-
Notifications
You must be signed in to change notification settings - Fork 366
156 lines (145 loc) · 4.99 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
name: Publish New Release
on:
push:
tags:
- "*"
workflow_dispatch:
jobs:
validate-tag:
runs-on: ubuntu-latest
outputs:
draft_release: ${{ steps.get_tag.outputs.draft_release }}
tag: ${{ steps.get_tag.outputs.tag }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get tag, release mode
shell: bash
id: get_tag
run: |
if [[ ${GITHUB_REF##*/} =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]];
then
draft_release=false
elif [[ ${GITHUB_REF##*/} =~ ^[0-9]+\.[0-9]+\.[0-9]+(-(alpha|beta|rc)(\.[0-9]+)?)?(\+[A-Za-z0-9.]+)?$ ]];
then
draft_release=true
else
echo "Exiting, github ref needs to be a tag with format x.y.z or x.y.z-(alpha|beta|rc)"
exit 1
fi
echo "draft_release=$draft_release" >> $GITHUB_OUTPUT
echo "tag=${GITHUB_REF##*/}" >> $GITHUB_OUTPUT
build:
needs:
- validate-tag
uses: ./.github/workflows/build.yml
with:
version: ${{ needs.validate-tag.outputs.tag }}
secrets: inherit
antivirus-scan-initialization:
timeout-minutes: 15
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install and Update Antivirus Software
run: |
# Install ClamAV
sudo apt-get update
sudo apt-get install -y clamav
sudo systemctl stop clamav-freshclam
sudo freshclam || exit 0
- name: Run Antivirus Scan for Source Code
run: |
clamscan --recursive --alert-broken --alert-encrypted \
--alert-encrypted-archive --alert-exceeds-max --detect-pua .
- name: Cache Antivirus Database
uses: actions/cache/save@v4
with:
path: /var/lib/clamav
key: clamav-database-${{ github.run_id }}
antivirus-scan:
needs:
- build
- antivirus-scan-initialization
timeout-minutes: 30
runs-on: ubuntu-latest
strategy:
matrix:
module: ${{fromJSON(needs.build.outputs.publish_modules)}}
steps:
- uses: actions/checkout@v4
- name: Restore assembly
uses: actions/cache/restore@v4
with:
path: ~/**/target/libs/*.jar
key: assembly-${{ matrix.module }}-${{ github.run_id }}
fail-on-cache-miss: true
- name: Install Antivirus Software
run: |
# Install ClamAV and prepare database directory to be restored
sudo apt-get update && sudo apt-get install -y clamav
sudo systemctl stop clamav-freshclam
sudo chmod 777 /var/lib/clamav
- name: Restore Antivirus Database
uses: actions/cache/restore@v4
with:
path: /var/lib/clamav
key: clamav-database-${{ github.run_id }}
- name: Run Antivirus Scan
run: |
clamscan --recursive --alert-broken --alert-encrypted \
--alert-encrypted-archive --alert-exceeds-max \
--include-pua=Unix --include-pua=Java \
--max-scansize=1000m --max-filesize=500m --max-files=100000 \
kafka-connect-${{ matrix.module }}
create-release:
runs-on: ubuntu-latest
needs:
- validate-tag
- build
- antivirus-scan
strategy:
# Avoid parallel uploads
max-parallel: 1
# GitHub will NOT cancel all in-progress and queued jobs in the matrix if any job in the matrix fails, which could create inconsistencies.
# If any matrix job fails, the job will be marked as failure
fail-fast: false
matrix:
module: ${{fromJSON(needs.build.outputs.publish_modules)}}
env:
DRAFT_RELEASE: '${{ needs.validate-tag.outputs.draft_release }}'
TAG: ${{ needs.validate-tag.outputs.tag }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
cache: 'sbt'
- name: Uncache assembly
uses: actions/cache/restore@v4
with:
path: |
~/**/target/libs/*.jar
key: assembly-${{ matrix.module }}-${{ github.run_id }}
fail-on-cache-miss: true
- name: Package Connector
shell: bash
# It's BASH so we have to use find instead of globbed (**) cp for subdirs with depth >1
run: |
FOLDER=kafka-connect-${{ matrix.module }}-${{ env.TAG }}
mkdir -p $FOLDER
find . -type f -path "*/target/libs/*.jar" -exec cp "{}" $FOLDER/ \;
cp LICENSE $FOLDER/
zip -r "$FOLDER.zip" $FOLDER/
- name: Upload binaries to release
uses: svenstaro/upload-release-action@v2
with:
file: kafka-connect-${{ matrix.module }}-${{ env.TAG }}.zip
asset_name: "kafka-connect-${{ matrix.module }}-${{ env.TAG }}.zip"
release_name: 'Stream Reactor ${{ env.TAG }}'
prerelease: ${{ env.DRAFT_RELEASE }}