This is an automated email from the ASF dual-hosted git repository. vy pushed a commit to branch ci in repository https://gitbox.apache.org/repos/asf/logging-parent.git
commit 40adc03d77b0dbd2c7ddc0cfd8dc15e86b9fa835 Author: Volkan Yazıcı <[email protected]> AuthorDate: Tue Apr 14 15:48:02 2026 +0200 Document that GHA workflows are moved to `gha/v0` --- .asf.yaml | 19 +- .github/dependabot.yaml | 24 +- .github/workflows/build-reusable.yaml | 214 -------------- .github/workflows/build.yaml | 11 +- .github/workflows/codeql-analysis-reusable.yaml | 74 ----- .github/workflows/codeql-analysis.yaml | 26 +- .github/workflows/deploy-release-reusable.yaml | 314 --------------------- .github/workflows/deploy-site-reusable.yaml | 189 ------------- .github/workflows/deploy-site.yaml | 6 +- .github/workflows/deploy-snapshot-reusable.yaml | 85 ------ .github/workflows/merge-dependabot-reusable.yaml | 135 --------- .github/workflows/merge-dependabot.yaml | 42 --- .../workflows/scorecards-analysis-reusable.yaml | 65 ----- .../workflows/verify-reproducibility-reusable.yaml | 115 -------- package-lock.json | 14 - src/changelog/.12.x.x/gha-branch.xml | 9 + src/site/antora/antora.tmpl.yml | 1 + src/site/antora/antora.yml | 1 + src/site/antora/modules/ROOT/examples/build.yaml | 10 +- .../antora/modules/ROOT/examples/deploy-site.yaml | 6 +- src/site/antora/modules/ROOT/nav.adoc | 1 + src/site/antora/modules/ROOT/pages/features.adoc | 2 +- src/site/antora/modules/ROOT/pages/workflows.adoc | 16 +- 23 files changed, 76 insertions(+), 1303 deletions(-) diff --git a/.asf.yaml b/.asf.yaml index 2b8d26a..450e07d 100644 --- a/.asf.yaml +++ b/.asf.yaml @@ -16,7 +16,7 @@ # # `.asf.yaml` is a branch-specific YAML configuration file for Git repositories to control features such as notifications, GitHub settings, etc. -# See its documentation for details: https://cwiki.apache.org/confluence/display/INFRA/Git+-+.asf.yaml+features +# See its documentation for details: https://github.com/apache/infrastructure-asfyaml # Bare minimum `notifications` to # @@ -63,6 +63,7 @@ github: # Prevent force pushes to primary branches protected_branches: + main: # All reviews must be addressed before merging required_conversation_resolution: true @@ -78,3 +79,19 @@ github: # At least one positive review must be present required_pull_request_reviews: required_approving_review_count: 1 + + gha/v0: + # All reviews must be addressed before merging + required_conversation_resolution: true + # Require checks to pass before merging + required_status_checks: + checks: + # The GitHub Actions app: 15368 + - app_id: 15368 + context: "build / build (ubuntu-latest)" + # The GitHub Advanced Security app: 57789 + - app_id: 57789 + context: "CodeQL" + # At least one positive review must be present + required_pull_request_reviews: + required_approving_review_count: 1 diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 2b0d61e..d180b2c 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -17,15 +17,10 @@ version: 2 -# Add Maven Central explicitly to work around: -# https://github.com/dependabot/dependabot-core/issues/8329 -registries: - maven-central: - type: maven-repository - url: https://repo.maven.apache.org/maven2 - updates: + # region `main` updates + - package-ecosystem: maven directory: "/" schedule: @@ -54,3 +49,18 @@ updates: dependencies: patterns: [ "*" ] target-branch: "main" + + # endregion + + # region `gha/v0` updates + + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: monthly + groups: + dependencies: + patterns: [ "*" ] + target-branch: "gha/v0" + + # endregion diff --git a/.github/workflows/build-reusable.yaml b/.github/workflows/build-reusable.yaml deleted file mode 100644 index 1c96d0a..0000000 --- a/.github/workflows/build-reusable.yaml +++ /dev/null @@ -1,214 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -name: build-reusable - -on: - workflow_call: - inputs: - develocity-enabled: - description: Enable Develocity Build Scan publication - default: false - type: boolean - java-version: - description: The Java compiler version - default: 17 - type: string - maven-args: - description: Additional Maven arguments - type: string - ref: - description: The branch, tag or SHA to checkout - # When running on `pull_request_target` use the PR branch, not the target branch - default: ${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }} - type: string - repository: - description: GitHub repository name with owner - default: ${{ github.repository }} - type: string - reproducibility-check-enabled: - description: Runs a reproducibility check on the build - default: true - type: boolean - site-enabled: - description: Flag indicating if Maven `site` goal should be run - default: false - type: boolean - test-report-enabled: - description: Enables the upload of test reports - default: true - type: boolean - test-report-suffix: - description: Suffix to add to the uploaded artifacts - default: '' - type: string - - secrets: - DV_ACCESS_TOKEN: - description: Access token to Gradle Enterprise - required: false - -env: - MAVEN_ARGS: ${{ inputs.maven-args }} - -# Explicitly drop all permissions inherited from the caller for security. -# Reference: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions -permissions: { } - -jobs: - - build: - - runs-on: ${{ matrix.os }} - - strategy: - fail-fast: false - matrix: - os: [ macos-latest, ubuntu-latest, windows-latest ] - - steps: - - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - with: - repository: ${{ inputs.repository }} - ref: ${{ inputs.ref }} - - - name: Set up Java - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # 5.0.0 - with: - distribution: zulu - java-version: ${{ inputs.java-version }} - cache: maven - - - name: Set up Develocity - if: inputs.develocity-enabled - shell: bash - run: | - if [ -f .mvn/develocity.xml ]; then - DEVELOCITY_VERSION=$(./mvnw help:evaluate -q -DforceStdout -Dexpression=develocity-maven-plugin.version) - USER_DATA_VERSION=$(./mvnw help:evaluate -q -DforceStdout -Dexpression=develocity-user-data-extension.version) - cat >.mvn/extensions.xml <<EOF - <extensions> - <extension> - <groupId>com.gradle</groupId> - <artifactId>develocity-maven-extension</artifactId> - <version>$DEVELOCITY_VERSION</version> - </extension> - <extension> - <groupId>com.gradle</groupId> - <artifactId>common-custom-user-data-maven-extension</artifactId> - <version>$USER_DATA_VERSION</version> - </extension> - </extensions> - EOF - # Print file for debugging purposes - cat .mvn/extensions.xml - fi - - - name: Setup Develocity Build Scan capture - if: inputs.develocity-enabled - uses: gradle/develocity-actions/setup-maven@4a2aed82eea165ba2d5c494fc2a8730d7fdff229 # 1.4 - with: - develocity-access-key: ${{ secrets.DV_ACCESS_TOKEN }} - - # We use `install` instead of `verify`, otherwise the build website step below fails - - name: Build - id: build - shell: bash - run: | - ./mvnw \ - --show-version --batch-mode --errors --no-transfer-progress \ - -DtrimStackTrace=false \ - -DinstallAtEnd=true \ - clean install - - # We upload tests results. - - name: Upload test reports - if: ${{ always() && inputs.test-report-enabled }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2 - with: - name: "test-report-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}}${{inputs.test-report-suffix}}" - path: | - **/target/surefire-reports - **/target/logs - - - name: Clean up Develocity - if: inputs.develocity-enabled - shell: bash - run: | - rm -f .mvn/extensions.xml - # Clean up changes introduced by gradle/develocity-actions/maven-setup - echo "MAVEN_OPTS=" >> "$GITHUB_ENV" - - # Node.js cache is needed for Antora - - name: Set up Node.js cache - if: inputs.site-enabled - id: nodejs-cache - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # 4.2.4 - with: - # We should be calculating the cache key using `package-lock.json` instead! - # See https://stackoverflow.com/a/48524475/1278899 - # For that, `package-lock.json` needs to be committed into the repository – right now it is `.gitignore`d. - # Once it is there, we should ideally switch from `npm i` to `npm ci`. - # For that, we need to configure `dependabot` to update hundreds of dependencies listed in `package-lock.json`. - # That translates to a never ending rain of `dependabot` PRs. - # I doubt if the wasted CPU cycles worth the gain. - key: "${{ runner.os }}-nodejs-cache-${{ hashFiles('node', 'node_modules') }}" - # `actions/cache` doesn't recommend caching `node_modules`. - # Though none of its recipes fit our bill, since we install Node.js using `frontend-maven-plugin`. - # See https://github.com/actions/cache/blob/main/examples.md#node---npm - # We settle for this quick-n-dirty solution for the time being. - path: | - node - node_modules - - - name: Build the website - if: inputs.site-enabled - shell: bash - env: - # Making Node.js cache hit visible for debugging purposes - NODEJS_CACHE_HIT: ${{ steps.nodejs-cache.outputs.cache-hit }} - run: | - ./mvnw \ - --show-version --batch-mode --errors --no-transfer-progress \ - site - - # `clean verify artifact:compare` is required to generate the build reproducibility report. - # For details, see: https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility - - name: Verify build reproducibility - if: inputs.reproducibility-check-enabled - id: reproducibility - shell: bash - run: | - ./mvnw \ - --show-version --batch-mode --errors --no-transfer-progress \ - -DskipTests=true \ - clean verify artifact:compare - - # Upload reproducibility results if the build fails. - - name: Upload reproducibility results - if: inputs.reproducibility-check-enabled && failure() && steps.reproducibility.conclusion == 'failure' - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2 - with: - name: reproducibility-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}} - path: | - **/target/bom.xml - **/target/*.buildcompare - **/target/*.jar - **/target/*.zip - **/target/reference/** diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 7a145cb..6b9e789 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -23,14 +23,9 @@ on: - "main" - "release/*" paths-ignore: - - "**.adoc" - "**.md" - "**.txt" pull_request: - paths-ignore: - - "**.adoc" - - "**.md" - - "**.txt" # If the branch is `main`, run once per commit. # If the branch is `release/*`, allow only one concurrent run. @@ -46,14 +41,14 @@ jobs: build: if: github.actor != 'dependabot[bot]' - uses: ./.github/workflows/build-reusable.yaml + uses: apache/logging-parent/.github/workflows/build-reusable.yaml@gha/v0 with: site-enabled: true deploy-snapshot: needs: build if: github.repository == 'apache/logging-parent' && github.ref_name == 'main' - uses: ./.github/workflows/deploy-snapshot-reusable.yaml + uses: apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@gha/v0 # Secrets for deployments secrets: NEXUS_USERNAME: ${{ secrets.NEXUS_USER }} @@ -62,7 +57,7 @@ jobs: deploy-release: needs: build if: github.repository == 'apache/logging-parent' && startsWith(github.ref_name, 'release/') - uses: ./.github/workflows/deploy-release-reusable.yaml + uses: apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@gha/v0 # Secrets for deployments secrets: GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }} diff --git a/.github/workflows/codeql-analysis-reusable.yaml b/.github/workflows/codeql-analysis-reusable.yaml deleted file mode 100644 index 217d5e8..0000000 --- a/.github/workflows/codeql-analysis-reusable.yaml +++ /dev/null @@ -1,74 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -name: codeql-analysis - -on: - workflow_call: - inputs: - java-version: - description: The Java compiler version - default: 17 - type: string - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'kotlin', 'python', 'ruby' ] - # Learn more about CodeQL language support at https://git.io/codeql-language-support - language: - description: Language used in the repository - default: java - type: string - -# Explicitly drop all permissions inherited from the caller for security. -# Reference: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions -permissions: { } - -jobs: - - analyze: - name: Analyze - runs-on: ubuntu-latest - # Permissions required to publish Security Alerts - permissions: - security-events: write - - steps: - - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - - - name: Initialize CodeQL - uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # 3.29.0 - with: - # Also check GitHub Actions - languages: ${{ inputs.language }}, actions - - - name: Setup JDK - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # 5.0.0 - with: - distribution: zulu - java-version: ${{ inputs.java-version }} - cache: maven - - - name: Build with Maven - shell: bash - run: | - ./mvnw \ - --show-version --batch-mode --errors --no-transfer-progress \ - -DskipTests \ - clean verify - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # 3.29.0 diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index fa2ea73..7dc9bdb 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -21,9 +21,13 @@ name: codeql-analysis on: push: - branches: [ "main" ] + branches: + - "gha/v0" + - "main" pull_request: - branches: [ "main" ] + branches: + - "gha/v0" + - "main" schedule: - cron: '32 12 * * 5' @@ -34,21 +38,9 @@ permissions: { } jobs: analyze: - name: Analyze - runs-on: ubuntu-latest + uses: apache/logging-parent/.github/workflows/codeql-analysis-reusable.yaml@gha/v0 # Permissions required to publish Security Alerts permissions: + actions: read + contents: read security-events: write - - steps: - - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - - - name: Initialize CodeQL - uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # 3.29.0 - with: - languages: actions - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # 3.29.0 diff --git a/.github/workflows/deploy-release-reusable.yaml b/.github/workflows/deploy-release-reusable.yaml deleted file mode 100644 index 03b447f..0000000 --- a/.github/workflows/deploy-release-reusable.yaml +++ /dev/null @@ -1,314 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -name: deploy-release-reusable - -on: - workflow_call: - inputs: - java-version: - description: The Java compiler version - default: 17 - type: string - project-id: - description: Identifier used in the distribution artifact and Subversion repository folder filenames (e.g., `logging-parent`) - required: true - type: string - outputs: - project-version: - description: The version of the project - value: ${{ jobs.deploy.outputs.project-version }} - nexus-url: - description: The URL of the Nexus repository used - value: ${{ jobs.deploy.outputs.nexus-url }} - secrets: - GPG_SECRET_KEY: - description: GPG secret key for signing artifacts - required: true - NEXUS_USERNAME: - description: Nexus staging repository username for deploying artifacts - required: true - NEXUS_PASSWORD: - description: Nexus staging repository password for deploying artifacts - required: true - SVN_USERNAME: - description: Subversion username for uploading the release distribution - required: true - SVN_PASSWORD: - description: Subversion password for uploading the release distribution - required: true - -# Explicitly drop all permissions inherited from the caller for security. -# Reference: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions -permissions: { } - -jobs: - deploy: - runs-on: ubuntu-latest - outputs: - project-version: ${{ steps.version.outputs.project-version }} - nexus-url: ${{ steps.nexus.outputs.nexus-url }} - permissions: - # Write permissions to allow the Maven `revision` property update, changelog release, etc. - contents: write - - steps: - - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - - - name: Set up Java & GPG - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # 3.7.0 - with: - distribution: zulu - java-version: ${{ inputs.java-version }} - cache: maven - server-id: apache.releases.https - server-username: NEXUS_USERNAME - server-password: NEXUS_PASSWORD - gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} - - - name: Set up Git user - shell: bash - run: | - # Set up user name and email required for `git commit` - git config user.name "ASF Logging Services RM" - git config user.email [email protected] - - - name: Export version - id: version - shell: bash - env: - GIT_BRANCH_NAME: ${{ github.ref_name }} - run: | - [[ "$GIT_BRANCH_NAME" =~ ^release/.+$ ]] || { - echo "was expecting a \`release/\`-prefixed Git branch name, found: \`$GIT_BRANCH_NAME\`" - exit 1 - } - export PROJECT_VERSION=$(echo "$GIT_BRANCH_NAME" | sed 's/^release\///') - echo "PROJECT_VERSION=$PROJECT_VERSION" >> $GITHUB_ENV - # Export version to calling workflow - echo "project-version=$PROJECT_VERSION" >> $GITHUB_OUTPUT - - - name: Set the Maven `revision` property - shell: bash - run: | - export REVISION=$(./mvnw \ - --non-recursive --quiet --batch-mode \ - -DforceStdout=true \ - -Dexpression=revision \ - help:evaluate \ - | tail -n 1) - if [ "$REVISION" != "$PROJECT_VERSION" ]; then - echo "Maven \`revision\` property \`$REVISION\` doesn't match with the project version \`$PROJECT_VERSION\`, updating \`pom.xml\`..." - ./mvnw \ - --non-recursive --batch-mode --errors --no-transfer-progress \ - -Dproperty=revision \ - -DnewVersion="$PROJECT_VERSION" \ - -DgenerateBackupPoms=false \ - versions:set-property - git commit -S pom.xml -m "Set version to \`$PROJECT_VERSION\`" - git push -f origin - fi - - - name: Set the Maven `project.build.outputTimestamp` property - shell: bash - run: | - export PROPERTY="project.build.outputTimestamp" - grep -qE '^[\t ]+<'$PROPERTY'>' pom.xml || { - echo "Failed to find the \`$PROPERTY\` Maven property!" - exit 1 - } - export TIMESTAMP=$(TZ=UTC0 git show --quiet --date="format-local:%Y-%m-%dT%H:%M:%SZ" --format="%cd") - sed -r 's|^([\t ]+<'$PROPERTY'>).+(</'$PROPERTY'>)$|\1'$TIMESTAMP'\2|g' -i pom.xml - if [ -n "$(git status --porcelain)" ]; then - git commit -S pom.xml -m "Update the \`$PROPERTY\` property" - git push -f origin - fi - - - name: Release changelog - shell: bash - run: | - ./mvnw \ - --non-recursive --batch-mode --errors --no-transfer-progress \ - -P changelog-release - git add src - if [ -n "$(git status --porcelain)" ]; then - git commit -S src -m "Release changelog for version \`$PROJECT_VERSION\`" - git push -f origin - fi - - - name: Upload to Nexus - id: nexus - shell: bash - env: - # `NEXUS_USERNAME` and `NEXUS_PASSWORD` are used in `~/.m2/settings.xml` created by `setup-java` action - NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }} - NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} - # `SIGN_KEY` is used by `sign-maven-plugin` - SIGN_KEY: ${{ secrets.GPG_SECRET_KEY }} - run: | - ./mvnw \ - --show-version --batch-mode --errors --no-transfer-progress \ - -P deploy,release - export NEXUS_URL=$(awk '/^(stagingRepository.url)/ { gsub(/(^.+=|\\)/, ""); print $1 }' target/nexus-staging/staging/*.properties) - echo "NEXUS_URL=$NEXUS_URL" >> $GITHUB_ENV - # Export repository URL to calling workflow - echo "nexus-url=$NEXUS_URL" >> $GITHUB_OUTPUT - - # Node.js cache is needed for Antora - - name: Set up Node.js cache - id: nodejs-cache - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # 4.2.4 - with: - # We should be calculating the cache key using `package-lock.json` instead! - # See https://stackoverflow.com/a/48524475/1278899 - # For that, `package-lock.json` needs to be committed into the repository – right now it is `.gitignore`d. - # Once it is there, we should ideally switch from `npm i` to `npm ci`. - # For that, we need to configure `dependabot` to update hundreds of dependencies listed in `package-lock.json`. - # That translates to a never ending rain of `dependabot` PRs. - # I doubt if the wasted CPU cycles worth the gain. - key: "${{ runner.os }}-nodejs-cache-${{ hashFiles('node', 'node_modules') }}" - # `actions/cache` doesn't recommend caching `node_modules`. - # Though none of its recipes fit our bill, since we install Node.js using `frontend-maven-plugin`. - # See https://github.com/actions/cache/blob/main/examples.md#node---npm - # We settle for this quick-n-dirty solution for the time being. - path: | - node - node_modules - - # Website build is needed to generate the release notes - - name: Build the website - shell: bash - env: - # Making Node.js cache hit visible for debugging purposes - NODEJS_CACHE_HIT: ${{ steps.nodejs-cache.outputs.cache-hit }} - run: | - export TIMESTAMP=$(./mvnw \ - --non-recursive --quiet --batch-mode \ - -DforceStdout=true \ - -Dexpression=project.build.outputTimestamp \ - help:evaluate \ - | tail -n 1) - ./mvnw \ - --show-version --batch-mode --errors --no-transfer-progress \ - site - - - name: Collect distribution attachments information - shell: bash - run: | - # Folder where the Nexus Staging Maven plugin places the staged artifacts - export ALT_DEPLOYMENT_REPO_FILEPATH="target/nexus-staging/staging" - - # This regex needs to work for both Java (`distribution` profile) and `find` (while counting attachments)! - # Hence, we don't escape dots, etc. with backslashes, which is problematic to get working in both worlds. - export DIST_ATTACHMENT_FILEPATH_PATTERN="^$ALT_DEPLOYMENT_REPO_FILEPATH/.+-$PROJECT_VERSION"'((-tests)?.jar|-cyclonedx.xml)$' - export DIST_ATTACHMENT_COUNT=$(find "$ALT_DEPLOYMENT_REPO_FILEPATH" -type f -regextype posix-extended -regex "$DIST_ATTACHMENT_FILEPATH_PATTERN" | wc -l) - - # Pass the necessary environment variables - cat >> $GITHUB_ENV << EOF - DIST_ATTACHMENT_FILEPATH_PATTERN=$DIST_ATTACHMENT_FILEPATH_PATTERN - DIST_ATTACHMENT_COUNT=$DIST_ATTACHMENT_COUNT - EOF - - - name: Create the distribution - shell: bash - env: - PROJECT_ID: ${{ inputs.project-id }} - run: | - - # Generate the distribution (i.e., `src.zip` and optional `bin.zip`) - ./mvnw \ - --show-version --batch-mode --errors --no-transfer-progress \ - --non-recursive \ - -P distribution \ - -DattachmentFilepathPattern="$DIST_ATTACHMENT_FILEPATH_PATTERN" \ - -DattachmentCount="$DIST_ATTACHMENT_COUNT" - - # Rename distribution files - export DIST_FILENAME_PREFIX="apache-${PROJECT_ID}" - export DIST_FILENAME_VERSIONED_PREFIX="${DIST_FILENAME_PREFIX}-${PROJECT_VERSION}" - export DIST_FILEPATH_PREFIX="/tmp/${DIST_FILENAME_VERSIONED_PREFIX}" - export DIST_FILEPATH_SRC="${DIST_FILEPATH_PREFIX}-src.zip" - export DIST_FILEPATH_BIN="${DIST_FILEPATH_PREFIX}-bin.zip" - mv "target/src.zip" "$DIST_FILEPATH_SRC" - test -f "target/bin.zip" && mv "$_" "$DIST_FILEPATH_BIN" - - # Create signature and checksum files - for DIST_FILEPATH in "$DIST_FILEPATH_SRC" "$DIST_FILEPATH_BIN"; do - if [ -f "$DIST_FILEPATH" ]; then - gpg --armor --detach-sign --yes --pinentry-mode error "$DIST_FILEPATH" - sha512sum "$DIST_FILEPATH" \ - | ( read CHECKSUM FILEPATH; echo $CHECKSUM" "$(basename "$FILEPATH") ) \ - > "$DIST_FILEPATH.sha512" - fi - done - - # Pass the necessary environment variables - cat >> $GITHUB_ENV << EOF - DIST_FILENAME_PREFIX=$DIST_FILENAME_PREFIX - DIST_FILENAME_VERSIONED_PREFIX=$DIST_FILENAME_VERSIONED_PREFIX - DIST_FILEPATH_PREFIX=$DIST_FILEPATH_PREFIX - EOF - - - name: Upload to Subversion - shell: bash - env: - PROJECT_ID: ${{ inputs.project-id }} - SVN_USERNAME: ${{ secrets.SVN_USERNAME }} - SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }} - run: | - - # Install Subversion - sudo apt install --assume-yes --no-install-recommends subversion - - # Find the effective Git commit ID - export COMMIT_ID=$(git rev-parse HEAD) - - # Checkout the SVN repository - export SVN_DIR="/tmp/svn-repo" - svn co \ - "https://dist.apache.org/repos/dist/dev/logging/$PROJECT_ID"; \ - "$SVN_DIR" - cd "$SVN_DIR" - - # Switch to the distribution folder - [ -d "$PROJECT_VERSION" ] || { - mkdir "$PROJECT_VERSION" - svn add "$PROJECT_VERSION" - } - cd "$PROJECT_VERSION" - - # Clean up old files - find . -name "${DIST_FILENAME_PREFIX}*" -type f -print0 | xargs -0 -r svn delete - - # Generate emails - for EMAIL_TYPE in vote announce; do - "$GITHUB_WORKSPACE/.github/generate-email.sh" \ - "$EMAIL_TYPE" "$PROJECT_VERSION" "$COMMIT_ID" "$NEXUS_URL" \ - > "${DIST_FILENAME_VERSIONED_PREFIX}-email-${EMAIL_TYPE}.txt" - done - - # Copy the distribution - cp "$DIST_FILEPATH_PREFIX"* . - - # Add & commit changes - svn add "$DIST_FILENAME_PREFIX"* - svn commit \ - --username "$SVN_USERNAME" \ - --password "$SVN_PASSWORD" \ - -m "Added \`${DIST_FILENAME_PREFIX}\` artifacts for release \`${PROJECT_VERSION}\`" diff --git a/.github/workflows/deploy-site-reusable.yaml b/.github/workflows/deploy-site-reusable.yaml deleted file mode 100644 index d48c017..0000000 --- a/.github/workflows/deploy-site-reusable.yaml +++ /dev/null @@ -1,189 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -name: deploy-site-reusable - -on: - workflow_call: - inputs: - asf-yaml-content: - description: The contents of the `.asf.yaml` that will be created - required: true - type: string - java-version: - description: The Java compiler version - default: 17 - type: string - install-required: - description: Flag indicating if Maven `install` goal should be run before running the `site` goal - default: false - type: boolean - target-branch: - description: The name of the branch the generated site content will be written to - required: true - type: string - target-path: - description: The directory path the generated site content will be placed under - default: "." - type: string - secrets: - GPG_SECRET_KEY: - description: GPG secret key for signing commits - required: true - -# Explicitly drop all permissions inherited from the caller for security. -# Reference: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions -permissions: { } - -jobs: - - deploy: - runs-on: ubuntu-latest - permissions: - # Write permissions for committing the generated site - contents: write - - steps: - - - name: Checkout the source branch - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - - - name: Set up Java - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # 3.7.0 - with: - distribution: zulu - java-version: ${{ inputs.java-version }} - cache: maven - gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} - - - name: Build the project - shell: bash - if: inputs.install-required - run: | - ./mvnw \ - --show-version --batch-mode --errors --no-transfer-progress \ - -Dmaven.test.skip \ - install - - # Node.js cache is needed for Antora - - name: Restore Node.js cache - id: nodejs-cache-restore - uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # 4.2.4 - with: - # The cache is OS independent - enableCrossOsArchive: true - # The cache needs to be updated only when `logging-parent` is updated - key: "nodejs-cache-${{ hashFiles('package-lock.json') }}" - # Only the NPM modules need to be cached, since Node.js and NPM are retrieved from the Maven local repository - path: node_modules - - - name: Build the website - shell: bash - run: | - ./mvnw \ - --show-version --batch-mode --errors --no-transfer-progress \ - site - cd target/site - find . -empty -type d -delete - find . -print0 | sort --zero-terminated | xargs -0 zip -qoX "$RUNNER_TEMP/site.zip" - echo "SOURCE_COMMIT_ID=$(git rev-parse HEAD)" >> $GITHUB_ENV - - - name: Set up Git user - shell: bash - run: | - # Set up user name and email required for `git commit` - git config user.name "ASF Logging Services RM" - git config user.email [email protected] - - # Checking out a new branch will delete the `node_modules` folder, - # so we need to save the cache here. - - name: Save Node.js cache - uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # 4.2.4 - with: - key: ${{ steps.nodejs-cache-restore.outputs.cache-primary-key }} - path: node_modules - - - name: Create the target branch - shell: bash - env: - TARGET_BRANCH: ${{ inputs.target-branch }} - run: | - git ls-remote --exit-code --heads origin "refs/heads/$TARGET_BRANCH" >/dev/null 2>&1 || { - echo "Remote branch \`$TARGET_BRANCH\` doesn't exist, creating it" - git checkout --orphan "$TARGET_BRANCH" - echo "Content for initializing an orphan branch for the website to be generated from \`$SOURCE_COMMIT_ID\`" > README.txt - git add README.txt - git commit -S README.txt -m "Initial content for the website to be generated from \`$SOURCE_COMMIT_ID\`" - git push origin "$TARGET_BRANCH" - } - - - name: Checkout the target branch - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - with: - ref: ${{ inputs.target-branch }} - - - name: Update the target path - shell: bash - env: - TARGET_PATH: ${{ inputs.target-path }} - ASF_YAML_CONTENT: ${{ inputs.asf-yaml-content }} - run: | - # Check if there already exists an `.asf.yaml` - ASF_YAML_EXISTS=$([ -f .asf.yaml ] && echo "true" || echo "false") - - # Clean up the target path - git ls-files -z -- "$TARGET_PATH" | xargs -0 git rm -rfq - - # Place the generated site - unzip -q "$RUNNER_TEMP/site.zip" -d "$TARGET_PATH" - git add "$TARGET_PATH" - - # Recover `.asf.yaml`, if there was one. - # Otherwise `git status` will always show a change even when there are no changes in the website content. - # That is because we always populate `.asf.yaml` with some random values at the end to fix an INFRA issue. - if [ "$ASF_YAML_EXISTS" = "true" ]; then - git checkout HEAD .asf.yaml - fi - - # Commit changes, if there are any - if [ -n "$(git status --porcelain)" ]; then - - # Commit & push site changes - git commit -S -a -m "Add website content generated from \`$SOURCE_COMMIT_ID\`" - git push -f origin - - # Populate `.asf.yaml` - cat >.asf.yaml <<EOF - $ASF_YAML_CONTENT - - # INFRA cannot handle change sets bigger than a certain size: https://the-asf.slack.com/archives/CBX4TSBQ8/p1709724983391709 - # This file will be used to push a small commit to help the INFRA to recover. - # - # Random values to cause a change: - # - # - Seed: $RANDOM - # - Commit ID: $SOURCE_COMMIT_ID - # - Timestamp: $(date --utc '+%Y-%m-%dT%H:%M:%SZ') - EOF - git add .asf.yaml - git commit -S .asf.yaml -m "Add \`.asf.yaml\` along with an INFRA fix for the website content generated from \`$SOURCE_COMMIT_ID\`" - - # Push changes *separately*! - # A separate small commit push necessary due to the INFRA issue explained above. - git push -f origin - - fi diff --git a/.github/workflows/deploy-site.yaml b/.github/workflows/deploy-site.yaml index c7addf4..3fac9d8 100644 --- a/.github/workflows/deploy-site.yaml +++ b/.github/workflows/deploy-site.yaml @@ -35,7 +35,7 @@ jobs: deploy-site-stg: if: github.repository == 'apache/logging-parent' && github.ref_name == 'main' - uses: ./.github/workflows/deploy-site-reusable.yaml + uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@gha/v0 # Secrets for committing the generated site secrets: GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }} @@ -52,7 +52,7 @@ jobs: deploy-site-pro: if: github.repository == 'apache/logging-parent' && github.ref_name == 'main-site-pro' - uses: ./.github/workflows/deploy-site-reusable.yaml + uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@gha/v0 # Secrets for committing the generated site secrets: GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }} @@ -82,7 +82,7 @@ jobs: deploy-site-rel: needs: export-version - uses: ./.github/workflows/deploy-site-reusable.yaml + uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@gha/v0 # Secrets for committing the generated site secrets: GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }} diff --git a/.github/workflows/deploy-snapshot-reusable.yaml b/.github/workflows/deploy-snapshot-reusable.yaml deleted file mode 100644 index b868a5d..0000000 --- a/.github/workflows/deploy-snapshot-reusable.yaml +++ /dev/null @@ -1,85 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -name: deploy-snapshot-reusable - -on: - workflow_call: - inputs: - java-version: - description: The Java compiler version - default: 17 - type: string - outputs: - project-version: - description: The version of the project - value: ${{ jobs.deploy.outputs.project-version }} - secrets: - NEXUS_USERNAME: - description: Nexus snapshot repository username for deploying artifacts - required: true - NEXUS_PASSWORD: - description: Nexus snapshot repository password for deploying artifacts - required: true - -# Explicitly drop all permissions inherited from the caller for security. -# Reference: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions -permissions: { } - -jobs: - deploy: - runs-on: ubuntu-latest - outputs: - project-version: ${{ steps.version.outputs.project-version }} - steps: - - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - - - name: Set up Java - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # 3.7.0 - with: - distribution: zulu - java-version: ${{ inputs.java-version }} - cache: maven - server-id: apache.snapshots.https - server-username: NEXUS_USERNAME - server-password: NEXUS_PASSWORD - - - name: Export version - id: version - shell: bash - run: | - export PROJECT_VERSION=$(./mvnw \ - --quiet --batch-mode -DforceStdout=true \ - -Dexpression=project.version \ - help:evaluate \ - | tail -n 1) - echo "PROJECT_VERSION=$PROJECT_VERSION" >> $GITHUB_ENV - # Export version to calling workflow - echo "project-version=$PROJECT_VERSION" >> $GITHUB_OUTPUT - - - name: Upload to Nexus - shell: bash - env: - # `NEXUS_USERNAME` and `NEXUS_PASSWORD` are used in `~/.m2/settings.xml` created by `setup-java` action - NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }} - NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} - run: | - ./mvnw \ - --show-version --batch-mode --errors --no-transfer-progress \ - -P deploy diff --git a/.github/workflows/merge-dependabot-reusable.yaml b/.github/workflows/merge-dependabot-reusable.yaml deleted file mode 100644 index adaf403..0000000 --- a/.github/workflows/merge-dependabot-reusable.yaml +++ /dev/null @@ -1,135 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -name: merge-dependabot-reusable - -on: - workflow_call: - inputs: - java-version: - description: The Java compiler version - default: 17 - type: string - maven-args: - description: Additional Maven arguments - type: string - secrets: - GPG_SECRET_KEY: - description: GPG secret key for signing commits - required: true - -env: - MAVEN_ARGS: ${{ inputs.maven-args }} - -jobs: - - merge-dependabot: - - runs-on: ubuntu-latest - - steps: - - - name: Fetch metadata - id: dependabot-metadata - uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # 2.4.0 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - - - name: Find dependency attributes - shell: bash - env: - DEPENDENCY_NAMES: ${{ steps.dependabot-metadata.outputs.dependency-names }} - DEPENDENCY_VERSION: ${{ steps.dependabot-metadata.outputs.new-version }} - run: | - DEPENDENCY_NAME=$(echo "$DEPENDENCY_NAMES" | tr "," '\n' | head -n 1) - cat >> $GITHUB_ENV << EOF - DEPENDENCY_NAME=$DEPENDENCY_NAME - DEPENDENCY_VERSION=$DEPENDENCY_VERSION - EOF - - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - with: - ref: ${{ steps.dependabot-metadata.outputs.target-branch }} - - - name: Download and apply patch - shell: bash - env: - PATCH_URL: ${{ github.event.pull_request.patch_url }} - run: | - wget -O- "$PATCH_URL" | git apply - - - name: Set up Java & GPG - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # 5.0.0 - with: - distribution: zulu - java-version: ${{ inputs.java-version }} - cache: maven - server-id: apache.releases.https - server-username: NEXUS_USERNAME - server-password: NEXUS_PASSWORD - gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} - - - name: Find the release version major - shell: bash - run: | - RELEASE_VERSION_MAJOR=$(./mvnw \ - --non-recursive --quiet --batch-mode \ - -DforceStdout=true \ - -Dexpression=parsedVersion.majorVersion \ - build-helper:parse-version help:evaluate \ - | tail -n 1) - echo "RELEASE_VERSION_MAJOR=$RELEASE_VERSION_MAJOR" >> $GITHUB_ENV - - - name: Create changelog entry - shell: bash - env: - PR_URL: ${{ github.event.pull_request.html_url }} - PR_ID: ${{ github.event.pull_request.number }} - run: | - if [ -d "src/changelog" ]; then - RELEASE_CHANGELOG_FILEPATH="src/changelog/.${RELEASE_VERSION_MAJOR}.x.x" - SAFE_DEPENDENCY_NAME=$(echo "$DEPENDENCY_NAME" | tr "[:upper:]" "[:lower:]" | sed -r 's/[^a-z0-9]/_/g' | sed -r 's/_+/_/g') - CHANGELOG_ENTRY_FILEPATH="$RELEASE_CHANGELOG_FILEPATH/update_${SAFE_DEPENDENCY_NAME}.xml" - mkdir -p $(dirname "$CHANGELOG_ENTRY_FILEPATH") - cat > "$CHANGELOG_ENTRY_FILEPATH" << EOF - <?xml version="1.0" encoding="UTF-8"?> - <entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; - xmlns="https://logging.apache.org/xml/ns"; - xsi:schemaLocation="https://logging.apache.org/xml/ns https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"; - type="updated"> - <issue id="$PR_ID" link="$PR_URL"/> - <description format="asciidoc">Update \`$DEPENDENCY_NAME\` to version \`$DEPENDENCY_VERSION\`</description> - </entry> - EOF - fi - - - name: Add & commit changes - shell: bash - env: - PR_ID: ${{ github.event.pull_request.number }} - PR_BRANCH: ${{ github.head_ref }} - run: | - git add . - git config user.name "ASF Logging Services RM" - git config user.email [email protected] - git commit -S -a -m "Update \`$DEPENDENCY_NAME\` to version \`$DEPENDENCY_VERSION\` (#$PR_ID)" - # Pushing the same commit to the Dependabot and main branch closes the PR - git push -f origin "HEAD:$PR_BRANCH" - # Allow for GitHub to realize that the PR branch changed - sleep 5 - git push origin diff --git a/.github/workflows/merge-dependabot.yaml b/.github/workflows/merge-dependabot.yaml deleted file mode 100644 index 2d611cc..0000000 --- a/.github/workflows/merge-dependabot.yaml +++ /dev/null @@ -1,42 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -name: merge-dependabot - -on: - pull_request_target: - paths-ignore: - - "**.adoc" - - "**.md" - - "**.txt" - -permissions: read-all - -jobs: - - build: - if: github.repository == 'apache/logging-parent' && github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]' - uses: ./.github/workflows/build-reusable.yaml - - merge-dependabot: - needs: build - uses: ./.github/workflows/merge-dependabot-reusable.yaml - permissions: - contents: write # to push changelog commits - pull-requests: write # to close the PR - secrets: - GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }} # to sign commits diff --git a/.github/workflows/scorecards-analysis-reusable.yaml b/.github/workflows/scorecards-analysis-reusable.yaml deleted file mode 100644 index 8094b6c..0000000 --- a/.github/workflows/scorecards-analysis-reusable.yaml +++ /dev/null @@ -1,65 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -name: scorecards-analysis - -on: - workflow_call: - -# Explicitly drop all permissions inherited from the caller for security. -# Reference: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions -permissions: { } - -jobs: - - analysis: - name: "Scorecards analysis" - runs-on: ubuntu-latest - # Permissions required to publish Security Alerts - permissions: - security-events: write - - steps: - - - name: "Checkout code" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - with: - persist-credentials: false - - - name: "Run analysis" - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # 2.4.2 - with: - results_file: results.sarif - results_format: sarif - # A read-only PAT token, which is sufficient for the action to function. - # The relevant discussion: https://github.com/ossf/scorecard-action/issues/188 - repo_token: ${{ secrets.GITHUB_TOKEN }} - # Publish the results for public repositories to enable scorecard badges. - # For more details: https://github.com/ossf/scorecard-action#publishing-results - publish_results: true - - - name: "Upload artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # 3.29.0 - with: - sarif_file: results.sarif diff --git a/.github/workflows/verify-reproducibility-reusable.yaml b/.github/workflows/verify-reproducibility-reusable.yaml deleted file mode 100644 index a743210..0000000 --- a/.github/workflows/verify-reproducibility-reusable.yaml +++ /dev/null @@ -1,115 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -name: verify-reproducibility-reusable - -on: - workflow_call: - inputs: - java-version: - description: The Java compiler version - default: 17 - type: string - maven-args: - description: Additional Maven arguments - type: string - nexus-url: - description: The URL of the reference Nexus repository - type: string - runs-on: - description: The type of runners to use as JSON array - default: '["ubuntu-latest"]' - type: string - -env: - MAVEN_ARGS: ${{ inputs.maven-args }} - NEXUS_URL: ${{ inputs.nexus-url }} - -# Explicitly drop all permissions inherited from the caller for security. -# Reference: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions -permissions: { } - -jobs: - - build: - - runs-on: ${{ matrix.os }} - - strategy: - matrix: - os: ${{ fromJSON(inputs.runs-on) }} - - steps: - - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 - with: - ref: ${{ github.ref }} - - - name: Set up Java - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # 5.0.0 - with: - distribution: zulu - java-version: ${{ inputs.java-version }} - - # - # Generates a cache key prefix to enable partial cache hits. - # If there's no exact match for the full cache key, any cache with this prefix can be used as a fallback. - # To avoid unbounded cache growth, the prefix includes the current month, - # ensuring a new cache is started each month. - # - - name: Compute Cache Key Prefix - shell: bash - run: | - date +"CACHE_KEY=verify-reproducibility-%Y-%m" >> $GITHUB_ENV - - # - # Configures caching for the local Maven repository. - # Uses a custom cache key to isolate artifacts built in this workflow, - # preventing reproducibility results from being affected by cached outputs from other workflows. - # - - name: Set up Maven Cache - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # 4.2.4 - with: - path: ~/.m2/repository - key: "${{ env.CACHE_KEY }}-${{ runner.os }}-${{ hashFiles('**/pom.xml') }}" - restore-keys: | - ${{ env.CACHE_KEY }}-${{ runner.os }}- - - # `clean verify artifact:compare` is required to generate the build reproducibility report. - # For details, see: https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility - - name: Verify build reproducibility - shell: bash - run: | - ./mvnw \ - --show-version --batch-mode --errors --no-transfer-progress \ - -DskipTests=true \ - -Dreference.repo="${NEXUS_URL}" \ - clean verify artifact:compare - - # Upload reproducibility results if the build fails. - - name: Upload reproducibility results - if: failure() - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2 - with: - name: reproducibility-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}} - path: | - **/target/bom.xml - **/target/*.buildcompare - **/target/*.jar - **/target/*.zip - **/target/reference/** diff --git a/package-lock.json b/package-lock.json index 2437c37..b06750a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -703,20 +703,6 @@ "node": ">= 0.4" } }, - "node_modules/dunder-proto": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz";, - "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==", - "license": "MIT", - "dependencies": { - "call-bind-apply-helpers": "^1.0.1", - "es-errors": "^1.3.0", - "gopd": "^1.2.0" - }, - "engines": { - "node": ">= 0.4" - } - }, "node_modules/end-of-stream": { "version": "1.4.4", "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz";, diff --git a/src/changelog/.12.x.x/gha-branch.xml b/src/changelog/.12.x.x/gha-branch.xml new file mode 100644 index 0000000..6931328 --- /dev/null +++ b/src/changelog/.12.x.x/gha-branch.xml @@ -0,0 +1,9 @@ +<?xml version="1.0" encoding="UTF-8"?> +<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; + xmlns="https://logging.apache.org/xml/ns"; + xsi:schemaLocation="https://logging.apache.org/xml/ns https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"; + type="changed"> + <description format="asciidoc"> + Move reusable GitHub Actions workflows from `main` to the `gha/v0` branch. + </description> +</entry> diff --git a/src/site/antora/antora.tmpl.yml b/src/site/antora/antora.tmpl.yml index c6e6fba..e92c88c 100644 --- a/src/site/antora/antora.tmpl.yml +++ b/src/site/antora/antora.tmpl.yml @@ -38,6 +38,7 @@ version: ~ start_page: index.adoc asciidoc: attributes: + project-gha-version: "gha/v0" project-github-url: "${scm.url}" project-version: "${site-project.version}" project-name: Logging Parent diff --git a/src/site/antora/antora.yml b/src/site/antora/antora.yml index 63faef9..479dd80 100644 --- a/src/site/antora/antora.yml +++ b/src/site/antora/antora.yml @@ -38,6 +38,7 @@ version: ~ start_page: index.adoc asciidoc: attributes: + project-gha-version: "gha/v0" project-github-url: "https://github.com/awesome/project"; project-version: "1.2.3" project-name: Logging Parent diff --git a/src/site/antora/modules/ROOT/examples/build.yaml b/src/site/antora/modules/ROOT/examples/build.yaml index 216b006..30723ed 100644 --- a/src/site/antora/modules/ROOT/examples/build.yaml +++ b/src/site/antora/modules/ROOT/examples/build.yaml @@ -32,7 +32,7 @@ jobs: # tag::build[] build: - uses: apache/logging-parent/.github/workflows/build-reusable.yaml@rel/{project-version} + uses: apache/logging-parent/.github/workflows/build-reusable.yaml@{project-gha-version} secrets: DV_ACCESS_TOKEN: ${{ startsWith(github.ref_name, 'release/') && '' || secrets.DEVELOCITY_ACCESS_KEY }} with: @@ -45,7 +45,7 @@ jobs: deploy-snapshot: needs: build if: github.repository == 'apache/logging-log4j2' && github.ref_name == '2.x' - uses: apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@rel/{project-version} + uses: apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@{project-gha-version} # Secrets for deployments secrets: NEXUS_USERNAME: ${{ secrets.NEXUS_USER }} @@ -56,7 +56,7 @@ jobs: deploy-release: needs: build if: github.repository == 'apache/logging-log4j2' && startsWith(github.ref_name, 'release/') - uses: apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@rel/{project-version} + uses: apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@{project-gha-version} # Secrets for deployments secrets: GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }} @@ -75,7 +75,7 @@ jobs: verify-reproducibility-snapshot: needs: deploy-snapshot name: "verify-reproducibility (${{ needs.deploy-snapshot.outputs.project-version }})" - uses: apache/logging-parent/.github/workflows/verify-reproducibility-reusable.yaml@rel/{project-version} + uses: apache/logging-parent/.github/workflows/verify-reproducibility-reusable.yaml@{project-gha-version} with: # Reference repository nexus-url: https://repository.apache.org/content/groups/snapshots @@ -87,7 +87,7 @@ jobs: verify-reproducibility-release: needs: deploy-release name: "verify-reproducibility (${{ needs.deploy-release.outputs.project-version }})" - uses: apache/logging-parent/.github/workflows/verify-reproducibility-reusable.yaml@rel/{project-version} + uses: apache/logging-parent/.github/workflows/verify-reproducibility-reusable.yaml@{project-gha-version} with: # Reference repository nexus-url: ${{ needs.deploy-release.outputs.nexus-url }} diff --git a/src/site/antora/modules/ROOT/examples/deploy-site.yaml b/src/site/antora/modules/ROOT/examples/deploy-site.yaml index 42b6b82..f9c0cd0 100644 --- a/src/site/antora/modules/ROOT/examples/deploy-site.yaml +++ b/src/site/antora/modules/ROOT/examples/deploy-site.yaml @@ -36,7 +36,7 @@ jobs: # tag::snapshot[] deploy-site-stg: if: github.repository == 'apache/logging-log4j2' && github.ref_name == '2.x' - uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/{project-version} + uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@{project-gha-version} # Secrets for committing the generated site secrets: GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }} @@ -56,7 +56,7 @@ jobs: # tag::production[] deploy-site-pro: if: github.repository == 'apache/logging-log4j2' && github.ref_name == '2.x-site-pro' - uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/12.1.0 + uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@{project-gha-version} # Secrets for committing the generated site secrets: GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }} @@ -87,7 +87,7 @@ jobs: deploy-site-rel: needs: export-version - uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/{project-version} + uses: apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@{project-gha-version} # Secrets for committing the generated site secrets: GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }} diff --git a/src/site/antora/modules/ROOT/nav.adoc b/src/site/antora/modules/ROOT/nav.adoc index c6a4cc1..513c689 100644 --- a/src/site/antora/modules/ROOT/nav.adoc +++ b/src/site/antora/modules/ROOT/nav.adoc @@ -17,6 +17,7 @@ * xref:features.adoc[] * xref:usage.adoc[] +* xref:workflows.adoc[] * xref:release-notes.adoc[] .Release support diff --git a/src/site/antora/modules/ROOT/pages/features.adoc b/src/site/antora/modules/ROOT/pages/features.adoc index 024e9d9..7858091 100644 --- a/src/site/antora/modules/ROOT/pages/features.adoc +++ b/src/site/antora/modules/ROOT/pages/features.adoc @@ -106,7 +106,7 @@ For example, you can use the snippet below: [source,yaml,subs="+attributes"] ---- build: - uses: apache/logging-parent/.github/workflows/build-reusable.yaml@rel/{project-version} + uses: apache/logging-parent/.github/workflows/build-reusable.yaml@{project-gha-version} secrets: DV_ACCESS_TOKEN: ${{ ! startsWith(github.refname, 'release/') && secrets.DEVELOCITY_ACCESS_KEY }} with: diff --git a/src/site/antora/modules/ROOT/pages/workflows.adoc b/src/site/antora/modules/ROOT/pages/workflows.adoc index e9ed9f9..0761bf0 100644 --- a/src/site/antora/modules/ROOT/pages/workflows.adoc +++ b/src/site/antora/modules/ROOT/pages/workflows.adoc @@ -26,11 +26,10 @@ The Logging Parent project provides the following reusable GitHub Actions workfl * <<deploy-release>> * <<deploy-site>> * <<deploy-snapshot>> -* <<merge-dependabot>> * <<verify-reproducibility>> [#build] -== {project-github-url}/blob/main/.github/workflows/build-reusable.yaml[`build-reusable.yaml`] +== {project-github-url}/blob/{project-gha-version}/.github/workflows/build-reusable.yaml[`build-reusable.yaml`] This workflow: @@ -47,7 +46,7 @@ include::example$build.yaml[tag=build,indent=0] ---- [#deploy-snapshot] -== {project-github-url}/blob/main/.github/workflows/deploy-snapshot-reusable.yaml[`deploy-snapshot-reusable.yaml`] +== {project-github-url}/blob/{project-gha-version}/.github/workflows/deploy-snapshot-reusable.yaml[`deploy-snapshot-reusable.yaml`] This workflow deploys SNAPSHOT artifacts. @@ -61,7 +60,7 @@ include::example$build.yaml[tag=deploy-snapshot,indent=0] ---- [#deploy-release] -== {project-github-url}/blob/main/.github/workflows/deploy-release-reusable.yaml[`deploy-release-reusable.yaml`] +== {project-github-url}/blob/{project-gha-version}/.github/workflows/deploy-release-reusable.yaml[`deploy-release-reusable.yaml`] This workflow: @@ -81,7 +80,7 @@ include::example$build.yaml[tag=deploy-release,indent=0] ---- [#verify-reproducibility] -== {project-github-url}/blob/main/.github/workflows/merge-dependabot-reusable.yaml[`verify-reproducibility-reusable.yaml`] +== {project-github-url}/blob/{project-gha-version}/.github/workflows/verify-reproducibility-reusable.yaml[`verify-reproducibility-reusable.yaml`] This workflow verifies the reproducibility of a previous <<deploy-snapshot>> or <<deploy-release>> workflow. @@ -104,13 +103,8 @@ To verify the reproducibility of a release, you can use: include::example$build.yaml[tag=verify-reproducibility-release,indent=0] ---- -[#merge-dependabot] -== {project-github-url}/blob/main/.github/workflows/merge-dependabot-reusable.yaml[`merge-dependabot-reusable.yaml`] - -Merges Dependabot PRs along with changelog entries. - [#deploy-site] -== {project-github-url}/blob/main/.github/workflows/deploy-site-reusable.yaml[`deploy-site-reusable.yaml`] +== {project-github-url}/blob/{project-gha-version}/.github/workflows/deploy-site-reusable.yaml[`deploy-site-reusable.yaml`] This workflow builds and deploys the website.
