-
Notifications
You must be signed in to change notification settings - Fork 1.3k
/
snapshot-pipeline.yml
92 lines (80 loc) · 3.55 KB
/
snapshot-pipeline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
# This is manually run to deploy SNAPSHOT versions of HAPI to oss.sonaypte.org
# We don't need to trigger on any pull request or branch change, so we disable such behavior
pr: none
trigger: none
# We'll run the process on the latest version of unbuntu because they tend to be the fastest
pool:
vmImage: 'ubuntu-latest'
# We cannot store things like gpg passwords and sonatype credentials as plain text within the
# pipeline's yaml file, so we've created variable groups in our library to store sensitive variables.
# Pipelines do not load these groups by default, and we need to define which groups to load before
# running any steps.
variables:
- group: GPG_VARIABLE_GROUP
- group: SONATYPE_VARIABLE_GROUP
container: maven:3.8-openjdk-17
steps:
# We need a valid signing key to sign our builds for deployment to sonatype. We have uploaded
# both our private and public keys to Azure as 'secure files' that we load into individual pipelines.
# 1. Load the public key file
- task: DownloadSecureFile@1
displayName: 'Load public key from secure files.'
inputs:
secureFile: public.key
# 2. Load the private key file
- task: DownloadSecureFile@1
displayName: 'Load private key from secure files.'
inputs:
secureFile: private.key
# Although we have imported the key files into our workspace, GPG has no knowledge that these keys exist.
# We use a bash script to import both the private and puablic keys into gpg for future signing.
# 3. Import keys into gpg
- bash: |
gpg --import --no-tty --batch --yes $(Agent.TempDirectory)/public.key
gpg --import --no-tty --batch --yes $(Agent.TempDirectory)/private.key
gpg --list-keys --keyid-format LONG
gpg --list-secret-keys --keyid-format LONG
displayName: 'Import signing keys into gpg.'
# For creating a snapshot release with maven, we need to build a fake settings.xml file locally where
# we can set our credentials for both sonatype and gpg. Then maven can read
# for it to read from. This is done for the master branch merges only.
# 4. Create local settings.xml file
- bash: |
cat >$(System.DefaultWorkingDirectory)/settings.xml <<EOL
<settings xmlns="https://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="https://maven.apache.org/SETTINGS/1.0.0
https://maven.apache.org/xsd/settings-1.0.0.xsd">
<servers>
<server>
<id>ossrh</id>
<username>$(SONATYPE_USERNAME)</username>
<password>$(SONATYPE_PASSWORD)</password>
</server>
</servers>
<profiles>
<profile>
<id>SIGN_ARTIFACTS</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<gpg.passphrase>$(GPG_PASSPHRASE)</gpg.passphrase>
</properties>
</profile>
</profiles>
</settings>
EOL
displayName: 'Create .mvn/settings.xml'
# With our settings.xml created locally, we can now run maven (pointing to our created settings.xml file) to deploy
# the HAPI SNAPSHOT build.
# 5. Deploy SNAPSHOT build to sonatype
- task: Maven@3
env:
JAVA_HOME_11_X64: /usr/java/openjdk-17
displayName: 'Deploy to Sonatype staging'
inputs:
mavenPomFile: '$(System.DefaultWorkingDirectory)/pom.xml'
goals: deploy
options: '--settings $(System.DefaultWorkingDirectory)/settings.xml -P DIST -DskipTests'
publishJUnitResults: false