adityamparikh commented on code in PR #18: URL: https://github.com/apache/solr-mcp/pull/18#discussion_r2514334273
########## .github/workflows/release-publish.yml: ########## @@ -0,0 +1,374 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Official Release Publishing Workflow +# ===================================== +# +# Purpose: +# - Publish Docker images as convenience binaries that correspond 1:1 to a +# voted and approved source release of Apache Solr MCP. +# - NOTE: Docker images are NOT the release of record; the authoritative +# release artifacts are the signed source tarballs published to the ASF +# distribution system (dist.apache.org / mirrors). +# +# When to run: +# - AFTER the ASF voting process has completed successfully (minimum 72 hours +# and at least three +1 binding PMC votes) and the source release has been +# finalized/published. +# +# ASF Release Process (summary): +# ------------------------------ +# 1. Release Manager creates release candidate (RC) +# 2. RC is staged for voting (72-hour minimum voting period) +# 3. PMC members vote on the release +# 4. Source release is published to dist.apache.org / mirrors +# 5. After successful vote and published source, this workflow is triggered manually +# 6. Publishes Docker images to official registries as convenience binaries +# +# Prerequisites: +# -------------- +# - Release must have passed ASF voting process +# - Source release artifacts must be signed and available on dist.apache.org +# - Release Manager must have necessary credentials +# +# Manual Trigger Required: +# ------------------------ +# This workflow MUST be triggered manually by the Release Manager +# after the ASF vote passes and the source release is published. + +name: Release Publish + +# Trigger this workflow manually from the GitHub UI and capture structured inputs +# - We require the GA version (e.g., 1.0.0) and the RC tag suffix (e.g., rc1) +# - Optional inputs help document the vote thread and enable experimental signing +on: + workflow_dispatch: + inputs: + # Semantic version of the approved release (no -rc suffix) + release_version: + description: 'Release version (e.g., 1.0.0)' + required: true + type: string + # Which release candidate was approved (used to check out the exact tag) + release_candidate: + description: 'Release candidate number (e.g., rc1, rc2)' + required: true + type: string + # Link to the public ASF vote thread for traceability in the summary + vote_thread_url: + description: 'URL to the vote thread (for documentation)' + required: false + type: string + # If true, attempt to use ASF Infra code-signing (placeholder; requires coordination) + sign_with_asf_infra: + description: 'Use ASF code signing infrastructure' + required: false + type: boolean + default: false + +# Global environment settings used across jobs +# - JAVA_VERSION: version of JDK used to build the project +# - JAVA_DISTRIBUTION: OpenJDK distribution to install via actions/setup-java +env: + JAVA_VERSION: '25' + JAVA_DISTRIBUTION: 'temurin' + +jobs: + validate-release: + name: Validate Release Prerequisites + runs-on: ubuntu-latest + + outputs: + proceed: ${{ steps.validation.outputs.proceed }} + + steps: + # Step: Check out the exact RC tag that was approved (e.g., v1.0.0-rc1) + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: "v${{ inputs.release_version }}-${{ inputs.release_candidate }}" + + # Step: Validate that the supplied tag exists in the repo + # - Uses `git rev-parse` to resolve the tag; sets an output flag to gate downstream jobs + - name: Validate release tag exists + id: validation + run: | + # Check if the release tag exists + if git rev-parse "v${{ inputs.release_version }}-${{ inputs.release_candidate }}" >/dev/null 2>&1; then + echo "Release tag found: v${{ inputs.release_version }}-${{ inputs.release_candidate }}" + echo "proceed=true" >> $GITHUB_OUTPUT + else + echo "ERROR: Release tag not found: v${{ inputs.release_version }}-${{ inputs.release_candidate }}" + echo "proceed=false" >> $GITHUB_OUTPUT + exit 1 + fi + + # Optional: Document the vote approval in the Actions summary for traceability + - name: Document vote approval + if: ${{ inputs.vote_thread_url != '' }} + run: | + echo "### Release Vote Approval" >> $GITHUB_STEP_SUMMARY + echo "Release v${{ inputs.release_version }} was approved via ASF voting process." >> $GITHUB_STEP_SUMMARY + echo "Vote thread: ${{ inputs.vote_thread_url }}" >> $GITHUB_STEP_SUMMARY + + publish-docker: + name: Publish Docker Images + runs-on: ubuntu-latest + needs: validate-release + if: ${{ needs.validate-release.outputs.proceed == 'true' }} + + permissions: + contents: read + packages: write + id-token: write # For OIDC/code signing if needed + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: "v${{ inputs.release_version }}-${{ inputs.release_candidate }}" + + - name: Set up JDK ${{ env.JAVA_VERSION }} + uses: actions/setup-java@v4 + with: + java-version: ${{ env.JAVA_VERSION }} + distribution: ${{ env.JAVA_DISTRIBUTION }} + cache: 'gradle' + + - name: Grant execute permission for gradlew + run: chmod +x gradlew + + - name: Update version in build.gradle.kts + run: | + # Ensure the Gradle project version matches the GA version (removes any -SNAPSHOT) + # This keeps image tags and any generated artifacts consistent with the voted release + sed -i 's/version = ".*"/version = "${{ inputs.release_version }}"/' build.gradle.kts + + - name: Build project + run: ./gradlew build + + - name: Sign artifacts with ASF infrastructure + if: ${{ inputs.sign_with_asf_infra }} + run: | + # Placeholder for ASF code signing integration + # This would integrate with ASF's code signing service + # Requires coordination with ASF INFRA team + echo "Would sign artifacts with ASF code signing infrastructure" + echo "Contact INFRA for setup requirements" + + - name: Build and publish to Docker Hub (apache/solr-mcp) + run: | + # Publish official release to apache/solr-mcp + # This requires Apache PMC credentials + if [[ -n "${{ secrets.DOCKERHUB_APACHE_USERNAME }}" ]]; then + # Build and push with multiple tags + ./gradlew jib \ + -Djib.to.image=apache/solr-mcp:${{ inputs.release_version }} \ + -Djib.to.auth.username=${{ secrets.DOCKERHUB_APACHE_USERNAME }} \ + -Djib.to.auth.password=${{ secrets.DOCKERHUB_APACHE_TOKEN }} \ + -Djib.to.tags=${{ inputs.release_version }},latest + + # Also tag with major and minor versions + MAJOR_VERSION=$(echo "${{ inputs.release_version }}" | cut -d. -f1) + MINOR_VERSION=$(echo "${{ inputs.release_version }}" | cut -d. -f1-2) + + ./gradlew jib \ + -Djib.to.image=apache/solr-mcp:${MAJOR_VERSION} \ + -Djib.to.auth.username=${{ secrets.DOCKERHUB_APACHE_USERNAME }} \ + -Djib.to.auth.password=${{ secrets.DOCKERHUB_APACHE_TOKEN }} + + ./gradlew jib \ + -Djib.to.image=apache/solr-mcp:${MINOR_VERSION} \ + -Djib.to.auth.username=${{ secrets.DOCKERHUB_APACHE_USERNAME }} \ + -Djib.to.auth.password=${{ secrets.DOCKERHUB_APACHE_TOKEN }} + else + echo "WARNING: Apache Docker Hub credentials not configured" + fi + + - name: Build and publish to GitHub Container Registry + run: | + # Also publish to GitHub Container Registry + ./gradlew jib \ + -Djib.to.image=ghcr.io/${{ github.repository_owner }}/solr-mcp:${{ inputs.release_version }} \ Review Comment: If we have established process around publishing to one or the other, we can follow the same here. Publishing release gives options to make it available where the users are able to access and keeping nightly releases to only one. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
