From b8bcf099dcd9c5cf9836bd793f241d7cd8ad7754 Mon Sep 17 00:00:00 2001 From: ErikUggeldahl Date: Fri, 22 Nov 2024 23:46:23 +0000 Subject: [PATCH] Fix issues with re-release script - Checkout from the workflow - Without this, composite actions aren't accessible - Add bash shell specifier to runners - Pass secrets as inputs - Composite actions can't access secrets, so we pass them as inputs Diffs= 73977611cb Fix issues with re-release script (#8633) Co-authored-by: Erik --- .github/actions/build/action.yml | 1 + .github/actions/deploy/action.yml | 43 ++++++++++++++++++++----- .github/actions/prepare/action.yml | 30 ++++++++++------- .github/actions/version-bump/action.yml | 14 ++++++-- .github/workflows/re-release.yml | 19 +++++++++++ .rive_head | 2 +- 6 files changed, 86 insertions(+), 23 deletions(-) diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml index 98110525..aa8d6531 100644 --- a/.github/actions/build/action.yml +++ b/.github/actions/build/action.yml @@ -7,6 +7,7 @@ runs: using: "composite" steps: - name: Build Android + shell: bash env: # ANDROID_SDK_ROOT has been in the env by 'setup-android' action in prepare.yml # and is => /usr/local/lib/android/sdk diff --git a/.github/actions/deploy/action.yml b/.github/actions/deploy/action.yml index a72d5783..ba7a3b16 100644 --- a/.github/actions/deploy/action.yml +++ b/.github/actions/deploy/action.yml 
@@ -3,19 +3,46 @@ name: Deploy description: Deploy the Android library artifacts to Maven Central +inputs: + OSSRH-username: + description: "The OSS Repository Hosting username" + required: true + OSSRH-password: + description: "The OSS Repository Hosting password" + required: true + UAT-OSSRH-username: + description: "The UAT OSS Repository Hosting username" + required: true + UAT-OSSRH-password: + description: "The UAT OSS Repository Hosting password" + required: true + signing-key-id: + description: "The signing key ID" + required: true + signing-password: + description: "The signing password" + required: true + signing-secret-key-ring-file: + description: "The path to the secret key ring file" + required: true + Sonatype-staging-profile-id: + description: "The Sonatype staging profile ID" + required: true + runs: using: "composite" steps: - name: Publish to MavenCentral + shell: bash run: ./gradlew publishAllPublicationsToSonatypeRepository --max-workers 1 closeAndReleaseSonatypeStagingRepository env: - UAT_OSSRH_USERNAME: ${{ secrets.UAT_OSSRH_USERNAME }} - UAT_OSSRH_PASSWORD: ${{ secrets.UAT_OSSRH_PASSWORD }} + UAT_OSSRH_USERNAME: ${{ inputs.UAT-OSSRH-username }} + UAT_OSSRH_PASSWORD: ${{ inputs.UAT-OSSRH-password }} # TODO: remove these after UAT is confirmed working - OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} - OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + OSSRH_USERNAME: ${{ inputs.OSSRH-username }} + OSSRH_PASSWORD: ${{ inputs.OSSRH-password }} # ==== - SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} - SIGNING_SECRET_KEY_RING_FILE: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }} - SONATYPE_STAGING_PROFILE_ID: ${{ secrets.SONATYPE_STAGING_PROFILE_ID }} + SIGNING_KEY_ID: ${{ inputs.signing-key-id }} + SIGNING_PASSWORD: ${{ inputs.signing-password }} + SIGNING_SECRET_KEY_RING_FILE: ${{ inputs.signing-secret-key-ring-file }} + SONATYPE_STAGING_PROFILE_ID: ${{ inputs.Sonatype-staging-profile-id }} 
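Review bot: The eight new inputs are declared `required: true`, but the runner does not fail a composite action when a required input is omitted or resolves to an empty string. A secret that is missing or misnamed in the caller would only surface later as a Gradle or Sonatype authentication error. The same applies to the inputs added in `prepare/action.yml` and `version-bump/action.yml`. Consider a first step that checks the values are non-empty without echoing them, e.g. `[ -n "$SIGNING_PASSWORD" ] || { echo "::error::signing-password is empty"; exit 1; }`. The `# TODO: remove these after UAT is confirmed working` marker now also covers `OSSRH-username` and `OSSRH-password`, so repeat it in the `inputs:` block with a comment such as `# TODO: temporary, remove with the OSSRH_* env entries below`.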
diff --git a/.github/actions/prepare/action.yml b/.github/actions/prepare/action.yml index 269efab3..24f44dd7 100644 --- a/.github/actions/prepare/action.yml +++ b/.github/actions/prepare/action.yml @@ -1,6 +1,5 @@ # This is a GitHub Composite Action that prepares the Android environment for the build. # This includes: -# - Checking out the code # - Configuring AWS credentials # - Updating Java # - Setting up the Android SDK @@ -12,22 +11,27 @@ name: Prepare description: Prepare the Android environment for the build +inputs: + actions-role: + description: "The role to assume for AWS actions" + required: true + GPG-key-contents: + description: "The GPG key contents" + required: true + signing-secret-key-ring-file: + description: "The path to the secret key ring file" + required: true + runs: using: "composite" steps: - - name: Check out code - uses: actions/checkout@v4 - with: - submodules: true - token: ${{ secrets.PAT_GITHUB }} - - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2 with: aws-region: us-west-2 - role-to-assume: ${{ secrets.ACTIONS_ROLE }} + role-to-assume: ${{ inputs.actions-role }} - - name: Update Java + - name: Install Java uses: actions/setup-java@v4 with: distribution: "zulu" @@ -37,6 +41,7 @@ runs: uses: android-actions/setup-android@v3 - name: Install NDK & tools + shell: bash # Starts from: pwd => /home/runner/work/rive/rive # ANDROID_HOME => /usr/local/lib/android/sdk run: | @@ -48,12 +53,14 @@ runs: echo "y" | sdkmanager --install 'cmake;3.22.1' --channel=0 --sdk_root=${ANDROID_SDK_ROOT} - name: Configure venv + shell: bash run: | python3 -m venv .venv source .venv/bin/activate echo PATH=$PATH >> $GITHUB_ENV - name: Installing pre-requisites + shell: bash run: | set -x # Install some dependencies & premake5 
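Review bot: In the `@@ -12,22 +11,27 @@` hunk, `role-to-assume` now takes the caller-supplied `actions-role`, and the action consuming it is referenced by the mutable tag `aws-actions/configure-aws-credentials@v2`. `android-actions/setup-android@v3` is tag-pinned in the same way. This job goes on to write the signing key ring, so the integrity of those tags is part of the release's trust base. Pinning third-party actions to a full commit SHA with the version in a trailing comment removes that dependency, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v2`. The `steps:` list continues outside this hunk.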
@@ -64,9 +71,10 @@ runs: # Base64 decodes and pipes the GPG key content into the secret file - name: Prepare environment + shell: bash env: - GPG_KEY_CONTENTS: ${{ secrets.GPG_KEY_CONTENTS }} - SIGNING_SECRET_KEY_RING_FILE: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }} + GPG_KEY_CONTENTS: ${{ inputs.GPG-key-contents }} + SIGNING_SECRET_KEY_RING_FILE: ${{ inputs.signing-secret-key-ring-file }} run: | git fetch --unshallow sudo bash -c "echo '$GPG_KEY_CONTENTS' | base64 -d > '$SIGNING_SECRET_KEY_RING_FILE'" diff --git a/.github/actions/version-bump/action.yml b/.github/actions/version-bump/action.yml index 363e7cd4..c21546b3 100644 --- a/.github/actions/version-bump/action.yml +++ b/.github/actions/version-bump/action.yml 
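Review bot: In the `Prepare environment` step, `sudo bash -c "echo '$GPG_KEY_CONTENTS' | base64 -d > '$SIGNING_SECRET_KEY_RING_FILE'"` expands both values into the command string before the inner shell parses it, and both now arrive as action inputs. The base64 key material therefore sits on the `bash -c` argument list, and a single quote in either value would change the command that runs as root. Piping the variable keeps it out of argv and out of the parsed text: `printf '%s' "$GPG_KEY_CONTENTS" | base64 -d | sudo tee "$SIGNING_SECRET_KEY_RING_FILE" > /dev/null`. The `run:` block may continue past the end of this hunk.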
@@ -17,33 +17,41 @@ inputs: description: "Minor" type: boolean default: false + Rive-repo-PAT: + description: "The GitHub Personal Access Token for the Rive repository" + required: true runs: using: "composite" steps: - name: Install dependencies + shell: bash run: npm ci working-directory: ./.github/scripts/release - name: Git config + shell: bash run: | git config --local user.email 'hello@rive.app' git config --local user.name ${{ github.actor }} - if: ${{ inputs.major == true }} name: Major Release - Bump version number, update changelog, push and tag + shell: bash run: npm run release -- major --ci working-directory: ./.github/scripts/release env: - GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }} + GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }} - if: ${{inputs.major == false && inputs.minor == true}} name: Minor release - Bump version number, update changelog, push and tag + shell: bash run: npm run release -- minor --ci working-directory: ./.github/scripts/release env: - GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }} + GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }} - if: ${{inputs.major == false && inputs.minor == false}} name: Build release - Bump version number, update changelog, push and tag + shell: bash run: npm run release -- --ci working-directory: ./.github/scripts/release env: - GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }} + GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }} diff --git a/.github/workflows/re-release.yml b/.github/workflows/re-release.yml index dab39463..89260234 100644 --- a/.github/workflows/re-release.yml +++ b/.github/workflows/re-release.yml @@ -4,6 +4,7 @@ # Note: We may want to consider GitHub Reusable Workflows instead of Composite Actions in the future. # See https://docs.github.com/en/actions/sharing-automations/avoiding-duplication for the differences. # Notably the logging visibility may improve by switching. +# Reusable workflows can also view secrets rather than requiring them as inputs. name: Re-Release 
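Review bot: In the `Git config` step, `git config --local user.name ${{ github.actor }}` pastes the expression result into the script text unquoted. The value is then subject to word splitting and globbing (for example a `[bot]` suffix) instead of being treated as data. Passing it through the environment avoids that: add `env:` with `ACTOR: ${{ github.actor }}` to the step and run `git config --local user.name "$ACTOR"`. Separately, composite-action inputs are delivered as strings as far as I know, so the `inputs.major == true` and `== false` conditions visible here are worth verifying against a real run.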
@@ -18,9 +19,27 @@ jobs: id-token: write contents: read steps: + - name: Check out code + uses: actions/checkout@v4 + with: + submodules: true + token: ${{ secrets.PAT_GITHUB }} - name: Prepare uses: ./.github/actions/prepare + with: + actions-role: ${{ secrets.ACTIONS_ROLE }} + GPG-key-contents: ${{ secrets.GPG_KEY_CONTENTS }} + signing-secret-key-ring-file: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }} - name: Build uses: ./.github/actions/build - name: Deploy uses: ./.github/actions/deploy + with: + OSSRH-username: ${{ secrets.OSSRH_USERNAME }} + OSSRH-password: ${{ secrets.OSSRH_PASSWORD }} + UAT-OSSRH-username: ${{ secrets.UAT_OSSRH_USERNAME }} + UAT-OSSRH-password: ${{ secrets.UAT_OSSRH_PASSWORD }} + signing-key-id: ${{ secrets.SIGNING_KEY_ID }} + signing-password: ${{ secrets.SIGNING_PASSWORD }} + signing-secret-key-ring-file: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }} + Sonatype-staging-profile-id: ${{ secrets.SONATYPE_STAGING_PROFILE_ID }} diff --git a/.rive_head b/.rive_head index e1d36928..34ccab08 100644 --- a/.rive_head +++ b/.rive_head @@ -1 +1 @@ -28582ea0fda2be47d7a0f00eea28ee318a469111 +73977611cb80960092a765fc3a0ffdbb2c3d50b5
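Review bot: The new `Check out code` step passes `secrets.PAT_GITHUB` as `token`, and `actions/checkout` stores that token in the repository's local git configuration by default. The later prepare, build and deploy steps, including Gradle and any scripts they run, can read it from there. If nothing after checkout needs to push with the PAT, add `persist-credentials: false` under `with:`. The `git fetch --unshallow` in the prepare action could then be replaced by `fetch-depth: 0` on this step. Whether a later step relies on the stored credentials is not visible in this diff, so confirm that before changing it.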