update publish steps for maven central (#2755)

* update publish steps for maven central
* remove screwdriver references

---------

Signed-off-by: Henry Avetisyan <[email protected]>

Author: havetisyan

.github/workflows/ossrh-publish.yaml

@@ -0,0 +1,87 @@
+name: Publish Athenz packages to Maven Central
+
+on:
+  push:
+    tags:
+      - 'v1.12.*'
+
+env:
+  GOLANG_VERSION: 1.22
+  NODEJS_VERSION: 18
+  JAVA_VERSION_SERVER_BUILD: 17
+  JAVA_VERSION_CLIENT_BUILD: 11
+  JAVA_DISTRO: temurin
+  JAVA_ARCH: x64
+
+jobs:
+  server-publish:
+    runs-on: ubuntu-latest-4-cores
+    steps:
+      - name: Checkout repository
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Golang
+        id: setup-go
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+
+      - name: Setup Node
+        id: setup-node
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ env.NODEJS_VERSION }}
+
+      - name: Setup Java
+        id: setup-java
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ env.JAVA_VERSION_SERVER_BUILD }}
+          distribution: ${{ env.JAVA_DISTRO }}
+          architecture: ${{ env.JAVA_ARCH }}
+          server-id: ossrh
+          server-username: OSSRH_USERNAME
+          server-password: OSSRH_TOKEN
+          gpg-private-key: ${{ secrets.MAVEN_GPG_SIGNING_KEY }}
+          gpg-passphrase: MAVEN_GPG_PASSPHRASE
+
+      - name: Build and Publish Server Modules
+        run: actions/scripts/publish.sh server
+        env:
+          MAVEN_USERNAME: ${{ secrets.CENTRAL_TOKEN_USERNAME }}
+          MAVEN_PASSWORD: ${{ secrets.CENTRAL_TOKEN_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSWORD }}
+
+  client-publish:
+    runs-on: ubuntu-latest-4-cores
+    steps:
+      - name: Checkout repository
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Golang
+        id: setup-go
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+
+      - name: Setup Java
+        id: setup-java
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ env.JAVA_VERSION_CLIENT_BUILD }}
+          distribution: ${{ env.JAVA_DISTRO }}
+          architecture: ${{ env.JAVA_ARCH }}
+          server-id: ossrh
+          server-username: OSSRH_USERNAME
+          server-password: OSSRH_TOKEN
+          gpg-private-key: ${{ secrets.MAVEN_GPG_SIGNING_KEY }}
+          gpg-passphrase: MAVEN_GPG_PASSPHRASE
+
+      - name: Build and Publish Client Modules
+        run: actions/scripts/publish.sh client
+        env:
+          MAVEN_USERNAME: ${{ secrets.CENTRAL_TOKEN_USERNAME }}
+          MAVEN_PASSWORD: ${{ secrets.CENTRAL_TOKEN_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSWORD }}

.github/workflows/pull-request.yaml

@@ -3,7 +3,7 @@ name: Pull Requests
 on:
   pull_request:
     branches:
-      - '1.12.x-jetty12'
+      - 'master'
 
 env:
   GOLANG_VERSION: 1.22
@@ -69,4 +69,4 @@ jobs:
           architecture: ${{ env.JAVA_ARCH }}
 
       - name: Build Athenz Clients
-        run: mvn -B -pl rdl/rdl-gen-athenz-java-model,rdl/rdl-gen-athenz-java-client,core/zms,core/zts,core/msd,libs/java/auth_core,libs/java/client_common,libs/java/cert_refresher,clients/java/zms,clients/java/zts,clients/java/zpe,clients/java/msd,libs/java/gcp_zts_creds install 
+        run: mvn -B -pl core/zms,core/zts,core/msd,libs/java/auth_core,libs/java/client_common,libs/java/cert_refresher,clients/java/zms,clients/java/zts,clients/java/zpe,clients/java/msd,libs/java/gcp_zts_creds install

README.md

@@ -2,17 +2,10 @@
 
 # Athenz
 
-[![Pipeline Status][status-image]][status-url]
-[![Publish Status][publish-status-image]][status-url]
 [![SourceSpy Dashboard](https://sourcespy.com/shield.svg)](https://sourcespy.com/github/athenzathenz/)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4681/badge)](https://bestpractices.coreinfrastructure.org/projects/4681)
 [![Licenses](https://app.fossa.io/api/projects/git%2Bhttps%3A%2F%2Fgithub.com%2FAthenZ%2Fathenz.svg?type=shield)](https://app.fossa.io/projects/git%2Bhttps%3A%2F%2Fgithub.com%2FAthenZ%2Fathenz?ref=badge_shield)
 
-[status-image]: https://cd.screwdriver.cd/pipelines/6606/badge
-[publish-status-image]: https://cd.screwdriver.cd/pipelines/6606/publish/badge
-[status-url]: https://cd.screwdriver.cd/pipelines/6606
-
-
 > Athenz is an open source platform for X.509 certificate based service authentication and fine-grained
 > access control in dynamic infrastructures. It supports provisioning and configuration (centralized
 > authorization) use cases as well as serving/runtime (decentralized authorization) use cases. Athenz
@@ -35,7 +28,7 @@ support for the following three major functional areas.
 
 ### Service Authentication
 
-Athenz provides secure identity in the form of short lived X.509 certificate
+Athenz provides secure identity in the form of short-lived X.509 certificate
 for every workload or service deployed in private (e.g. Openstack, K8S, Screwdriver)
 or public cloud (e.g. AWS EC2, ECS, Fargate, Lambda). Using these X.509 certificates
 clients and services establish secure connections and through mutual TLS authentication verify

actions/scripts/publish.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+MODULE_TYPE=$1
+
+function deployProject ()
+{
+    max_retry=3
+    counter=0
+    echo "Publishing package $1..."
+
+    # before publishing we need to make sure that the package
+    # is not being asked to be skipped since it was already
+    # published in a previous build
+
+    if [[ $PUBLISH_SKIP_PACKAGES == *"$1"* ]]
+    then
+      echo "Package $1 already published. Skipping..."
+    else
+      until mvn -B deploy -P ossrh -Dmaven.test.skip=true --projects $1
+      do
+        [[ counter -eq $max_retry ]] && echo "Failed to deploy package $1" && exit 1
+        counter=$(( $counter + 1 ))
+        sleep 30
+        echo "Re-trying to publish package (attempt #$counter)"
+      done
+    fi
+}
+
+if [[ "$MODULE_TYPE" = "client" ]];
+then
+  deployProject "com.yahoo.athenz:athenz"
+  deployProject "com.yahoo.athenz:athenz-zms-core"
+  deployProject "com.yahoo.athenz:athenz-zts-core"
+  deployProject "com.yahoo.athenz:athenz-msd-core"
+  deployProject "com.yahoo.athenz:athenz-auth-core"
+  deployProject "com.yahoo.athenz:athenz-client-common"
+  deployProject "com.yahoo.athenz:athenz-cert-refresher"
+  deployProject "com.yahoo.athenz:athenz-zms-java-client"
+  deployProject "com.yahoo.athenz:athenz-zts-java-client"
+  deployProject "com.yahoo.athenz:athenz-zpe-java-client"
+  deployProject "com.yahoo.athenz:athenz-msd-java-client"
+  deployProject "com.yahoo.athenz:athenz-gcp-zts-creds"
+else
+  mvn -B --projects core/zms -Dmaven.test.skip=true install
+  mvn -B --projects core/zts -Dmaven.test.skip=true install
+  mvn -B --projects libs/java/auth_core -Dmaven.test.skip=true install
+  mvn -B --projects libs/java/client_common -Dmaven.test.skip=true install
+  mvn -B --projects libs/java/cert_refresher -Dmaven.test.skip=true install
+  mvn -B --projects clients/java/zms -Dmaven.test.skip=true install
+  mvn -B --projects clients/java/zts -Dmaven.test.skip=true install
+  deployProject "com.yahoo.athenz:athenz-server-common"
+  deployProject "com.yahoo.athenz:athenz-server-k8s-common"
+  deployProject "com.yahoo.athenz:athenz-server-aws-common"
+  deployProject "com.yahoo.athenz:athenz-instance-provider"
+  deployProject "com.yahoo.athenz:athenz-syncer-common"
+fi

clients/go/msd/Makefile

@@ -16,7 +16,7 @@ export GOPATH ?= /tmp/go
 # we're not going to generate our code during our automated builds since
 # builds must be done based on files already checked-in into git
 
-CICD := $(or ${SCREWDRIVER},${TRAVIS_PULL_REQUEST},${TRAVIS_TAG})
+CICD := $(or ${GITHUB_ACTIONS},${SCREWDRIVER},${TRAVIS_PULL_REQUEST},${TRAVIS_TAG})
 
 ifdef CICD
 

clients/go/zms/Makefile

@@ -16,7 +16,7 @@ export GOPATH ?= /tmp/go
 # we're not going to generate our code during our automated builds since
 # builds must be done based on files already checked-in into git
 
-CICD := $(or ${SCREWDRIVER},${TRAVIS_PULL_REQUEST},${TRAVIS_TAG})
+CICD := $(or ${GITHUB_ACTIONS},${SCREWDRIVER},${TRAVIS_PULL_REQUEST},${TRAVIS_TAG})
 
 ifdef CICD
 

clients/go/zts/Makefile

@@ -16,7 +16,7 @@ export GOPATH ?= /tmp/go
 # we're not going to generate our code during our automated builds since
 # builds must be done based on files already checked-in into git
 
-CICD := $(or ${SCREWDRIVER},${TRAVIS_PULL_REQUEST},${TRAVIS_TAG})
+CICD := $(or ${GITHUB_ACTIONS},${SCREWDRIVER},${TRAVIS_PULL_REQUEST},${TRAVIS_TAG})
 
 ifdef CICD
 

clients/java/msd/scripts/make_stubs.sh

@@ -8,7 +8,7 @@
 # however, we're not going to run this utility during our automated builds since
 # builds must be done based on files already checked-in into git
 
-if [ ! -z "${SCREWDRIVER}" ]; then
+if [ ! -z "${GITHUB_ACTIONS}" ]; then
     echo >&2 "------------------------------------------------------------------------";
     echo >&2 "SOURCE NOTICE";
     echo >&2 "------------------------------------------------------------------------";

clients/java/zms/scripts/make_stubs.sh

@@ -5,7 +5,7 @@
 # however, we're not going to run this utility during our automated builds since
 # builds must be done based on files already checked-in into git
 
-if [ ! -z "${SCREWDRIVER}" ] || [ ! -z "${TRAVIS_PULL_REQUEST}" ] || [ ! -z "${TRAVIS_TAG}" ]; then
+if [ ! -z "${GITHUB_ACTIONS}" ]; then
     echo >&2 "------------------------------------------------------------------------";
     echo >&2 "SOURCE NOTICE";
     echo >&2 "------------------------------------------------------------------------";

clients/java/zts/scripts/make_stubs.sh

@@ -5,7 +5,7 @@
 # however, we're not going to run this utility during our automated builds since
 # builds must be done based on files already checked-in into git
 
-if [ ! -z "${SCREWDRIVER}" ] || [ ! -z "${TRAVIS_PULL_REQUEST}" ] || [ ! -z "${TRAVIS_TAG}" ]; then
+if [ ! -z "${GITHUB_ACTIONS}" ]; then
     echo >&2 "------------------------------------------------------------------------";
     echo >&2 "SOURCE NOTICE";
     echo >&2 "------------------------------------------------------------------------";

core/msd/scripts/make_stubs.sh

@@ -7,7 +7,7 @@
 # however, we're not going to run this utility during our automated builds since
 # builds must be done based on files already checked-in into git
 
-if [ ! -z "${SCREWDRIVER}" ]; then
+if [ ! -z "${GITHUB_ACTIONS}" ]; then
     echo >&2 "------------------------------------------------------------------------";
     echo >&2 "SOURCE NOTICE";
     echo >&2 "------------------------------------------------------------------------";

core/zms/scripts/make_stubs.sh

@@ -5,7 +5,7 @@
 # however, we're not going to run this utility during our automated builds since
 # builds must be done based on files already checked-in into git
 
-if [ ! -z "${SCREWDRIVER}" ] || [ ! -z "${TRAVIS_PULL_REQUEST}" ] || [ ! -z "${TRAVIS_TAG}" ]; then
+if [ ! -z "${GITHUB_ACTIONS}" ]; then
     echo >&2 "------------------------------------------------------------------------";
     echo >&2 "SOURCE NOTICE";
     echo >&2 "------------------------------------------------------------------------";

core/zts/scripts/make_stubs.sh

@@ -5,7 +5,7 @@
 # however, we're not going to run this utility during our automated builds since
 # builds must be done based on files already checked-in into git
 
-if [ ! -z "${SCREWDRIVER}" ] || [ ! -z "${TRAVIS_PULL_REQUEST}" ] || [ ! -z "${TRAVIS_TAG}" ]; then
+if [ ! -z "${GITHUB_ACTIONS}" ]; then
     echo >&2 "------------------------------------------------------------------------";
     echo >&2 "SOURCE NOTICE";
     echo >&2 "------------------------------------------------------------------------";

docker/util/Dockerfile

@@ -5,6 +5,7 @@ ARG BUILD_DATE
 ARG VCS_REF
 
 ENV SCREWDRIVER true
+ENV GITHUB_ACTIONS true
 
 LABEL org.label-schema.schema-version="1.0"
 LABEL org.label-schema.build-date=$BUILD_DATE

docker/util/athenz-builder/Dockerfile

@@ -5,6 +5,7 @@ ARG BUILD_DATE
 ARG VCS_REF 
 
 ENV SCREWDRIVER true
+ENV GITHUB_ACTIONS true
 
 LABEL org.label-schema.schema-version="1.0"
 LABEL org.label-schema.build-date=$BUILD_DATE

pom.xml

@@ -115,11 +115,12 @@
     <maven-checkstyle-plugin.version>3.4.0</maven-checkstyle-plugin.version>
     <maven-dependency-plugin.version>3.7.1</maven-dependency-plugin.version>
     <maven-exec-plugin.version>3.3.0</maven-exec-plugin.version>
-    <maven-gpg-plugin.version>3.2.4</maven-gpg-plugin.version>
+    <maven-gpg-plugin.version>3.2.7</maven-gpg-plugin.version>
     <maven-install-plugin.version>3.1.2</maven-install-plugin.version>
     <maven-jacoco-plugin.version>0.8.12</maven-jacoco-plugin.version>
     <maven-jar-plugin.version>3.4.2</maven-jar-plugin.version>
     <maven-javadoc-plugin.version>3.7.0</maven-javadoc-plugin.version>
+    <maven-nexus-plugin.version>1.7.0</maven-nexus-plugin.version>
     <maven-release-plugin.version>3.1.1</maven-release-plugin.version>
     <maven-shade-plugin.version>3.6.0</maven-shade-plugin.version>
     <maven-source-plugin.version>3.3.1</maven-source-plugin.version>
@@ -437,18 +438,6 @@
   <profiles>
     <profile>
       <id>ossrh</id>
-      <properties>
-        <gpg.executable>gpg</gpg.executable>
-        <!--suppress UnresolvedMavenProperty -->
-        <gpg.keyname>${env.GPG_KEYNAME}</gpg.keyname>
-        <!--suppress UnresolvedMavenProperty -->
-        <gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
-        <gpg.defaultKeyring>false</gpg.defaultKeyring>
-        <!--suppress UnresolvedMavenProperty -->
-        <gpg.homedir>${env.SD_SOURCE_DIR}/screwdriver/deploy</gpg.homedir>
-        <gpg.publickeyring>pubring.gpg</gpg.publickeyring>
-        <gpg.secretkeyring>secring.gpg</gpg.secretkeyring>
-      </properties>
       <activation>
         <property>
           <name>performRelease</name>
@@ -458,7 +447,6 @@
       <build>
         <plugins>
           <plugin>
-            <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-gpg-plugin</artifactId>
             <version>${maven-gpg-plugin.version}</version>
             <executions>
@@ -469,18 +457,15 @@
                   <goal>sign</goal>
                 </goals>
                 <configuration>
-                  <gpgArguments>
-                    <arg>--pinentry-mode</arg>
-                    <arg>loopback</arg>
-                  </gpgArguments>
+                  <signer>bc</signer>
                 </configuration>
               </execution>
             </executions>
           </plugin>
           <plugin>
             <groupId>org.sonatype.plugins</groupId>
             <artifactId>nexus-staging-maven-plugin</artifactId>
-            <version>1.6.8</version>
+            <version>${maven-nexus-plugin.version}</version>
             <extensions>true</extensions>
             <configuration>
               <stagingProgressTimeoutMinutes>60</stagingProgressTimeoutMinutes>

rdl/rdl-gen-athenz-go-client/make_generator.sh

@@ -6,7 +6,7 @@
 # generated. Otherwise, the client has all the auto-generated code already
 # checked-in into git.
 
-if [ ! -z "${SCREWDRIVER}" ] || [ ! -z "${TRAVIS_PULL_REQUEST}" ] || [ ! -z "${TRAVIS_TAG}" ]; then
+if [ ! -z "${GITHUB_ACTIONS}" ]; then
     echo >&2 "------------------------------------------------------------------------";
     echo >&2 "SOURCE NOTICE";
     echo >&2 "------------------------------------------------------------------------";

rdl/rdl-gen-athenz-go-model/make_generator.sh

@@ -6,7 +6,7 @@
 # generated. Otherwise, the client has all the auto-generated code already
 # checked-in into git.
 
-if [ ! -z "${SCREWDRIVER}" ] || [ ! -z "${TRAVIS_PULL_REQUEST}" ] || [ ! -z "${TRAVIS_TAG}" ]; then
+if [ ! -z "${GITHUB_ACTIONS}" ]; then
     echo >&2 "------------------------------------------------------------------------";
     echo >&2 "SOURCE NOTICE";
     echo >&2 "------------------------------------------------------------------------";

rdl/rdl-gen-athenz-java-client/make_generator.sh

@@ -6,7 +6,7 @@
 # generated. Otherwise, the client has all the auto-generated code already
 # checked-in into git.
 
-if [ ! -z "${SCREWDRIVER}" ] || [ ! -z "${TRAVIS_PULL_REQUEST}" ] || [ ! -z "${TRAVIS_TAG}" ]; then
+if [ ! -z "${GITHUB_ACTIONS}" ]; then
     echo >&2 "------------------------------------------------------------------------";
     echo >&2 "SOURCE NOTICE";
     echo >&2 "------------------------------------------------------------------------";

rdl/rdl-gen-athenz-java-model/make_generator.sh

@@ -6,7 +6,7 @@
 # generated. Otherwise, the client has all the auto-generated code already
 # checked-in into git.
 
-if [ ! -z "${SCREWDRIVER}" ] || [ ! -z "${TRAVIS_PULL_REQUEST}" ] || [ ! -z "${TRAVIS_TAG}" ]; then
+if [ ! -z "${GITHUB_ACTIONS}" ]; then
     echo >&2 "------------------------------------------------------------------------";
     echo >&2 "SOURCE NOTICE";
     echo >&2 "------------------------------------------------------------------------";

rdl/rdl-gen-athenz-server/make_generator.sh

@@ -6,7 +6,7 @@
 # generated. Otherwise, the server has all the auto-generated code already
 # checked-in into git.
 
-if [ ! -z "${SCREWDRIVER}" ] || [ ! -z "${TRAVIS_PULL_REQUEST}" ] || [ ! -z "${TRAVIS_TAG}" ]; then
+if [ ! -z "${GITHUB_ACTIONS}" ]; then
     echo >&2 "------------------------------------------------------------------------";
     echo >&2 "SOURCE NOTICE";
     echo >&2 "------------------------------------------------------------------------";