This is an automated email from the ASF dual-hosted git repository.
arm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-actions.git
The following commit(s) were added to refs/heads/main by this push:
new 0373712 Update maven central distribution for ntb files
0373712 is described below
commit 0373712b3e5dda707e18fd651ea7f21b127f0f0b
Author: Alastair McFarlane <[email protected]>
AuthorDate: Tue Mar 10 14:03:26 2026 +0000
Update maven central distribution for ntb files
---
.github/workflows/distribute-maven.yml | 300 +++++++++++++++++++++++++++++++++
1 file changed, 300 insertions(+)
diff --git a/.github/workflows/distribute-maven.yml
b/.github/workflows/distribute-maven.yml
new file mode 100644
index 0000000..3af16ac
--- /dev/null
+++ b/.github/workflows/distribute-maven.yml
@@ -0,0 +1,300 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: Distribute from ATR to RAO Maven Staging
+run-name: "${{ inputs.atr-id }}"
+
+on:
+ workflow_dispatch:
+ inputs:
+ atr-id:
+ description: 'Run ID (from ATR)'
+ required: true
+ asf-uid:
+ description: 'Originating user ID'
+ required: true
+ project:
+ description: 'Project in ATR to pull files from'
+ required: true
+ version:
+ description: 'Version in ATR to pull files from'
+ required: true
+ phase:
+ description: 'Expected release phase in ATR'
+ required: true
+ distribution-owner-namespace:
+ description: "Owner namespace"
+ required: true
+ distribution-package:
+ description: 'Package/project name in ATR'
+ required: true
+ distribution-version:
+ description: 'Distribution version'
+ required: true
+ atr-host:
+ description: 'ATR host (for testing purposes)'
+ required: false
+ default: 'release-test.apache.org'
+ ssh-port:
+ description: 'SSH port for ATR (for testing purposes)'
+ required: false
+ default: '2222'
+
+jobs:
+ distribute:
+ permissions:
+ id-token: write
+ contents: read
+ runs-on: ubuntu-latest
+ env:
+ ATR_HOST: ${{ inputs.atr-host }}
+ SSH_PORT: ${{ inputs.ssh-port }}
+ WORKFLOW: distribute-maven-stg.yml
+ NJORD_STORE: atr-deployment-${{ inputs.distribution-package }}-${{
inputs.distribution-version }}
+ RAO_USERNAME: ${{ secrets.RAO_USERNAME }}
+ RAO_PASSWORD: ${{ secrets.RAO_PASSWORD }}
+ TAG_NAME: "${{ inputs.distribution-owner-namespace }}-${{
inputs.distribution-package }}-${{ inputs.distribution-version }}"
+ steps:
+ - name: Sleep for 5 seconds
+ run: sleep 5s
+ shell: bash
+ - name: Create settings.xml
+ run: |
+ mkdir -p ~/.m2
+ cat > ~/.m2/settings.xml << EOF
+ <?xml version="1.0" encoding="UTF-8"?>
+ <settings>
+ <pluginGroups>
+ <pluginGroup>eu.maveniverse.maven.plugins</pluginGroup>
+ </pluginGroups>
+ <servers>
+ <server>
+ <id>rao3</id>
+ <username>${RAO_USERNAME}</username>
+ <password>${RAO_PASSWORD}</password>
+ <configuration>
+ <njord.publisher>sonatype-nx3</njord.publisher>
+
<njord.publisher.sonatype-nx3.baseUrl>https://repository.apache.org:4443/</njord.publisher.sonatype-nx3.baseUrl>
+ </configuration>
+ </server>
+ </servers>
+ </settings>
+ EOF
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+ overwrite-settings: false
+ - name: Set up Maven 3.9+
+ uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1
+ with:
+ maven-version: 3.9.12
+
+ - name: Create a GitHub OIDC JWT
+ id: create-github-jwt
+ shell: bash
+ run: |
+ set -euo pipefail
+ url="${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=atr-test-v1"
+ jwt="$(curl -sS --fail-with-body -H "Authorization: bearer
${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "$url" | jq -r .value)"
+ echo "::add-mask::$jwt"
+ echo "jwt=$jwt" >> "$GITHUB_OUTPUT"
+
+ - name: Generate an ephemeral SSH key
+ id: generate-ssh-key
+ shell: bash
+ run: |
+ set -euxo pipefail
+ ssh-keygen -t ed25519 -N "" -f "$RUNNER_TEMP/ssh_key"
+ echo "ssh_private_key_path=$RUNNER_TEMP/ssh_key" >> "$GITHUB_OUTPUT"
+ echo "ssh_public_key=$(cat "$RUNNER_TEMP/ssh_key.pub")" >>
"$GITHUB_OUTPUT"
+
+ - name: Register the ephemeral SSH key with ATR
+ shell: bash
+ run: |
+ set -euxo pipefail
+ case "${ATR_HOST}" in
+ *.apache.org) ;;
+ *) echo "atr-host must match *.apache.org"; exit 1;;
+ esac
+ jq -n --arg publisher github \
+ --arg jwt "$JWT" \
+ --arg key "$SSH_PUBLIC_KEY" \
+ --arg uid "$INPUTS_ASF_UID" \
+ --arg phase "$INPUTS_PHASE" \
+ --arg project_name "$INPUTS_PROJECT" \
+ --arg version "$INPUTS_VERSION" \
+ '{publisher:$publisher, jwt:$jwt, ssh_key:$key, asf_uid:$uid,
project_name:$project_name, phase:$phase, version:$version}' |
+ curl -sS --fail-with-body -X POST -H 'Content-Type:
application/json' -d @- \
+ "https://${ATR_HOST}/api/distribute/ssh/register"
+ env:
+ JWT: ${{ steps.create-github-jwt.outputs.jwt }}
+ SSH_PUBLIC_KEY: ${{ steps.generate-ssh-key.outputs.ssh_public_key }}
+ INPUTS_PROJECT: ${{ inputs.project }}
+ INPUTS_VERSION: ${{ inputs.version }}
+ INPUTS_PHASE: ${{ inputs.phase }}
+ INPUTS_ASF_UID: ${{ inputs.asf-uid }}
+
+ - name: Report status back to ATR
+ shell: bash
+ run: |
+ set -euxo pipefail
+ jq -n --arg publisher github \
+ --arg jwt "$JWT" \
+ --arg workflow "$WORKFLOW" \
+ --arg run_id $RUN_ID \
+ --arg project_name "$INPUTS_PROJECT" \
+ '{publisher:$publisher, jwt:$jwt, workflow:$workflow,
run_id:$run_id, project_name:$project_name, status:"in_progress",
message:"Compiling distribution"}' |
+ curl -sS --fail-with-body -X POST -H 'Content-Type:
application/json' -d @- \
+ "https://${ATR_HOST}/api/distribute/task/status"
+ env:
+ JWT: ${{ steps.create-github-jwt.outputs.jwt }}
+ RUN_ID: ${{ github.run_id }}
+ INPUTS_PROJECT: ${{ inputs.project }}
+
+ - name: Download from ATR using rsync
+ shell: bash
+ run: |
+ set -euxo pipefail
+ if ! [[ "${SSH_PORT}" =~ ^[0-9]+$ ]]
+ then
+ echo "::error::ssh-port must be an integer"
+ exit 1
+ fi
+ : "${INPUTS_DISTRIBUTION_PACKAGE:?package is required}"
+ : "${INPUTS_VERSION:?version is required}"
+ command -v rsync > /dev/null || { sudo apt-get update -y && sudo
apt-get install -y rsync; }
+ mkdir stg
+ rsync -av \
+ -e "ssh -p 2222 -i $SSH_PRIVATE_KEY_PATH -o
StrictHostKeyChecking=accept-new" \
+ -- \
+ "github@${ATR_HOST}:/${INPUTS_PROJECT}/${INPUTS_VERSION}/maven/"
./stg/
+ env:
+ INPUTS_PROJECT: ${{ inputs.project }}
+ INPUTS_VERSION: ${{ inputs.version }}
+ INPUTS_DISTRIBUTION_OWNER_NAMESPACE: ${{
inputs.distribution-owner-namespace }}
+ INPUTS_DISTRIBUTION_PACKAGE: ${{ inputs.distribution-package }}
+ # INPUTS_DETAILS: ${{ inputs.details }}
+ SSH_PRIVATE_KEY_PATH: ${{
steps.generate-ssh-key.outputs.ssh_private_key_path }}
+
+ - name: Get store ID and publish
+ shell: bash
+ run: |
+ set -euxo pipefail
+ echo "Importing Njord bundle"
+ NJORD_STORE=$(mvn njord:import-all -Dnjord.dir=./stg | sed -En
's/.*Imported to (.+) staged.*/\1/p')
+ echo "Validating store: $NJORD_STORE"
+ mvn njord:validate -Dnjord.store=$NJORD_STORE
-Dnjord.publisher=sonatype-cp -Dnjord.details=true -q | sed -n '/Central
Requirements/,/ArtifactStore.*failed validation/{/ArtifactStore.*failed
validation/!s/^\[ERROR\] *//p}' | tee .err
+ echo "Publishing store: $NJORD_STORE"
+ mvn njord:publish -Dnjord.store=$NJORD_STORE
+ mvn njord:drop -Dnjord.store=$NJORD_STORE
+ env:
+ INPUTS_DISTRIBUTION_OWNER_NAMESPACE: ${{
inputs.distribution-owner-namespace }}
+ INPUTS_DISTRIBUTION_PACKAGE: ${{ inputs.distribution-package }}
+ INPUTS_DISTRIBUTION_VERSION: ${{ inputs.distribution-version }}
+
+ - name: Report status back to ATR
+ shell: bash
+ run: |
+ set -euxo pipefail
+ jq -n --arg publisher github \
+ --arg jwt "$JWT" \
+ --arg workflow "$WORKFLOW" \
+ --arg run_id $RUN_ID \
+ --arg project_name "$INPUTS_PROJECT" \
+ '{publisher:$publisher, jwt:$jwt, workflow:$workflow,
run_id:$run_id, project_name:$project_name, status:"in_progress",
message:"Recording distribution"}' |
+ curl -sS --fail-with-body -X POST -H 'Content-Type:
application/json' -d @- \
+ "https://${ATR_HOST}/api/distribute/task/status"
+ env:
+ JWT: ${{ steps.create-github-jwt.outputs.jwt }}
+ RUN_ID: ${{ github.run_id }}
+ INPUTS_PROJECT: ${{ inputs.project }}
+
+ - name: Record distribution on ATR
+ shell: bash
+ run: |
+ set -euxo pipefail
+ DETAILS_JSON=false
+ [ "${INPUTS_DETAILS}" = "true" ] && DETAILS_JSON=true
+ jq -n --arg publisher github \
+ --arg jwt "$JWT" \
+ --arg uid "$INPUTS_ASF_UID" \
+ --arg project "$INPUTS_PROJECT" \
+ --arg version "$INPUTS_VERSION" \
+ --arg phase "$INPUTS_PHASE" \
+ --arg platform "MAVEN" \
+ --arg distribution_owner_namespace
"$INPUTS_DISTRIBUTION_OWNER_NAMESPACE" \
+ --arg distribution_package "$INPUTS_DISTRIBUTION_PACKAGE" \
+ --arg distribution_version "$INPUTS_DISTRIBUTION_VERSION" \
+ --argjson details "$DETAILS_JSON" \
+ '{publisher:$publisher, jwt:$jwt, asf_uid:$uid,
project:$project, version:$version, phase:$phase, platform:$platform,
distribution_owner_namespace:$distribution_owner_namespace,
distribution_package:$distribution_package,
distribution_version:$distribution_version, staging:false, details:$details}' |
+ curl -sS --fail-with-body -X POST -H 'Content-Type:
application/json' -d @- \
+ "https://${ATR_HOST}/api/distribute/record_from_workflow"
+ env:
+ INPUTS_PROJECT: ${{ inputs.project }}
+ INPUTS_VERSION: ${{ inputs.version }}
+ INPUTS_PHASE: ${{ inputs.phase }}
+ INPUTS_ASF_UID: ${{ inputs.asf-uid }}
+ INPUTS_DISTRIBUTION_OWNER_NAMESPACE: ${{
inputs.distribution-owner-namespace }}
+ INPUTS_DISTRIBUTION_PACKAGE: ${{ inputs.distribution-package }}
+ INPUTS_DISTRIBUTION_VERSION: ${{ inputs.distribution-version }}
+ INPUTS_DETAILS: "false"
+ JWT: ${{ steps.create-github-jwt.outputs.jwt }}
+
+ - name: Report status back to ATR
+ shell: bash
+ if: failure()
+ run: |
+ set -euxo pipefail
+ jq -n --arg publisher github \
+ --arg jwt "$JWT" \
+ --arg workflow "$WORKFLOW" \
+ --arg run_id $RUN_ID \
+ --arg project_name "$INPUTS_PROJECT" \
+ --arg err "$([ -f .err ] && [ -s .err ] && echo "Build failed:
$(cat .err)" || echo "Github workflow failed")" \
+ --arg status "failed" \
+ '{publisher:$publisher, jwt:$jwt, workflow:$workflow,
run_id:$run_id, project_name:$project_name, status:$status, message:$err}' |
+ curl -sS --fail-with-body -X POST -H 'Content-Type:
application/json' -d @- \
+ "https://${ATR_HOST}/api/distribute/task/status"
+ env:
+ JWT: ${{ steps.create-github-jwt.outputs.jwt }}
+ RUN_ID: ${{ github.run_id }}
+ STATUS: ${{ job.status }}
+ INPUTS_PROJECT: ${{ inputs.project }}
+
+
+ - name: Report status back to ATR
+ shell: bash
+ if: success()
+ run: |
+ set -euxo pipefail
+ jq -n --arg publisher github \
+ --arg jwt "$JWT" \
+ --arg workflow "$WORKFLOW" \
+ --arg run_id $RUN_ID \
+ --arg project_name "$INPUTS_PROJECT" \
+ --arg status "success" \
+ '{publisher:$publisher, jwt:$jwt, workflow:$workflow,
run_id:$run_id, project_name:$project_name, status:$status, message:"GitHub
workflow succeeded"}' |
+ curl -sS --fail-with-body -X POST -H 'Content-Type:
application/json' -d @- \
+ "https://${ATR_HOST}/api/distribute/task/status"
+ env:
+ JWT: ${{ steps.create-github-jwt.outputs.jwt }}
+ RUN_ID: ${{ github.run_id }}
+ STATUS: ${{ job.status }}
+ INPUTS_PROJECT: ${{ inputs.project }}
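Review bot: The `atr-host` allow-list guards only the "Register the ephemeral SSH key with ATR" step and runs after the OIDC token has been minted, so when it rejects the host the job fails and the `if: failure()` status step still POSTs `$JWT` to `https://${ATR_HOST}/api/distribute/task/status`. The `case` glob `*.apache.org` is also a plain suffix match on the raw string, so it accepts values containing `/`, `@` or `:` that are not hostnames under apache.org. Validate once in a first step with an anchored pattern and gate the failure reporter on that step having passed, as sketched below. In the rsync step the validated `SSH_PORT` is never used (`ssh -p 2222` is hard-coded; `-p "${SSH_PORT}"` was presumably intended), and `StrictHostKeyChecking=accept-new` on a fresh runner accepts whatever host key is presented, so artifacts that go on to be published would be better fetched against a pinned `known_hosts` entry. `RAO_USERNAME`/`RAO_PASSWORD` sit in job-level `env` and are therefore visible to every step, including the third-party setup actions; scoping them to "Create settings.xml", where the unquoted heredoc expands them, narrows that exposure.

```yaml
      # first step of the job, before the OIDC token is requested
      - name: Validate ATR host
        id: validate-atr-host
        shell: bash
        run: |
          set -euo pipefail
          if ! [[ "${ATR_HOST}" =~ ^[a-z0-9][a-z0-9.-]*\.apache\.org$ ]]
          then
            echo "::error::atr-host must be a hostname under apache.org"
            exit 1
          fi

      # … unchanged: steps from "Sleep for 5 seconds" to "Record distribution on ATR",
      #   minus the case/esac block in the register step …

      - name: Report status back to ATR
        shell: bash
        if: failure() && steps.validate-atr-host.outcome == 'success'
        # … unchanged: run and env of the failure reporter …
```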