optimization/.github/workflows/publish-android.yaml at main · contentful/optimization · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
name: Publish Android Library

permissions:
  contents: read

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag:
        description: 'Existing release tag (e.g. v1.2.3)'
        required: true
      publish:
        description: 'Actually publish'
        type: boolean
        default: false

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Derive release version
        run: |
          if [ "${{ github.event_name }}" = "release" ]; then
            TAG='${{ github.event.release.tag_name }}'
          else
            TAG='${{ inputs.tag }}'
          fi
          echo "RELEASE_TAG=$TAG"         >> "$GITHUB_ENV"
          echo "RELEASE_VERSION=${TAG#v}" >> "$GITHUB_ENV"

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event_name == 'release' && github.event.release.tag_name || inputs.tag }}

      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version-file: '.nvmrc'
          package-manager-cache: false

      - uses: pnpm/action-setup@903f9c1a6ebcba6cf41d87230be49611ac97822e # v6.0.3

      - run: pnpm install --prefer-offline --frozen-lockfile

      - name: Build the JS bridge (stamps the version into the UMD)
        run: pnpm --filter @contentful/optimization-js-bridge build
        env:
          RELEASE_VERSION: ${{ env.RELEASE_VERSION }}

      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'temurin'
          java-version: '17'

      - uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1

      - name: Generate Android third-party notices
        run: pnpm notices:generate:android

      - name: Verify Maven Central credentials
        env:
          MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
          MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
        run: |
          set -euo pipefail

          if [ -z "$MAVEN_CENTRAL_USERNAME" ] || [ -z "$MAVEN_CENTRAL_PASSWORD" ]; then
            echo "MAVEN_CENTRAL_USERNAME and MAVEN_CENTRAL_PASSWORD secrets must be set."
            exit 1
          fi

          TOKEN="$(printf '%s:%s' "$MAVEN_CENTRAL_USERNAME" "$MAVEN_CENTRAL_PASSWORD" | base64 | tr -d '\n')"
          CODE="$(curl -sS -o /dev/null -w '%{http_code}' \
            -H "Authorization: Bearer $TOKEN" \
            "https://central.sonatype.com/api/v1/publisher/published?namespace=com.contentful.java&name=optimization-android&version=0.0.0-probe" || printf '000')"

          case "$CODE" in
            2*|404)
              ;;
            401|403)
              echo "Central Portal rejected the Maven Central token for namespace com.contentful.java (HTTP $CODE)."
              echo "Regenerate a Central Portal user token from an account with publisher access to com.contentful.java and update the GitHub Actions secrets."
              exit 1
              ;;
            000)
              echo "Could not reach the Central Portal API."
              exit 1
              ;;
            *)
              echo "Central Portal credential preflight returned HTTP $CODE; continuing because the token was not explicitly rejected."
              ;;
          esac

      - name: Verify Maven publishing assembles
        if: github.event_name == 'workflow_dispatch' && !inputs.publish
        working-directory: packages/android/ContentfulOptimization
        env:
          RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
        run: |
          ./gradlew publishToMavenLocal \
            -Pcontentful.optimization.version="$RELEASE_VERSION" \
            --no-configuration-cache --no-daemon --console=plain

      # Build the signed AAR (+ sources/javadoc/POM) and publish+release it to Maven Central via the
      # Sonatype Central Portal. vanniktech reads credentials and the in-memory GPG key from the
      # ORG_GRADLE_PROJECT_* env vars below, populated from the Actions secrets that
      # scripts/setup-maven-central-credential.sh provisions.
      - name: Publish to Maven Central
        if: github.event_name == 'release' || inputs.publish
        working-directory: packages/android/ContentfulOptimization
        env:
          ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
          ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
          ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.MAVEN_SIGNING_KEY }}
          ORG_GRADLE_PROJECT_signingInMemoryKeyId: ${{ secrets.MAVEN_SIGNING_KEY_ID }}
          ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.MAVEN_SIGNING_PASSWORD }}
          RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
        run: |
          ./gradlew publishAndReleaseToMavenCentral \
            -Pcontentful.optimization.version="$RELEASE_VERSION" \
            --no-configuration-cache --no-daemon --stacktrace