This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-parent.git
The following commit(s) were added to refs/heads/main by this push:
new 9e3ceb4 Document that GHA workflows are moved to `gha/v0` (#455)
9e3ceb4 is described below
commit 9e3ceb49764393a90bb8182954329b83f3361e85
Author: Volkan Yazıcı <[email protected]>
AuthorDate: Thu Apr 16 12:33:55 2026 +0200
Document that GHA workflows are moved to `gha/v0` (#455)
Co-authored-by: Piotr P. Karwasz <[email protected]>
---
.asf.yaml | 13 +-
.github/dependabot.yaml | 49 +++-
.github/workflows/build-reusable.yaml | 214 --------------
.github/workflows/build.yaml | 11 +-
.github/workflows/codeql-analysis-reusable.yaml | 74 -----
.github/workflows/codeql-analysis.yaml | 28 +-
.github/workflows/deploy-release-reusable.yaml | 314 ---------------------
.github/workflows/deploy-site-reusable.yaml | 189 -------------
.github/workflows/deploy-site.yaml | 6 +-
.github/workflows/deploy-snapshot-reusable.yaml | 85 ------
.github/workflows/merge-dependabot-reusable.yaml | 135 ---------
.github/workflows/merge-dependabot.yaml | 42 ---
.../workflows/scorecards-analysis-reusable.yaml | 65 -----
.../workflows/verify-reproducibility-reusable.yaml | 115 --------
pom.xml | 2 +
src/changelog/.12.x.x/gha-branch.xml | 9 +
src/site/antora/antora.tmpl.yml | 1 +
src/site/antora/antora.yml | 1 +
src/site/antora/modules/ROOT/examples/build.yaml | 10 +-
.../antora/modules/ROOT/examples/deploy-site.yaml | 6 +-
src/site/antora/modules/ROOT/nav.adoc | 1 +
src/site/antora/modules/ROOT/pages/features.adoc | 2 +-
src/site/antora/modules/ROOT/pages/workflows.adoc | 16 +-
23 files changed, 88 insertions(+), 1300 deletions(-)
diff --git a/.asf.yaml b/.asf.yaml
index 4f943dc..31588c7 100644
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -61,9 +61,9 @@ github:
# Enforce squashing while merging PRs.
# Otherwise, the git log gets polluted severely.
enabled_merge_buttons:
- squash: true
- merge: false
- rebase: false
+ squash: true
+ merge: false
+ rebase: false
features:
issues: true
@@ -72,11 +72,16 @@ github:
protected_branches: { }
rulesets:
- - name: "Branch protection (2)"
+ # The `.asf.yaml` processor has a bug that prevents it from parsing
existing rulesets.
+ # So it can neither remove them nor modify them.
+ # Hence, we bump the counter in the name at each change.
+ # For details, see:
https://github.com/apache/infrastructure-asfyaml/pull/93
+ - name: "Branch protection (3)"
type: branch
branches:
includes:
- "~DEFAULT_BRANCH"
+ - "refs/heads/gha/*"
# All reviews must be addressed before merging
required_conversation_resolution: true
# Require checks to pass before merging
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index dcb2321..18c9ce8 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -17,33 +17,52 @@
version: 2
-# Add Maven Central explicitly to work around:
-# https://github.com/dependabot/dependabot-core/issues/8329
-registries:
- maven-central:
- type: maven-repository
- url: https://repo.maven.apache.org/maven2
-
updates:
+ # region `main` updates
+
- package-ecosystem: maven
directory: "/"
schedule:
- interval: daily
- open-pull-requests-limit: 10
- registries:
- - maven-central
+ interval: monthly
+ groups:
+ dependencies:
+ patterns: [ "*" ]
+ target-branch: "main"
- package-ecosystem: github-actions
directory: "/"
schedule:
- interval: daily
+ interval: weekly
+ cooldown:
+ default-days: 7
+ groups:
+ dependencies:
+ patterns: [ "*" ]
+ target-branch: "main"
- package-ecosystem: npm
directory: "/"
schedule:
interval: monthly
groups:
- all:
- patterns:
- - "*"
+ dependencies:
+ patterns: [ "*" ]
+ target-branch: "main"
+
+ # endregion
+
+ # region `gha/v0` updates
+
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: weekly
+ cooldown:
+ default-days: 7
+ groups:
+ dependencies:
+ patterns: [ "*" ]
+ target-branch: "gha/v0"
+
+ # endregion
diff --git a/.github/workflows/build-reusable.yaml
b/.github/workflows/build-reusable.yaml
deleted file mode 100644
index 1c96d0a..0000000
--- a/.github/workflows/build-reusable.yaml
+++ /dev/null
@@ -1,214 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-name: build-reusable
-
-on:
- workflow_call:
- inputs:
- develocity-enabled:
- description: Enable Develocity Build Scan publication
- default: false
- type: boolean
- java-version:
- description: The Java compiler version
- default: 17
- type: string
- maven-args:
- description: Additional Maven arguments
- type: string
- ref:
- description: The branch, tag or SHA to checkout
- # When running on `pull_request_target` use the PR branch, not the
target branch
- default: ${{ github.event_name == 'pull_request_target' &&
github.head_ref || github.ref }}
- type: string
- repository:
- description: GitHub repository name with owner
- default: ${{ github.repository }}
- type: string
- reproducibility-check-enabled:
- description: Runs a reproducibility check on the build
- default: true
- type: boolean
- site-enabled:
- description: Flag indicating if Maven `site` goal should be run
- default: false
- type: boolean
- test-report-enabled:
- description: Enables the upload of test reports
- default: true
- type: boolean
- test-report-suffix:
- description: Suffix to add to the uploaded artifacts
- default: ''
- type: string
-
- secrets:
- DV_ACCESS_TOKEN:
- description: Access token to Gradle Enterprise
- required: false
-
-env:
- MAVEN_ARGS: ${{ inputs.maven-args }}
-
-# Explicitly drop all permissions inherited from the caller for security.
-# Reference:
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
-permissions: { }
-
-jobs:
-
- build:
-
- runs-on: ${{ matrix.os }}
-
- strategy:
- fail-fast: false
- matrix:
- os: [ macos-latest, ubuntu-latest, windows-latest ]
-
- steps:
-
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #
4.2.2
- with:
- repository: ${{ inputs.repository }}
- ref: ${{ inputs.ref }}
-
- - name: Set up Java
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #
5.0.0
- with:
- distribution: zulu
- java-version: ${{ inputs.java-version }}
- cache: maven
-
- - name: Set up Develocity
- if: inputs.develocity-enabled
- shell: bash
- run: |
- if [ -f .mvn/develocity.xml ]; then
- DEVELOCITY_VERSION=$(./mvnw help:evaluate -q -DforceStdout
-Dexpression=develocity-maven-plugin.version)
- USER_DATA_VERSION=$(./mvnw help:evaluate -q -DforceStdout
-Dexpression=develocity-user-data-extension.version)
- cat >.mvn/extensions.xml <<EOF
- <extensions>
- <extension>
- <groupId>com.gradle</groupId>
- <artifactId>develocity-maven-extension</artifactId>
- <version>$DEVELOCITY_VERSION</version>
- </extension>
- <extension>
- <groupId>com.gradle</groupId>
-
<artifactId>common-custom-user-data-maven-extension</artifactId>
- <version>$USER_DATA_VERSION</version>
- </extension>
- </extensions>
- EOF
- # Print file for debugging purposes
- cat .mvn/extensions.xml
- fi
-
- - name: Setup Develocity Build Scan capture
- if: inputs.develocity-enabled
- uses:
gradle/develocity-actions/setup-maven@4a2aed82eea165ba2d5c494fc2a8730d7fdff229
# 1.4
- with:
- develocity-access-key: ${{ secrets.DV_ACCESS_TOKEN }}
-
- # We use `install` instead of `verify`, otherwise the build website step
below fails
- - name: Build
- id: build
- shell: bash
- run: |
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- -DtrimStackTrace=false \
- -DinstallAtEnd=true \
- clean install
-
- # We upload tests results.
- - name: Upload test reports
- if: ${{ always() && inputs.test-report-enabled }}
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# 4.6.2
- with:
- name:
"test-report-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}}${{inputs.test-report-suffix}}"
- path: |
- **/target/surefire-reports
- **/target/logs
-
- - name: Clean up Develocity
- if: inputs.develocity-enabled
- shell: bash
- run: |
- rm -f .mvn/extensions.xml
- # Clean up changes introduced by
gradle/develocity-actions/maven-setup
- echo "MAVEN_OPTS=" >> "$GITHUB_ENV"
-
- # Node.js cache is needed for Antora
- - name: Set up Node.js cache
- if: inputs.site-enabled
- id: nodejs-cache
- uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # 4.2.4
- with:
- # We should be calculating the cache key using `package-lock.json`
instead!
- # See https://stackoverflow.com/a/48524475/1278899
- # For that, `package-lock.json` needs to be committed into the
repository – right now it is `.gitignore`d.
- # Once it is there, we should ideally switch from `npm i` to `npm
ci`.
- # For that, we need to configure `dependabot` to update hundreds of
dependencies listed in `package-lock.json`.
- # That translates to a never ending rain of `dependabot` PRs.
- # I doubt if the wasted CPU cycles worth the gain.
- key: "${{ runner.os }}-nodejs-cache-${{ hashFiles('node',
'node_modules') }}"
- # `actions/cache` doesn't recommend caching `node_modules`.
- # Though none of its recipes fit our bill, since we install Node.js
using `frontend-maven-plugin`.
- # See
https://github.com/actions/cache/blob/main/examples.md#node---npm
- # We settle for this quick-n-dirty solution for the time being.
- path: |
- node
- node_modules
-
- - name: Build the website
- if: inputs.site-enabled
- shell: bash
- env:
- # Making Node.js cache hit visible for debugging purposes
- NODEJS_CACHE_HIT: ${{ steps.nodejs-cache.outputs.cache-hit }}
- run: |
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- site
-
- # `clean verify artifact:compare` is required to generate the build
reproducibility report.
- # For details, see:
https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility
- - name: Verify build reproducibility
- if: inputs.reproducibility-check-enabled
- id: reproducibility
- shell: bash
- run: |
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- -DskipTests=true \
- clean verify artifact:compare
-
- # Upload reproducibility results if the build fails.
- - name: Upload reproducibility results
- if: inputs.reproducibility-check-enabled && failure() &&
steps.reproducibility.conclusion == 'failure'
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# 4.6.2
- with:
- name:
reproducibility-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}}
- path: |
- **/target/bom.xml
- **/target/*.buildcompare
- **/target/*.jar
- **/target/*.zip
- **/target/reference/**
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 7a145cb..6b9e789 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -23,14 +23,9 @@ on:
- "main"
- "release/*"
paths-ignore:
- - "**.adoc"
- "**.md"
- "**.txt"
pull_request:
- paths-ignore:
- - "**.adoc"
- - "**.md"
- - "**.txt"
# If the branch is `main`, run once per commit.
# If the branch is `release/*`, allow only one concurrent run.
@@ -46,14 +41,14 @@ jobs:
build:
if: github.actor != 'dependabot[bot]'
- uses: ./.github/workflows/build-reusable.yaml
+ uses: apache/logging-parent/.github/workflows/build-reusable.yaml@gha/v0
with:
site-enabled: true
deploy-snapshot:
needs: build
if: github.repository == 'apache/logging-parent' && github.ref_name ==
'main'
- uses: ./.github/workflows/deploy-snapshot-reusable.yaml
+ uses:
apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@gha/v0
# Secrets for deployments
secrets:
NEXUS_USERNAME: ${{ secrets.NEXUS_USER }}
@@ -62,7 +57,7 @@ jobs:
deploy-release:
needs: build
if: github.repository == 'apache/logging-parent' &&
startsWith(github.ref_name, 'release/')
- uses: ./.github/workflows/deploy-release-reusable.yaml
+ uses:
apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@gha/v0
# Secrets for deployments
secrets:
GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
diff --git a/.github/workflows/codeql-analysis-reusable.yaml
b/.github/workflows/codeql-analysis-reusable.yaml
deleted file mode 100644
index 217d5e8..0000000
--- a/.github/workflows/codeql-analysis-reusable.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-name: codeql-analysis
-
-on:
- workflow_call:
- inputs:
- java-version:
- description: The Java compiler version
- default: 17
- type: string
- # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript',
'kotlin', 'python', 'ruby' ]
- # Learn more about CodeQL language support at
https://git.io/codeql-language-support
- language:
- description: Language used in the repository
- default: java
- type: string
-
-# Explicitly drop all permissions inherited from the caller for security.
-# Reference:
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
-permissions: { }
-
-jobs:
-
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
- # Permissions required to publish Security Alerts
- permissions:
- security-events: write
-
- steps:
-
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #
4.2.2
-
- - name: Initialize CodeQL
- uses:
github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # 3.29.0
- with:
- # Also check GitHub Actions
- languages: ${{ inputs.language }}, actions
-
- - name: Setup JDK
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #
5.0.0
- with:
- distribution: zulu
- java-version: ${{ inputs.java-version }}
- cache: maven
-
- - name: Build with Maven
- shell: bash
- run: |
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- -DskipTests \
- clean verify
-
- - name: Perform CodeQL Analysis
- uses:
github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 #
3.29.0
diff --git a/.github/workflows/codeql-analysis.yaml
b/.github/workflows/codeql-analysis.yaml
index fa2ea73..1c71cfa 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -21,9 +21,13 @@ name: codeql-analysis
on:
push:
- branches: [ "main" ]
+ branches:
+ - "gha/v0"
+ - "main"
pull_request:
- branches: [ "main" ]
+ branches:
+ - "gha/v0"
+ - "main"
schedule:
- cron: '32 12 * * 5'
@@ -34,21 +38,11 @@ permissions: { }
jobs:
analyze:
- name: Analyze
- runs-on: ubuntu-latest
+ uses:
apache/logging-parent/.github/workflows/codeql-analysis-reusable.yaml@gha/v0
+ with:
+ language: actions
# Permissions required to publish Security Alerts
permissions:
+ actions: read
+ contents: read
security-events: write
-
- steps:
-
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #
4.2.2
-
- - name: Initialize CodeQL
- uses:
github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # 3.29.0
- with:
- languages: actions
-
- - name: Perform CodeQL Analysis
- uses:
github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 #
3.29.0
diff --git a/.github/workflows/deploy-release-reusable.yaml
b/.github/workflows/deploy-release-reusable.yaml
deleted file mode 100644
index 03b447f..0000000
--- a/.github/workflows/deploy-release-reusable.yaml
+++ /dev/null
@@ -1,314 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-name: deploy-release-reusable
-
-on:
- workflow_call:
- inputs:
- java-version:
- description: The Java compiler version
- default: 17
- type: string
- project-id:
- description: Identifier used in the distribution artifact and
Subversion repository folder filenames (e.g., `logging-parent`)
- required: true
- type: string
- outputs:
- project-version:
- description: The version of the project
- value: ${{ jobs.deploy.outputs.project-version }}
- nexus-url:
- description: The URL of the Nexus repository used
- value: ${{ jobs.deploy.outputs.nexus-url }}
- secrets:
- GPG_SECRET_KEY:
- description: GPG secret key for signing artifacts
- required: true
- NEXUS_USERNAME:
- description: Nexus staging repository username for deploying artifacts
- required: true
- NEXUS_PASSWORD:
- description: Nexus staging repository password for deploying artifacts
- required: true
- SVN_USERNAME:
- description: Subversion username for uploading the release distribution
- required: true
- SVN_PASSWORD:
- description: Subversion password for uploading the release distribution
- required: true
-
-# Explicitly drop all permissions inherited from the caller for security.
-# Reference:
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
-permissions: { }
-
-jobs:
- deploy:
- runs-on: ubuntu-latest
- outputs:
- project-version: ${{ steps.version.outputs.project-version }}
- nexus-url: ${{ steps.nexus.outputs.nexus-url }}
- permissions:
- # Write permissions to allow the Maven `revision` property update,
changelog release, etc.
- contents: write
-
- steps:
-
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #
4.2.2
-
- - name: Set up Java & GPG
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #
3.7.0
- with:
- distribution: zulu
- java-version: ${{ inputs.java-version }}
- cache: maven
- server-id: apache.releases.https
- server-username: NEXUS_USERNAME
- server-password: NEXUS_PASSWORD
- gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
-
- - name: Set up Git user
- shell: bash
- run: |
- # Set up user name and email required for `git commit`
- git config user.name "ASF Logging Services RM"
- git config user.email [email protected]
-
- - name: Export version
- id: version
- shell: bash
- env:
- GIT_BRANCH_NAME: ${{ github.ref_name }}
- run: |
- [[ "$GIT_BRANCH_NAME" =~ ^release/.+$ ]] || {
- echo "was expecting a \`release/\`-prefixed Git branch name,
found: \`$GIT_BRANCH_NAME\`"
- exit 1
- }
- export PROJECT_VERSION=$(echo "$GIT_BRANCH_NAME" | sed
's/^release\///')
- echo "PROJECT_VERSION=$PROJECT_VERSION" >> $GITHUB_ENV
- # Export version to calling workflow
- echo "project-version=$PROJECT_VERSION" >> $GITHUB_OUTPUT
-
- - name: Set the Maven `revision` property
- shell: bash
- run: |
- export REVISION=$(./mvnw \
- --non-recursive --quiet --batch-mode \
- -DforceStdout=true \
- -Dexpression=revision \
- help:evaluate \
- | tail -n 1)
- if [ "$REVISION" != "$PROJECT_VERSION" ]; then
- echo "Maven \`revision\` property \`$REVISION\` doesn't match with
the project version \`$PROJECT_VERSION\`, updating \`pom.xml\`..."
- ./mvnw \
- --non-recursive --batch-mode --errors --no-transfer-progress \
- -Dproperty=revision \
- -DnewVersion="$PROJECT_VERSION" \
- -DgenerateBackupPoms=false \
- versions:set-property
- git commit -S pom.xml -m "Set version to \`$PROJECT_VERSION\`"
- git push -f origin
- fi
-
- - name: Set the Maven `project.build.outputTimestamp` property
- shell: bash
- run: |
- export PROPERTY="project.build.outputTimestamp"
- grep -qE '^[\t ]+<'$PROPERTY'>' pom.xml || {
- echo "Failed to find the \`$PROPERTY\` Maven property!"
- exit 1
- }
- export TIMESTAMP=$(TZ=UTC0 git show --quiet
--date="format-local:%Y-%m-%dT%H:%M:%SZ" --format="%cd")
- sed -r 's|^([\t
]+<'$PROPERTY'>).+(</'$PROPERTY'>)$|\1'$TIMESTAMP'\2|g' -i pom.xml
- if [ -n "$(git status --porcelain)" ]; then
- git commit -S pom.xml -m "Update the \`$PROPERTY\` property"
- git push -f origin
- fi
-
- - name: Release changelog
- shell: bash
- run: |
- ./mvnw \
- --non-recursive --batch-mode --errors --no-transfer-progress \
- -P changelog-release
- git add src
- if [ -n "$(git status --porcelain)" ]; then
- git commit -S src -m "Release changelog for version
\`$PROJECT_VERSION\`"
- git push -f origin
- fi
-
- - name: Upload to Nexus
- id: nexus
- shell: bash
- env:
- # `NEXUS_USERNAME` and `NEXUS_PASSWORD` are used in
`~/.m2/settings.xml` created by `setup-java` action
- NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
- NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
- # `SIGN_KEY` is used by `sign-maven-plugin`
- SIGN_KEY: ${{ secrets.GPG_SECRET_KEY }}
- run: |
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- -P deploy,release
- export NEXUS_URL=$(awk '/^(stagingRepository.url)/ {
gsub(/(^.+=|\\)/, ""); print $1 }' target/nexus-staging/staging/*.properties)
- echo "NEXUS_URL=$NEXUS_URL" >> $GITHUB_ENV
- # Export repository URL to calling workflow
- echo "nexus-url=$NEXUS_URL" >> $GITHUB_OUTPUT
-
- # Node.js cache is needed for Antora
- - name: Set up Node.js cache
- id: nodejs-cache
- uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # 4.2.4
- with:
- # We should be calculating the cache key using `package-lock.json`
instead!
- # See https://stackoverflow.com/a/48524475/1278899
- # For that, `package-lock.json` needs to be committed into the
repository – right now it is `.gitignore`d.
- # Once it is there, we should ideally switch from `npm i` to `npm
ci`.
- # For that, we need to configure `dependabot` to update hundreds of
dependencies listed in `package-lock.json`.
- # That translates to a never ending rain of `dependabot` PRs.
- # I doubt if the wasted CPU cycles worth the gain.
- key: "${{ runner.os }}-nodejs-cache-${{ hashFiles('node',
'node_modules') }}"
- # `actions/cache` doesn't recommend caching `node_modules`.
- # Though none of its recipes fit our bill, since we install Node.js
using `frontend-maven-plugin`.
- # See
https://github.com/actions/cache/blob/main/examples.md#node---npm
- # We settle for this quick-n-dirty solution for the time being.
- path: |
- node
- node_modules
-
- # Website build is needed to generate the release notes
- - name: Build the website
- shell: bash
- env:
- # Making Node.js cache hit visible for debugging purposes
- NODEJS_CACHE_HIT: ${{ steps.nodejs-cache.outputs.cache-hit }}
- run: |
- export TIMESTAMP=$(./mvnw \
- --non-recursive --quiet --batch-mode \
- -DforceStdout=true \
- -Dexpression=project.build.outputTimestamp \
- help:evaluate \
- | tail -n 1)
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- site
-
- - name: Collect distribution attachments information
- shell: bash
- run: |
- # Folder where the Nexus Staging Maven plugin places the staged
artifacts
- export ALT_DEPLOYMENT_REPO_FILEPATH="target/nexus-staging/staging"
-
- # This regex needs to work for both Java (`distribution` profile)
and `find` (while counting attachments)!
- # Hence, we don't escape dots, etc. with backslashes, which is
problematic to get working in both worlds.
- export
DIST_ATTACHMENT_FILEPATH_PATTERN="^$ALT_DEPLOYMENT_REPO_FILEPATH/.+-$PROJECT_VERSION"'((-tests)?.jar|-cyclonedx.xml)$'
- export DIST_ATTACHMENT_COUNT=$(find "$ALT_DEPLOYMENT_REPO_FILEPATH"
-type f -regextype posix-extended -regex "$DIST_ATTACHMENT_FILEPATH_PATTERN" |
wc -l)
-
- # Pass the necessary environment variables
- cat >> $GITHUB_ENV << EOF
- DIST_ATTACHMENT_FILEPATH_PATTERN=$DIST_ATTACHMENT_FILEPATH_PATTERN
- DIST_ATTACHMENT_COUNT=$DIST_ATTACHMENT_COUNT
- EOF
-
- - name: Create the distribution
- shell: bash
- env:
- PROJECT_ID: ${{ inputs.project-id }}
- run: |
-
- # Generate the distribution (i.e., `src.zip` and optional `bin.zip`)
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- --non-recursive \
- -P distribution \
- -DattachmentFilepathPattern="$DIST_ATTACHMENT_FILEPATH_PATTERN" \
- -DattachmentCount="$DIST_ATTACHMENT_COUNT"
-
- # Rename distribution files
- export DIST_FILENAME_PREFIX="apache-${PROJECT_ID}"
- export
DIST_FILENAME_VERSIONED_PREFIX="${DIST_FILENAME_PREFIX}-${PROJECT_VERSION}"
- export DIST_FILEPATH_PREFIX="/tmp/${DIST_FILENAME_VERSIONED_PREFIX}"
- export DIST_FILEPATH_SRC="${DIST_FILEPATH_PREFIX}-src.zip"
- export DIST_FILEPATH_BIN="${DIST_FILEPATH_PREFIX}-bin.zip"
- mv "target/src.zip" "$DIST_FILEPATH_SRC"
- test -f "target/bin.zip" && mv "$_" "$DIST_FILEPATH_BIN"
-
- # Create signature and checksum files
- for DIST_FILEPATH in "$DIST_FILEPATH_SRC" "$DIST_FILEPATH_BIN"; do
- if [ -f "$DIST_FILEPATH" ]; then
- gpg --armor --detach-sign --yes --pinentry-mode error
"$DIST_FILEPATH"
- sha512sum "$DIST_FILEPATH" \
- | ( read CHECKSUM FILEPATH; echo $CHECKSUM" "$(basename
"$FILEPATH") ) \
- > "$DIST_FILEPATH.sha512"
- fi
- done
-
- # Pass the necessary environment variables
- cat >> $GITHUB_ENV << EOF
- DIST_FILENAME_PREFIX=$DIST_FILENAME_PREFIX
- DIST_FILENAME_VERSIONED_PREFIX=$DIST_FILENAME_VERSIONED_PREFIX
- DIST_FILEPATH_PREFIX=$DIST_FILEPATH_PREFIX
- EOF
-
- - name: Upload to Subversion
- shell: bash
- env:
- PROJECT_ID: ${{ inputs.project-id }}
- SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
- SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
- run: |
-
- # Install Subversion
- sudo apt install --assume-yes --no-install-recommends subversion
-
- # Find the effective Git commit ID
- export COMMIT_ID=$(git rev-parse HEAD)
-
- # Checkout the SVN repository
- export SVN_DIR="/tmp/svn-repo"
- svn co \
- "https://dist.apache.org/repos/dist/dev/logging/$PROJECT_ID"; \
- "$SVN_DIR"
- cd "$SVN_DIR"
-
- # Switch to the distribution folder
- [ -d "$PROJECT_VERSION" ] || {
- mkdir "$PROJECT_VERSION"
- svn add "$PROJECT_VERSION"
- }
- cd "$PROJECT_VERSION"
-
- # Clean up old files
- find . -name "${DIST_FILENAME_PREFIX}*" -type f -print0 | xargs -0
-r svn delete
-
- # Generate emails
- for EMAIL_TYPE in vote announce; do
- "$GITHUB_WORKSPACE/.github/generate-email.sh" \
- "$EMAIL_TYPE" "$PROJECT_VERSION" "$COMMIT_ID" "$NEXUS_URL" \
- > "${DIST_FILENAME_VERSIONED_PREFIX}-email-${EMAIL_TYPE}.txt"
- done
-
- # Copy the distribution
- cp "$DIST_FILEPATH_PREFIX"* .
-
- # Add & commit changes
- svn add "$DIST_FILENAME_PREFIX"*
- svn commit \
- --username "$SVN_USERNAME" \
- --password "$SVN_PASSWORD" \
- -m "Added \`${DIST_FILENAME_PREFIX}\` artifacts for release
\`${PROJECT_VERSION}\`"
diff --git a/.github/workflows/deploy-site-reusable.yaml
b/.github/workflows/deploy-site-reusable.yaml
deleted file mode 100644
index d48c017..0000000
--- a/.github/workflows/deploy-site-reusable.yaml
+++ /dev/null
@@ -1,189 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-name: deploy-site-reusable
-
-on:
- workflow_call:
- inputs:
- asf-yaml-content:
- description: The contents of the `.asf.yaml` that will be created
- required: true
- type: string
- java-version:
- description: The Java compiler version
- default: 17
- type: string
- install-required:
- description: Flag indicating if Maven `install` goal should be run
before running the `site` goal
- default: false
- type: boolean
- target-branch:
- description: The name of the branch the generated site content will be
written to
- required: true
- type: string
- target-path:
- description: The directory path the generated site content will be
placed under
- default: "."
- type: string
- secrets:
- GPG_SECRET_KEY:
- description: GPG secret key for signing commits
- required: true
-
-# Explicitly drop all permissions inherited from the caller for security.
-# Reference:
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
-permissions: { }
-
-jobs:
-
- deploy:
- runs-on: ubuntu-latest
- permissions:
- # Write permissions for committing the generated site
- contents: write
-
- steps:
-
- - name: Checkout the source branch
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #
4.2.2
-
- - name: Set up Java
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #
3.7.0
- with:
- distribution: zulu
- java-version: ${{ inputs.java-version }}
- cache: maven
- gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
-
- - name: Build the project
- shell: bash
- if: inputs.install-required
- run: |
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- -Dmaven.test.skip \
- install
-
- # Node.js cache is needed for Antora
- - name: Restore Node.js cache
- id: nodejs-cache-restore
- uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809
# 4.2.4
- with:
- # The cache is OS independent
- enableCrossOsArchive: true
- # The cache needs to be updated only when `logging-parent` is updated
- key: "nodejs-cache-${{ hashFiles('package-lock.json') }}"
- # Only the NPM modules need to be cached, since Node.js and NPM are
retrieved from the Maven local repository
- path: node_modules
-
- - name: Build the website
- shell: bash
- run: |
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- site
- cd target/site
- find . -empty -type d -delete
- find . -print0 | sort --zero-terminated | xargs -0 zip -qoX
"$RUNNER_TEMP/site.zip"
- echo "SOURCE_COMMIT_ID=$(git rev-parse HEAD)" >> $GITHUB_ENV
-
- - name: Set up Git user
- shell: bash
- run: |
- # Set up user name and email required for `git commit`
- git config user.name "ASF Logging Services RM"
- git config user.email [email protected]
-
- # Checking out a new branch will delete the `node_modules` folder,
- # so we need to save the cache here.
- - name: Save Node.js cache
- uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 #
4.2.4
- with:
- key: ${{ steps.nodejs-cache-restore.outputs.cache-primary-key }}
- path: node_modules
-
- - name: Create the target branch
- shell: bash
- env:
- TARGET_BRANCH: ${{ inputs.target-branch }}
- run: |
- git ls-remote --exit-code --heads origin "refs/heads/$TARGET_BRANCH"
>/dev/null 2>&1 || {
- echo "Remote branch \`$TARGET_BRANCH\` doesn't exist, creating it"
- git checkout --orphan "$TARGET_BRANCH"
- echo "Content for initializing an orphan branch for the website to
be generated from \`$SOURCE_COMMIT_ID\`" > README.txt
- git add README.txt
- git commit -S README.txt -m "Initial content for the website to be
generated from \`$SOURCE_COMMIT_ID\`"
- git push origin "$TARGET_BRANCH"
- }
-
- - name: Checkout the target branch
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #
4.2.2
- with:
- ref: ${{ inputs.target-branch }}
-
- - name: Update the target path
- shell: bash
- env:
- TARGET_PATH: ${{ inputs.target-path }}
- ASF_YAML_CONTENT: ${{ inputs.asf-yaml-content }}
- run: |
- # Check if there already exists an `.asf.yaml`
- ASF_YAML_EXISTS=$([ -f .asf.yaml ] && echo "true" || echo "false")
-
- # Clean up the target path
- git ls-files -z -- "$TARGET_PATH" | xargs -0 git rm -rfq
-
- # Place the generated site
- unzip -q "$RUNNER_TEMP/site.zip" -d "$TARGET_PATH"
- git add "$TARGET_PATH"
-
- # Recover `.asf.yaml`, if there was one.
- # Otherwise `git status` will always show a change even when there
are no changes in the website content.
- # That is because we always populate `.asf.yaml` with some random
values at the end to fix an INFRA issue.
- if [ "$ASF_YAML_EXISTS" = "true" ]; then
- git checkout HEAD .asf.yaml
- fi
-
- # Commit changes, if there are any
- if [ -n "$(git status --porcelain)" ]; then
-
- # Commit & push site changes
- git commit -S -a -m "Add website content generated from
\`$SOURCE_COMMIT_ID\`"
- git push -f origin
-
- # Populate `.asf.yaml`
- cat >.asf.yaml <<EOF
- $ASF_YAML_CONTENT
-
- # INFRA cannot handle change sets bigger than a certain size:
https://the-asf.slack.com/archives/CBX4TSBQ8/p1709724983391709
- # This file will be used to push a small commit to help the INFRA to
recover.
- #
- # Random values to cause a change:
- #
- # - Seed: $RANDOM
- # - Commit ID: $SOURCE_COMMIT_ID
- # - Timestamp: $(date --utc '+%Y-%m-%dT%H:%M:%SZ')
- EOF
- git add .asf.yaml
- git commit -S .asf.yaml -m "Add \`.asf.yaml\` along with an INFRA
fix for the website content generated from \`$SOURCE_COMMIT_ID\`"
-
- # Push changes *separately*!
- # A separate small commit push necessary due to the INFRA issue
explained above.
- git push -f origin
-
- fi
diff --git a/.github/workflows/deploy-site.yaml
b/.github/workflows/deploy-site.yaml
index c7addf4..3fac9d8 100644
--- a/.github/workflows/deploy-site.yaml
+++ b/.github/workflows/deploy-site.yaml
@@ -35,7 +35,7 @@ jobs:
deploy-site-stg:
if: github.repository == 'apache/logging-parent' && github.ref_name ==
'main'
- uses: ./.github/workflows/deploy-site-reusable.yaml
+ uses:
apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@gha/v0
# Secrets for committing the generated site
secrets:
GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
@@ -52,7 +52,7 @@ jobs:
deploy-site-pro:
if: github.repository == 'apache/logging-parent' && github.ref_name ==
'main-site-pro'
- uses: ./.github/workflows/deploy-site-reusable.yaml
+ uses:
apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@gha/v0
# Secrets for committing the generated site
secrets:
GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
@@ -82,7 +82,7 @@ jobs:
deploy-site-rel:
needs: export-version
- uses: ./.github/workflows/deploy-site-reusable.yaml
+ uses:
apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@gha/v0
# Secrets for committing the generated site
secrets:
GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
diff --git a/.github/workflows/deploy-snapshot-reusable.yaml
b/.github/workflows/deploy-snapshot-reusable.yaml
deleted file mode 100644
index b868a5d..0000000
--- a/.github/workflows/deploy-snapshot-reusable.yaml
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-name: deploy-snapshot-reusable
-
-on:
- workflow_call:
- inputs:
- java-version:
- description: The Java compiler version
- default: 17
- type: string
- outputs:
- project-version:
- description: The version of the project
- value: ${{ jobs.deploy.outputs.project-version }}
- secrets:
- NEXUS_USERNAME:
- description: Nexus snapshot repository username for deploying artifacts
- required: true
- NEXUS_PASSWORD:
- description: Nexus snapshot repository password for deploying artifacts
- required: true
-
-# Explicitly drop all permissions inherited from the caller for security.
-# Reference:
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
-permissions: { }
-
-jobs:
- deploy:
- runs-on: ubuntu-latest
- outputs:
- project-version: ${{ steps.version.outputs.project-version }}
- steps:
-
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #
4.2.2
-
- - name: Set up Java
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #
3.7.0
- with:
- distribution: zulu
- java-version: ${{ inputs.java-version }}
- cache: maven
- server-id: apache.snapshots.https
- server-username: NEXUS_USERNAME
- server-password: NEXUS_PASSWORD
-
- - name: Export version
- id: version
- shell: bash
- run: |
- export PROJECT_VERSION=$(./mvnw \
- --quiet --batch-mode -DforceStdout=true \
- -Dexpression=project.version \
- help:evaluate \
- | tail -n 1)
- echo "PROJECT_VERSION=$PROJECT_VERSION" >> $GITHUB_ENV
- # Export version to calling workflow
- echo "project-version=$PROJECT_VERSION" >> $GITHUB_OUTPUT
-
- - name: Upload to Nexus
- shell: bash
- env:
- # `NEXUS_USERNAME` and `NEXUS_PASSWORD` are used in
`~/.m2/settings.xml` created by `setup-java` action
- NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
- NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
- run: |
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- -P deploy
diff --git a/.github/workflows/merge-dependabot-reusable.yaml
b/.github/workflows/merge-dependabot-reusable.yaml
deleted file mode 100644
index adaf403..0000000
--- a/.github/workflows/merge-dependabot-reusable.yaml
+++ /dev/null
@@ -1,135 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-name: merge-dependabot-reusable
-
-on:
- workflow_call:
- inputs:
- java-version:
- description: The Java compiler version
- default: 17
- type: string
- maven-args:
- description: Additional Maven arguments
- type: string
- secrets:
- GPG_SECRET_KEY:
- description: GPG secret key for signing commits
- required: true
-
-env:
- MAVEN_ARGS: ${{ inputs.maven-args }}
-
-jobs:
-
- merge-dependabot:
-
- runs-on: ubuntu-latest
-
- steps:
-
- - name: Fetch metadata
- id: dependabot-metadata
- uses:
dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # 2.4.0
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Find dependency attributes
- shell: bash
- env:
- DEPENDENCY_NAMES: ${{
steps.dependabot-metadata.outputs.dependency-names }}
- DEPENDENCY_VERSION: ${{
steps.dependabot-metadata.outputs.new-version }}
- run: |
- DEPENDENCY_NAME=$(echo "$DEPENDENCY_NAMES" | tr "," '\n' | head -n 1)
- cat >> $GITHUB_ENV << EOF
- DEPENDENCY_NAME=$DEPENDENCY_NAME
- DEPENDENCY_VERSION=$DEPENDENCY_VERSION
- EOF
-
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #
4.2.2
- with:
- ref: ${{ steps.dependabot-metadata.outputs.target-branch }}
-
- - name: Download and apply patch
- shell: bash
- env:
- PATCH_URL: ${{ github.event.pull_request.patch_url }}
- run: |
- wget -O- "$PATCH_URL" | git apply
-
- - name: Set up Java & GPG
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #
5.0.0
- with:
- distribution: zulu
- java-version: ${{ inputs.java-version }}
- cache: maven
- server-id: apache.releases.https
- server-username: NEXUS_USERNAME
- server-password: NEXUS_PASSWORD
- gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
-
- - name: Find the release version major
- shell: bash
- run: |
- RELEASE_VERSION_MAJOR=$(./mvnw \
- --non-recursive --quiet --batch-mode \
- -DforceStdout=true \
- -Dexpression=parsedVersion.majorVersion \
- build-helper:parse-version help:evaluate \
- | tail -n 1)
- echo "RELEASE_VERSION_MAJOR=$RELEASE_VERSION_MAJOR" >> $GITHUB_ENV
-
- - name: Create changelog entry
- shell: bash
- env:
- PR_URL: ${{ github.event.pull_request.html_url }}
- PR_ID: ${{ github.event.pull_request.number }}
- run: |
- if [ -d "src/changelog" ]; then
-
RELEASE_CHANGELOG_FILEPATH="src/changelog/.${RELEASE_VERSION_MAJOR}.x.x"
- SAFE_DEPENDENCY_NAME=$(echo "$DEPENDENCY_NAME" | tr "[:upper:]"
"[:lower:]" | sed -r 's/[^a-z0-9]/_/g' | sed -r 's/_+/_/g')
-
CHANGELOG_ENTRY_FILEPATH="$RELEASE_CHANGELOG_FILEPATH/update_${SAFE_DEPENDENCY_NAME}.xml"
- mkdir -p $(dirname "$CHANGELOG_ENTRY_FILEPATH")
- cat > "$CHANGELOG_ENTRY_FILEPATH" << EOF
- <?xml version="1.0" encoding="UTF-8"?>
- <entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
- xmlns="https://logging.apache.org/xml/ns";
- xsi:schemaLocation="https://logging.apache.org/xml/ns
https://logging.apache.org/xml/ns/log4j-changelog-0.xsd";
- type="updated">
- <issue id="$PR_ID" link="$PR_URL"/>
- <description format="asciidoc">Update \`$DEPENDENCY_NAME\` to
version \`$DEPENDENCY_VERSION\`</description>
- </entry>
- EOF
- fi
-
- - name: Add & commit changes
- shell: bash
- env:
- PR_ID: ${{ github.event.pull_request.number }}
- PR_BRANCH: ${{ github.head_ref }}
- run: |
- git add .
- git config user.name "ASF Logging Services RM"
- git config user.email [email protected]
- git commit -S -a -m "Update \`$DEPENDENCY_NAME\` to version
\`$DEPENDENCY_VERSION\` (#$PR_ID)"
- # Pushing the same commit to the Dependabot and main branch closes
the PR
- git push -f origin "HEAD:$PR_BRANCH"
- # Allow for GitHub to realize that the PR branch changed
- sleep 5
- git push origin
diff --git a/.github/workflows/merge-dependabot.yaml
b/.github/workflows/merge-dependabot.yaml
deleted file mode 100644
index 2d611cc..0000000
--- a/.github/workflows/merge-dependabot.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-name: merge-dependabot
-
-on:
- pull_request_target:
- paths-ignore:
- - "**.adoc"
- - "**.md"
- - "**.txt"
-
-permissions: read-all
-
-jobs:
-
- build:
- if: github.repository == 'apache/logging-parent' && github.event_name ==
'pull_request_target' && github.actor == 'dependabot[bot]'
- uses: ./.github/workflows/build-reusable.yaml
-
- merge-dependabot:
- needs: build
- uses: ./.github/workflows/merge-dependabot-reusable.yaml
- permissions:
- contents: write # to push
changelog commits
- pull-requests: write # to close
the PR
- secrets:
- GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }} # to sign
commits
diff --git a/.github/workflows/scorecards-analysis-reusable.yaml
b/.github/workflows/scorecards-analysis-reusable.yaml
deleted file mode 100644
index 8094b6c..0000000
--- a/.github/workflows/scorecards-analysis-reusable.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-name: scorecards-analysis
-
-on:
- workflow_call:
-
-# Explicitly drop all permissions inherited from the caller for security.
-# Reference:
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
-permissions: { }
-
-jobs:
-
- analysis:
- name: "Scorecards analysis"
- runs-on: ubuntu-latest
- # Permissions required to publish Security Alerts
- permissions:
- security-events: write
-
- steps:
-
- - name: "Checkout code"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #
4.2.2
- with:
- persist-credentials: false
-
- - name: "Run analysis"
- uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde
# 2.4.2
- with:
- results_file: results.sarif
- results_format: sarif
- # A read-only PAT token, which is sufficient for the action to
function.
- # The relevant discussion:
https://github.com/ossf/scorecard-action/issues/188
- repo_token: ${{ secrets.GITHUB_TOKEN }}
- # Publish the results for public repositories to enable scorecard
badges.
- # For more details:
https://github.com/ossf/scorecard-action#publishing-results
- publish_results: true
-
- - name: "Upload artifact"
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# 4.6.2
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
-
- - name: "Upload to code-scanning"
- uses:
github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 #
3.29.0
- with:
- sarif_file: results.sarif
diff --git a/.github/workflows/verify-reproducibility-reusable.yaml
b/.github/workflows/verify-reproducibility-reusable.yaml
deleted file mode 100644
index a743210..0000000
--- a/.github/workflows/verify-reproducibility-reusable.yaml
+++ /dev/null
@@ -1,115 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-name: verify-reproducibility-reusable
-
-on:
- workflow_call:
- inputs:
- java-version:
- description: The Java compiler version
- default: 17
- type: string
- maven-args:
- description: Additional Maven arguments
- type: string
- nexus-url:
- description: The URL of the reference Nexus repository
- type: string
- runs-on:
- description: The type of runners to use as JSON array
- default: '["ubuntu-latest"]'
- type: string
-
-env:
- MAVEN_ARGS: ${{ inputs.maven-args }}
- NEXUS_URL: ${{ inputs.nexus-url }}
-
-# Explicitly drop all permissions inherited from the caller for security.
-# Reference:
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
-permissions: { }
-
-jobs:
-
- build:
-
- runs-on: ${{ matrix.os }}
-
- strategy:
- matrix:
- os: ${{ fromJSON(inputs.runs-on) }}
-
- steps:
-
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #
4.2.2
- with:
- ref: ${{ github.ref }}
-
- - name: Set up Java
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #
5.0.0
- with:
- distribution: zulu
- java-version: ${{ inputs.java-version }}
-
- #
- # Generates a cache key prefix to enable partial cache hits.
- # If there's no exact match for the full cache key, any cache with this
prefix can be used as a fallback.
- # To avoid unbounded cache growth, the prefix includes the current month,
- # ensuring a new cache is started each month.
- #
- - name: Compute Cache Key Prefix
- shell: bash
- run: |
- date +"CACHE_KEY=verify-reproducibility-%Y-%m" >> $GITHUB_ENV
-
- #
- # Configures caching for the local Maven repository.
- # Uses a custom cache key to isolate artifacts built in this workflow,
- # preventing reproducibility results from being affected by cached
outputs from other workflows.
- #
- - name: Set up Maven Cache
- uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # 4.2.4
- with:
- path: ~/.m2/repository
- key: "${{ env.CACHE_KEY }}-${{ runner.os }}-${{
hashFiles('**/pom.xml') }}"
- restore-keys: |
- ${{ env.CACHE_KEY }}-${{ runner.os }}-
-
- # `clean verify artifact:compare` is required to generate the build
reproducibility report.
- # For details, see:
https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility
- - name: Verify build reproducibility
- shell: bash
- run: |
- ./mvnw \
- --show-version --batch-mode --errors --no-transfer-progress \
- -DskipTests=true \
- -Dreference.repo="${NEXUS_URL}" \
- clean verify artifact:compare
-
- # Upload reproducibility results if the build fails.
- - name: Upload reproducibility results
- if: failure()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
# 4.6.2
- with:
- name:
reproducibility-${{matrix.os}}-${{github.run_number}}-${{github.run_attempt}}
- path: |
- **/target/bom.xml
- **/target/*.buildcompare
- **/target/*.jar
- **/target/*.zip
- **/target/reference/**
diff --git a/pom.xml b/pom.xml
index 4dc0918..8c3dca4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -630,6 +630,8 @@
<!-- License headers in GitHub templates pollute the prompt
displayed to the user: -->
<exclude>.github/ISSUE_TEMPLATE/*.md</exclude>
<exclude>.github/pull_request_template.md</exclude>
+ <!-- `.logging-parent-bom-activator` activates the `bom` Maven
profile: -->
+ <exclude>.logging-parent-bom-activator</exclude>
</excludes>
</configuration>
<executions>
diff --git a/src/changelog/.12.x.x/gha-branch.xml
b/src/changelog/.12.x.x/gha-branch.xml
new file mode 100644
index 0000000..6931328
--- /dev/null
+++ b/src/changelog/.12.x.x/gha-branch.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xmlns="https://logging.apache.org/xml/ns";
+ xsi:schemaLocation="https://logging.apache.org/xml/ns
https://logging.apache.org/xml/ns/log4j-changelog-0.xsd";
+ type="changed">
+ <description format="asciidoc">
+ Move reusable GitHub Actions workflows from `main` to the `gha/v0` branch.
+ </description>
+</entry>
diff --git a/src/site/antora/antora.tmpl.yml b/src/site/antora/antora.tmpl.yml
index c6e6fba..e92c88c 100644
--- a/src/site/antora/antora.tmpl.yml
+++ b/src/site/antora/antora.tmpl.yml
@@ -38,6 +38,7 @@ version: ~
start_page: index.adoc
asciidoc:
attributes:
+ project-gha-version: "gha/v0"
project-github-url: "${scm.url}"
project-version: "${site-project.version}"
project-name: Logging Parent
diff --git a/src/site/antora/antora.yml b/src/site/antora/antora.yml
index 63faef9..479dd80 100644
--- a/src/site/antora/antora.yml
+++ b/src/site/antora/antora.yml
@@ -38,6 +38,7 @@ version: ~
start_page: index.adoc
asciidoc:
attributes:
+ project-gha-version: "gha/v0"
project-github-url: "https://github.com/awesome/project";
project-version: "1.2.3"
project-name: Logging Parent
diff --git a/src/site/antora/modules/ROOT/examples/build.yaml
b/src/site/antora/modules/ROOT/examples/build.yaml
index 216b006..30723ed 100644
--- a/src/site/antora/modules/ROOT/examples/build.yaml
+++ b/src/site/antora/modules/ROOT/examples/build.yaml
@@ -32,7 +32,7 @@ jobs:
# tag::build[]
build:
- uses:
apache/logging-parent/.github/workflows/build-reusable.yaml@rel/{project-version}
+ uses:
apache/logging-parent/.github/workflows/build-reusable.yaml@{project-gha-version}
secrets:
DV_ACCESS_TOKEN: ${{ startsWith(github.ref_name, 'release/') && '' ||
secrets.DEVELOCITY_ACCESS_KEY }}
with:
@@ -45,7 +45,7 @@ jobs:
deploy-snapshot:
needs: build
if: github.repository == 'apache/logging-log4j2' && github.ref_name ==
'2.x'
- uses:
apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@rel/{project-version}
+ uses:
apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@{project-gha-version}
# Secrets for deployments
secrets:
NEXUS_USERNAME: ${{ secrets.NEXUS_USER }}
@@ -56,7 +56,7 @@ jobs:
deploy-release:
needs: build
if: github.repository == 'apache/logging-log4j2' &&
startsWith(github.ref_name, 'release/')
- uses:
apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@rel/{project-version}
+ uses:
apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@{project-gha-version}
# Secrets for deployments
secrets:
GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
@@ -75,7 +75,7 @@ jobs:
verify-reproducibility-snapshot:
needs: deploy-snapshot
name: "verify-reproducibility (${{
needs.deploy-snapshot.outputs.project-version }})"
- uses:
apache/logging-parent/.github/workflows/verify-reproducibility-reusable.yaml@rel/{project-version}
+ uses:
apache/logging-parent/.github/workflows/verify-reproducibility-reusable.yaml@{project-gha-version}
with:
# Reference repository
nexus-url: https://repository.apache.org/content/groups/snapshots
@@ -87,7 +87,7 @@ jobs:
verify-reproducibility-release:
needs: deploy-release
name: "verify-reproducibility (${{
needs.deploy-release.outputs.project-version }})"
- uses:
apache/logging-parent/.github/workflows/verify-reproducibility-reusable.yaml@rel/{project-version}
+ uses:
apache/logging-parent/.github/workflows/verify-reproducibility-reusable.yaml@{project-gha-version}
with:
# Reference repository
nexus-url: ${{ needs.deploy-release.outputs.nexus-url }}
diff --git a/src/site/antora/modules/ROOT/examples/deploy-site.yaml
b/src/site/antora/modules/ROOT/examples/deploy-site.yaml
index 42b6b82..f9c0cd0 100644
--- a/src/site/antora/modules/ROOT/examples/deploy-site.yaml
+++ b/src/site/antora/modules/ROOT/examples/deploy-site.yaml
@@ -36,7 +36,7 @@ jobs:
# tag::snapshot[]
deploy-site-stg:
if: github.repository == 'apache/logging-log4j2' && github.ref_name ==
'2.x'
- uses:
apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/{project-version}
+ uses:
apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@{project-gha-version}
# Secrets for committing the generated site
secrets:
GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
@@ -56,7 +56,7 @@ jobs:
# tag::production[]
deploy-site-pro:
if: github.repository == 'apache/logging-log4j2' && github.ref_name ==
'2.x-site-pro'
- uses:
apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/12.1.0
+ uses:
apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@{project-gha-version}
# Secrets for committing the generated site
secrets:
GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
@@ -87,7 +87,7 @@ jobs:
deploy-site-rel:
needs: export-version
- uses:
apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@rel/{project-version}
+ uses:
apache/logging-parent/.github/workflows/deploy-site-reusable.yaml@{project-gha-version}
# Secrets for committing the generated site
secrets:
GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}
diff --git a/src/site/antora/modules/ROOT/nav.adoc
b/src/site/antora/modules/ROOT/nav.adoc
index c6a4cc1..513c689 100644
--- a/src/site/antora/modules/ROOT/nav.adoc
+++ b/src/site/antora/modules/ROOT/nav.adoc
@@ -17,6 +17,7 @@
* xref:features.adoc[]
* xref:usage.adoc[]
+* xref:workflows.adoc[]
* xref:release-notes.adoc[]
.Release support
diff --git a/src/site/antora/modules/ROOT/pages/features.adoc
b/src/site/antora/modules/ROOT/pages/features.adoc
index 024e9d9..7858091 100644
--- a/src/site/antora/modules/ROOT/pages/features.adoc
+++ b/src/site/antora/modules/ROOT/pages/features.adoc
@@ -106,7 +106,7 @@ For example, you can use the snippet below:
[source,yaml,subs="+attributes"]
----
build:
- uses:
apache/logging-parent/.github/workflows/build-reusable.yaml@rel/{project-version}
+ uses:
apache/logging-parent/.github/workflows/build-reusable.yaml@{project-gha-version}
secrets:
DV_ACCESS_TOKEN: ${{ ! startsWith(github.refname, 'release/') &&
secrets.DEVELOCITY_ACCESS_KEY }}
with:
diff --git a/src/site/antora/modules/ROOT/pages/workflows.adoc
b/src/site/antora/modules/ROOT/pages/workflows.adoc
index e9ed9f9..0761bf0 100644
--- a/src/site/antora/modules/ROOT/pages/workflows.adoc
+++ b/src/site/antora/modules/ROOT/pages/workflows.adoc
@@ -26,11 +26,10 @@ The Logging Parent project provides the following reusable
GitHub Actions workfl
* <<deploy-release>>
* <<deploy-site>>
* <<deploy-snapshot>>
-* <<merge-dependabot>>
* <<verify-reproducibility>>
[#build]
-==
{project-github-url}/blob/main/.github/workflows/build-reusable.yaml[`build-reusable.yaml`]
+==
{project-github-url}/blob/{project-gha-version}/.github/workflows/build-reusable.yaml[`build-reusable.yaml`]
This workflow:
@@ -47,7 +46,7 @@ include::example$build.yaml[tag=build,indent=0]
----
[#deploy-snapshot]
-==
{project-github-url}/blob/main/.github/workflows/deploy-snapshot-reusable.yaml[`deploy-snapshot-reusable.yaml`]
+==
{project-github-url}/blob/{project-gha-version}/.github/workflows/deploy-snapshot-reusable.yaml[`deploy-snapshot-reusable.yaml`]
This workflow deploys SNAPSHOT artifacts.
@@ -61,7 +60,7 @@ include::example$build.yaml[tag=deploy-snapshot,indent=0]
----
[#deploy-release]
-==
{project-github-url}/blob/main/.github/workflows/deploy-release-reusable.yaml[`deploy-release-reusable.yaml`]
+==
{project-github-url}/blob/{project-gha-version}/.github/workflows/deploy-release-reusable.yaml[`deploy-release-reusable.yaml`]
This workflow:
@@ -81,7 +80,7 @@ include::example$build.yaml[tag=deploy-release,indent=0]
----
[#verify-reproducibility]
-==
{project-github-url}/blob/main/.github/workflows/merge-dependabot-reusable.yaml[`verify-reproducibility-reusable.yaml`]
+==
{project-github-url}/blob/{project-gha-version}/.github/workflows/verify-reproducibility-reusable.yaml[`verify-reproducibility-reusable.yaml`]
This workflow verifies the reproducibility of a previous <<deploy-snapshot>>
or <<deploy-release>> workflow.
@@ -104,13 +103,8 @@ To verify the reproducibility of a release, you can use:
include::example$build.yaml[tag=verify-reproducibility-release,indent=0]
----
-[#merge-dependabot]
-==
{project-github-url}/blob/main/.github/workflows/merge-dependabot-reusable.yaml[`merge-dependabot-reusable.yaml`]
-
-Merges Dependabot PRs along with changelog entries.
-
[#deploy-site]
-==
{project-github-url}/blob/main/.github/workflows/deploy-site-reusable.yaml[`deploy-site-reusable.yaml`]
+==
{project-github-url}/blob/{project-gha-version}/.github/workflows/deploy-site-reusable.yaml[`deploy-site-reusable.yaml`]
This workflow builds and deploys the website.
