/.github/workflows/maven-release.yaml index c1f3e7bb..0a973dd1 100644 --- a/.github/workflows/maven-release.yaml +++ b/.github/workflows/maven-release.yaml 
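Review bot: In patch 04's second maven-release.yaml hunk, the `server-username`, `server-password` and `gpg-passphrase` inputs of `actions/setup-java` expect the name of an environment variable, so passing `${{ secrets.… }}` makes the action write the secret values into the generated `settings.xml` as variable names and Maven resolves nothing from them; the earlier `server-username: SONATYPE_USERNAME` form was correct and only needs a matching `env:` on the step that runs Maven. The two new `run:` scripts also paste `${{ secrets.* }}` directly into the shell text (the `curl -u` line and `-Dgpg.passphrase=`, whose closing quote has no opening one), so a quote, `$` or backtick in a secret changes the script; map the secrets through `env:` and reference shell variables instead. The check treats only 401 as a failure, so a 403, a 5xx or curl's `000` on a connection error still prints SUCCESS. The error text naming the password manager is better left out of a public build log.

```yaml
        with:
          # … unchanged: java-version, distribution, cache, server-id, gpg-private-key …
          server-username: SONATYPE_USERNAME   # env var name, not the secret value
          server-password: SONATYPE_PASSWORD
          gpg-passphrase: SONATYPE_GPG_PASSPHRASE

      - name: Check 1 Verify Sonatype Credentials (API Ping)
        env:
          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
        run: |
          HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
            -u "$SONATYPE_USERNAME:$SONATYPE_PASSWORD" \
            https://central.sonatype.com/api/v1/publisher/deployments)
          # … unchanged: status echo and the 401 check …
```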
@@ -60,7 +60,7 @@ jobs: mvn clean verify -B -ntp \ -DskipTests=true \ -Dmaven.javadoc.skip=true \ - -Dgpg.passphrase=${{ secrets.SONATYPE_GPG_PASSPHRASE }}" + -Dgpg.passphrase="${{ secrets.SONATYPE_GPG_PASSPHRASE }}" # - name: Run Maven Release # run: | From bcd7b33d302ade04d47e933a2a82ec6d798548cb Mon Sep 17 00:00:00 2001 From: Alexis Reuge Date: Fri, 19 Jun 2026 16:35:49 +0200 Subject: [PATCH 06/12] test dry-run release to validate gpg + sonatype creds (3nd round) --- .github/workflows/maven-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/maven-release.yaml b/.github/workflows/maven-release.yaml index 0a973dd1..dfd3dd8a 100644 --- a/.github/workflows/maven-release.yaml +++ b/.github/workflows/maven-release.yaml @@ -1,4 +1,4 @@ -name: Perform Maven Release (Standalone) - preflight check +name: Perform Maven Release (Standalone) on: push: From 20dbc89721ffcf80a4c50a65a0eff0683feaff37 Mon Sep 17 00:00:00 2001 From: Alexis Reuge Date: Fri, 19 Jun 2026 16:50:07 +0200 Subject: [PATCH 07/12] test dry-run release to validate gpg + sonatype creds (4th round) --- .github/workflows/maven-release.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/maven-release.yaml b/.github/workflows/maven-release.yaml index dfd3dd8a..819e9884 100644 --- a/.github/workflows/maven-release.yaml +++ b/.github/workflows/maven-release.yaml @@ -57,10 +57,16 @@ jobs: - name: Check 2 Verify GPG Key & Passphrase (Local Signing) run: | + echo "=== DIAGNOSTIC : List of secrets keys imported ===" + gpg --list-secret-keys + + echo "=== Maven verification ===" mvn clean verify -B -ntp \ -DskipTests=true \ -Dmaven.javadoc.skip=true \ - -Dgpg.passphrase="${{ secrets.SONATYPE_GPG_PASSPHRASE }}" + -Dgpg.passphrase="$GPG_PASSPHRASE" + env: + GPG_PASSPHRASE: ${{ secrets.SONATYPE_GPG_PASSPHRASE }} # - name: Run Maven Release # run: | From 253827b0cdfc49d61c7b215e23693f953ef5ec55 Mon Sep 17 00:00:00 2001 
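Review bot: `-Dgpg.passphrase="$GPG_PASSPHRASE"` in the `Check 2` step (patch 07) still expands the passphrase onto the `mvn` command line, where it is readable from the process arguments for as long as the build runs. Recent maven-gpg-plugin releases read the passphrase from an environment variable (`MAVEN_GPG_PASSPHRASE` by default from 3.2.0; the plugin version in the pom is not visible here, so confirm), which would let the step set `MAVEN_GPG_PASSPHRASE: ${{ secrets.SONATYPE_GPG_PASSPHRASE }}` under `env:` and drop the `-D` flag. The added `gpg --list-secret-keys` prints key IDs and user IDs into the log of a public repository and reads as debugging output to remove before merge. The `-Dgpg.passphrase` form is kept in patches 08 to 12.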
From: Alexis Reuge Date: Fri, 19 Jun 2026 17:27:04 +0200 Subject: [PATCH 08/12] test dry-run release to validate gpg + sonatype creds (round 5) --- .github/workflows/maven-release.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/maven-release.yaml b/.github/workflows/maven-release.yaml index 819e9884..8ea4435b 100644 --- a/.github/workflows/maven-release.yaml +++ b/.github/workflows/maven-release.yaml @@ -57,16 +57,16 @@ jobs: - name: Check 2 Verify GPG Key & Passphrase (Local Signing) run: | - echo "=== DIAGNOSTIC : List of secrets keys imported ===" - gpg --list-secret-keys + echo "=== DIAGNOSTIC ===" + gpg --list-secret-keys --keyid-format LONG + echo "=======================================================" - echo "=== Maven verification ===" mvn clean verify -B -ntp \ -DskipTests=true \ -Dmaven.javadoc.skip=true \ -Dgpg.passphrase="$GPG_PASSPHRASE" env: - GPG_PASSPHRASE: ${{ secrets.SONATYPE_GPG_PASSPHRASE }} + GPG_PASSPHRASE: ${{ secrets.SONATYPE_GPG_PASSPHRASE }} # - name: Run Maven Release # run: | From 29f0840c2c9ab2f45050e51c9281fe53bcd96077 Mon Sep 17 00:00:00 2001 From: Alexis Reuge Date: Fri, 19 Jun 2026 17:40:02 +0200 Subject: [PATCH 09/12] test dry-run release to validate gpg --- .github/workflows/maven-release.yaml | 25 +++++++------------------ 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/.github/workflows/maven-release.yaml b/.github/workflows/maven-release.yaml index 8ea4435b..ea2eb75c 100644 --- a/.github/workflows/maven-release.yaml +++ b/.github/workflows/maven-release.yaml 
@@ -40,32 +40,21 @@ jobs: gpg-private-key: ${{ secrets.SONATYPE_GPG_PRIVATE_KEY }} gpg-passphrase: ${{ secrets.SONATYPE_GPG_PASSPHRASE }} - - name: Check 1 Verify Sonatype Credentials (API Ping) + - name: Verify GPG Key & Passphrase (Explicit Shell Import) run: | - HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ - -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_PASSWORD }}" \ - https://central.sonatype.com/api/v1/publisher/deployments) - - echo "Sonatype API responded with HTTP Status: $HTTP_STATUS" - - if [ "$HTTP_STATUS" -eq 401 ]; then - echo "ERROR: Sonatype Username or Token Password from LastPass is INVALID (401 Unauthorized)." - exit 1 - else - echo "SUCCESS: Sonatype authentication is working fine!" - fi - - - name: Check 2 Verify GPG Key & Passphrase (Local Signing) - run: | - echo "=== DIAGNOSTIC ===" + echo "$RAW_GPG_KEY" > private.key + + gpg --batch --import private.key + rm private.key + gpg --list-secret-keys --keyid-format LONG - echo "=======================================================" mvn clean verify -B -ntp \ -DskipTests=true \ -Dmaven.javadoc.skip=true \ -Dgpg.passphrase="$GPG_PASSPHRASE" env: + RAW_GPG_KEY: ${{ secrets.SONATYPE_GPG_PRIVATE_KEY }} GPG_PASSPHRASE: ${{ secrets.SONATYPE_GPG_PASSPHRASE }} # - name: Run Maven Release From aeeba520d5988aa02276e7b9270e5957c2823235 Mon Sep 17 00:00:00 2001 From: Alexis Reuge Date: Fri, 19 Jun 2026 17:42:47 +0200 Subject: [PATCH 10/12] test dry-run release to validate gpg (with keyname) --- .github/workflows/maven-release.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/maven-release.yaml b/.github/workflows/maven-release.yaml index ea2eb75c..52df48ea 100644 --- a/.github/workflows/maven-release.yaml +++ b/.github/workflows/maven-release.yaml 
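Review bot: `echo "$RAW_GPG_KEY" > private.key` in patch 09 writes the armored private key into the checked-out workspace with default file permissions, and because GitHub's default `bash -e` stops at the first failing command, a failed `gpg --batch --import private.key` skips the `rm` and leaves the file behind. Import from stdin so the key never exists as a loose file: `printf '%s\n' "$RAW_GPG_KEY" | gpg --batch --import`. `actions/setup-java` is still given `gpg-private-key` in this patch, so the same key appears to be imported twice. Patches 10 to 12 keep the temporary-file import.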
@@ -43,16 +43,19 @@ jobs: - name: Verify GPG Key & Passphrase (Explicit Shell Import) run: | echo "$RAW_GPG_KEY" > private.key - gpg --batch --import private.key rm private.key - gpg --list-secret-keys --keyid-format LONG + mkdir -p ~/.gnupg + echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf + echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf + gpgconf --kill gpg-agent mvn clean verify -B -ntp \ -DskipTests=true \ -Dmaven.javadoc.skip=true \ - -Dgpg.passphrase="$GPG_PASSPHRASE" + -Dgpg.passphrase="$GPG_PASSPHRASE" \ + -Dgpg.keyname="95BCB1665C76C3A6" env: RAW_GPG_KEY: ${{ secrets.SONATYPE_GPG_PRIVATE_KEY }} GPG_PASSPHRASE: ${{ secrets.SONATYPE_GPG_PASSPHRASE }} From bd3a1f827fa8023bab7fdbd1f6c554665365c600 Mon Sep 17 00:00:00 2001 From: Alexis Reuge Date: Fri, 19 Jun 2026 17:46:31 +0200 Subject: [PATCH 11/12] test dry-run release to validate gpg --- .github/workflows/maven-release.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/maven-release.yaml b/.github/workflows/maven-release.yaml index 52df48ea..8d5aef4c 100644 --- a/.github/workflows/maven-release.yaml +++ b/.github/workflows/maven-release.yaml 
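Review bot: `-Dgpg.keyname="95BCB1665C76C3A6"` hard-codes the signing key ID in the workflow, so rotating `SONATYPE_GPG_PRIVATE_KEY` breaks signing until this file is edited as well. Supply it through the step's `env:` from a repository variable, for example `GPG_KEY_ID: ${{ vars.GPG_KEY_ID }}` (variable name constructed for illustration) with `-Dgpg.keyname="$GPG_KEY_ID"`. The two `echo … >>` lines change `gpg.conf` and `gpg-agent.conf` for the whole runner home only after the key has been imported; a short comment saying why loopback pinentry is needed would help the next reader.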
@@ -37,20 +37,21 @@ jobs: server-id: central server-username: ${{ secrets.SONATYPE_USERNAME }} server-password: ${{ secrets.SONATYPE_PASSWORD }} - gpg-private-key: ${{ secrets.SONATYPE_GPG_PRIVATE_KEY }} - gpg-passphrase: ${{ secrets.SONATYPE_GPG_PASSPHRASE }} - - name: Verify GPG Key & Passphrase (Explicit Shell Import) + - name: Verify GPG Key & Passphrase (Clean Global Import) run: | - echo "$RAW_GPG_KEY" > private.key - gpg --batch --import private.key - rm private.key - + unset GNUPGHOME mkdir -p ~/.gnupg + chmod 700 ~/.gnupg + echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf gpgconf --kill gpg-agent + echo "$RAW_GPG_KEY" > private.key + gpg --batch --import private.key + rm private.key + mvn clean verify -B -ntp \ -DskipTests=true \ -Dmaven.javadoc.skip=true \ From 613dc4470f49798f34756ff038afc415df7746bd Mon Sep 17 00:00:00 2001 From: Alexis Reuge Date: Fri, 19 Jun 2026 17:52:46 +0200 Subject: [PATCH 12/12] test dry-run release to validate gpg --- .github/workflows/maven-release.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/maven-release.yaml b/.github/workflows/maven-release.yaml index 8d5aef4c..27751c8a 100644 --- a/.github/workflows/maven-release.yaml +++ b/.github/workflows/maven-release.yaml 
@@ -38,25 +38,25 @@ jobs: server-username: ${{ secrets.SONATYPE_USERNAME }} server-password: ${{ secrets.SONATYPE_PASSWORD }} - - name: Verify GPG Key & Passphrase (Clean Global Import) + - name: Verify GPG Key & Passphrase (Legacy Compatibility Bridge) run: | unset GNUPGHOME mkdir -p ~/.gnupg chmod 700 ~/.gnupg - echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf - echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf - gpgconf --kill gpg-agent - echo "$RAW_GPG_KEY" > private.key gpg --batch --import private.key rm private.key + gpg --batch --export-secret-keys > /home/runner/.gnupg/secring.gpg + mvn clean verify -B -ntp \ -DskipTests=true \ -Dmaven.javadoc.skip=true \ -Dgpg.passphrase="$GPG_PASSPHRASE" \ - -Dgpg.keyname="95BCB1665C76C3A6" + -Dgpg.keyname="95BCB1665C76C3A6" \ + -Dgpg.secretKeyring="/home/runner/.gnupg/secring.gpg" \ + -Dgpg.arguments="--pinentry-mode=loopback" env: RAW_GPG_KEY: ${{ secrets.SONATYPE_GPG_PRIVATE_KEY }} GPG_PASSPHRASE: ${{ secrets.SONATYPE_GPG_PASSPHRASE }}
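Review bot: `gpg --batch --export-secret-keys > /home/runner/.gnupg/secring.gpg` in patch 12 writes a second copy of the secret key material to disk to feed `-Dgpg.secretKeyring`, but GnuPG 2.1 and later keep secret keys in `private-keys-v1.d` and no longer read `secring.gpg`, so the export most likely adds exposure without affecting signing. Check the runner's `gpg --version` and, if it is 2.1 or newer, drop both the export line and `-Dgpg.secretKeyring=…`. The path hard-codes `/home/runner` while the rest of the step uses `~/.gnupg`; use one form.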