release.yml

name: Provenance Build and Release

on:
  pull_request:
    paths:
      - "**.go"
      - "go.mod"
      - "go.sum"
      - "**.mk"
      - "Makefile"
      - "gon.json"
      - "scripts/**"
      - ".github/workflows/release.yml"
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"     # Push events to matching v*, i.e. v1.0, v20.15.10
      - "v[0-9]+.[0-9]+.[0-9]+-rc*" # Push events to matching v*, i.e. v1.0-rc1, v20.15.10-rc5

# Set concurrency for this workflow to cancel in-progress jobs if retriggered.
# The github.ref is only available when triggered by a PR so fall back to github.run_id for other cases.
# The github.run_id is unique for each run, giving each such invocation it's own unique concurrency group.
# Basically, if you push to a PR branch, jobs that are still running for that PR will be cancelled.
# But jobs started because of a merge to main or a release tag push are not cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true

jobs:
  build_init:
    runs-on: ubuntu-latest
    name: Build Init
    steps:
      - name: Define Variables
        id: vars
        # ${GITHUB_REF##*/} removes everything before the last slash. E.g. 'refs/tags/v1.8.0' becomes 'v1.8.0'
        # ${GITHUB_SHA:0:7} gets the first 7 characters. E.g. `3e9928920f5a64c8fc4884ee085efe1983071c90` becomes `3e99289'
        run: |
          version="${GITHUB_SHA:0:7}"
          is_release='false'
          if [[ "$GITHUB_REF" =~ ^refs/tags/ ]]; then
            version=${GITHUB_REF##*/}
            is_release='true'
          fi
          prerelease=false
          if [[ "$version" =~ -rc ]]; then
            prerelease=true
          fi
          echo "Setting output: version=$version"
          echo "version=$version" >> "$GITHUB_OUTPUT"
          echo "Setting output: is_release=$is_release"
          echo "is_release=$is_release" >> "$GITHUB_OUTPUT"
          echo "Setting output: prerelease=$prerelease"
          echo "prerelease=$prerelease" >> "$GITHUB_OUTPUT"
    outputs:
      version: ${{ steps.vars.outputs.version }}
      is_release: ${{ steps.vars.outputs.is_release }}
      prerelease: ${{ steps.vars.outputs.prerelease }}

  build_osx:
    runs-on: macos-latest
    needs:
      - build_init
    name: Build OSX
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
      - name: Build osx binary
        run: |
          export VERSION=${{ needs.build_init.outputs.version }}
          make build-release-zip
      - name: Provenanced version
        run: build/provenanced version --long
      - uses: actions/upload-artifact@v4
        with:
          name: osx-zip
          path: build/*.zip

  build_linux:
    runs-on: ubuntu-20.04
    needs:
      - build_init
    name: Build Linux
    env:
      LD_LIBRARY_PATH: /usr/local/lib:/usr/local/lib/x86_64-linux-gnu
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
      - name: Install deps
        run: |
          sudo apt-get update
          sudo apt-get install -y libgflags-dev libsnappy-dev zlib1g-dev libbz2-dev liblz4-dev libzstd-dev
      - name: Build linux binary
        run: |
          export VERSION=${{ needs.build_init.outputs.version }}
          make build-release-zip
      - name: Provenanced version
        run: build/provenanced version --long
      - uses: actions/upload-artifact@v4
        with:
          name: linux-zip
          path: build/provenance*.zip

  buf_push:
    needs:
      - build_init
    if: needs.build_init.outputs.is_release == 'true'
    runs-on: ubuntu-latest
    name: Protobuf Push
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Buf setup action
        uses: bufbuild/buf-setup-action@v1.42.0
      - name: Buf push 'proto/'
        uses: bufbuild/buf-push-action@v1
        with:
          input: 'proto'
          buf_token: ${{ secrets.BUF_TOKEN }}

  create_release:
    needs:
      - build_init
      - build_linux
    if: needs.build_init.outputs.is_release == 'true'
    runs-on: ubuntu-latest
    name: Create Release
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Create release ${{ needs.build_init.outputs.version }}
        uses: actions/create-release@v1
        id: create_release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
          release_name: Release ${{ github.ref }}
          draft: false
          prerelease: ${{ needs.build_init.outputs.prerelease }}
          body_path: RELEASE_CHANGELOG.md
    outputs:
      release_url: ${{ steps.create_release.outputs.upload_url }}

  update_release:
    needs:
      - build_init
      - create_release
    if: needs.build_init.outputs.is_release == 'true'
    runs-on: ubuntu-latest
    name: Attach Release Artifacts
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
      - name: Download linux zip artifact
        uses: actions/download-artifact@v4
        with:
          name: linux-zip
          path: build/
      - name: Create release items
        id: create-items
        run: |
          make VERSION=${{ needs.build_init.outputs.version }} build-release-checksum build-release-plan build-release-proto
      - name: Upload linux zip artifact
        if: always() && steps.create-items.outcome == 'success'
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.release_url }}
          asset_path: ./build/provenance-linux-amd64-${{ needs.build_init.outputs.version }}.zip
          asset_name: provenance-linux-amd64-${{ needs.build_init.outputs.version }}.zip
          asset_content_type: application/octet-stream
      - name: Upload release checksum
        if: always() && steps.create-items.outcome == 'success'
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.release_url }}
          asset_path: ./build/sha256sum.txt
          asset_name: sha256sum.txt
          asset_content_type: application/octet-stream
      - name: Upload release plan
        if: always() && steps.create-items.outcome == 'success'
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.release_url }}
          asset_path: ./build/plan-${{ needs.build_init.outputs.version }}.json
          asset_name: plan-${{ needs.build_init.outputs.version }}.json
          asset_content_type: application/octet-stream
      - name: Upload release protos
        if: always() && steps.create-items.outcome == 'success'
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.release_url }}
          asset_path: ./build/protos-${{ needs.build_init.outputs.version }}.zip
          asset_name: protos-${{ needs.build_init.outputs.version }}.zip
          asset_content_type: application/octet-stream

  java_kotlin_release:
    needs:
      - build_init
    if: needs.build_init.outputs.is_release == 'true'
    runs-on: ubuntu-latest
    name: Java/Kotlin Proto Publishing
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Java Setup
        uses: actions/setup-java@v4
        with:
          distribution: 'zulu'
          java-version: 11
          server-id: github

      - name: GPG Setup
        env:
          GPG_KEY: ${{ secrets.OSSRH_GPG_SECRET_KEY }}
        run: |
          export GPG_TTY=$(tty)
          echo -n "$GPG_KEY" | base64 --decode | gpg --batch --import
          gpg --list-secret-keys --keyid-format LONG
          echo -n "$GPG_KEY" | base64 --decode > $GITHUB_WORKSPACE/release.gpg

      - name: Build and Publish
        env:
          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
          GPG_PASSWORD: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
        run: |
          cd protoBindings
          ./gradlew publish closeAndReleaseSonatypeStagingRepository \
            -PartifactVersion=$(echo "${{ needs.build_init.outputs.version }}" | sed -e 's/^v//') \
            -Psigning.keyId=B7D30ABE \
            -Psigning.password="${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}" \
            -Psigning.secretKeyRingFile=$GITHUB_WORKSPACE/release.gpg \
            --info

  npm_release:
    needs:
      - build_init
    if: needs.build_init.outputs.is_release == 'true'
    runs-on: ubuntu-latest
    name: NPM Proto Publishing
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Publish
        uses: provenance-io/npm-publish-action@v1.1
        with:
          api-version: ${{ needs.build_init.outputs.version }}
          npm-token: ${{ secrets.NPM_TOKEN }}
          tag: alpha