HHH-18912 - ORM release process

https://hibernate.atlassian.net/browse/HHH-18912
2025-02-07 11:48:18 +00:00 · 2024-12-12 12:18:31 -06:00 · 2024-12-12 12:18:31 -06:00 · b4d32260dc
commit b4d32260dc
parent 73e53d72c5
5 changed files with 148 additions and 248 deletions
--- a/build.gradle
+++ b/build.gradle
@ -43,81 +43,30 @@ apply from: file( 'gradle/module.gradle' )
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // Release Task
-task release {
+tasks.register('release') {
 	description = "The task performed when we are performing a release build.  Relies on " +
 			"the fact that subprojects will appropriately define a release task " +
 			"themselves if they have any release-related activities to perform"
 	doFirst {
 		def javaVersionsInUse = jdkVersions.allVersions
-		if ( javaVersionsInUse != [JavaLanguageVersion.of( 11 )].toSet() ) {
+		if (javaVersionsInUse != [JavaLanguageVersion.of(17)].toSet()) {
-			throw new IllegalStateException( "Please use JDK 11 to perform the release. Currently using: ${javaVersionsInUse}" )
+			throw new IllegalStateException("Please use JDK 17 to perform the release. Currently using: ${javaVersionsInUse}")
 		}
 	}
 }
 task publish {
 	description = "The task performed when we want to just publish maven artifacts.  Relies on " +
 			"the fact that subprojects will appropriately define a release task " +
 			"themselves if they have any publish-related activities to perform"
 }
 def ossrhUsername = extractPropertyOrSetting( "OSSRH_USER" )
 def ossrhPassword = extractPropertyOrSetting( "OSSRH_PASSWORD" )
 String extractPropertyOrSetting(String name) {
 	if ( project.hasProperty( name) ) {
 		return project.property( name )
 	}
 	def sysProp = System.getProperty( name )
 	if ( sysProp != null ) {
 		return sysProp
 	}
 	def envProp = System.getenv( name )
 	if ( envProp != null ) {
 		return envProp
 	}
 	return null
 }
 nexusPublishing {
 	repositories {
-		sonatype {
+		sonatype()
 			username = ossrhUsername
 			password = ossrhPassword
 	}
 }
 }
 gradle.taskGraph.addTaskExecutionGraphListener(
 		new TaskExecutionGraphListener() {
 			@Override
 			void graphPopulated(TaskExecutionGraph graph) {
 				for ( final def task in graph.allTasks ) {
 					if ( task instanceof PublishToMavenRepository ) {
 						if ( ossrhUsername == null ) {
 							throw new RuntimeException( "OSSRH username not specified, but publishing was requested" )
 						}
 						if ( ossrhPassword == null ) {
 							throw new RuntimeException( "OSSRH password not specified, but publishing was requested" )
 						}
 						break
 					}
 				}
 			}
 		}
 )
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // CI Build Task
-task ciBuild {
+tasks.register('ciBuild') {
 	description = "The task performed when one of the 'main' jobs are triggered on the " +
 			"CI server.  Just as above, relies on the fact that subprojects will " +
 			"appropriately define a release task themselves if they have any tasks " +
--- a/ci/release/Jenkinsfile
+++ b/ci/release/Jenkinsfile
@ -53,8 +53,6 @@ def checkoutReleaseScripts() {
 	}
 }
 File findReleaseNotes() {
 }
 // --------------------------------------------
 // Pipeline
@ -95,6 +93,10 @@ pipeline {
 		stage('Release check') {
 			steps {
 				script {
 					print "INFO: params.RELEASE_VERSION = ${params.RELEASE_VERSION}"
 					print "INFO: params.DEVELOPMENT_VERSION = ${params.DEVELOPMENT_VERSION}"
 					print "INFO: params.RELEASE_DRY_RUN? = ${params.RELEASE_DRY_RUN}"
 					checkoutReleaseScripts()
 					def currentVersion = Version.parseDevelopmentVersion( sh(
@ -110,7 +112,9 @@ pipeline {
 						echo "Release was requested manually"
 						if ( !params.RELEASE_VERSION ) {
-						        throw new IllegalArgumentException( 'Missing value for parameter RELEASE_VERSION. This parameter must be set explicitly to prevent mistakes.' )
+							throw new IllegalArgumentException(
 									'Missing value for parameter RELEASE_VERSION. This parameter must be set explicitly to prevent mistakes.'
 							)
 						}
 						releaseVersion = Version.parseReleaseVersion( params.RELEASE_VERSION )
@ -168,12 +172,6 @@ pipeline {
 					configFileProvider([
 							configFile(fileId: 'release.config.ssh', targetLocation: "${env.HOME}/.ssh/config"),
 							configFile(fileId: 'release.config.ssh.knownhosts', targetLocation: "${env.HOME}/.ssh/known_hosts")
 					]) {
 						withCredentials([
 							usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'OSSRH_PASSWORD', usernameVariable: 'OSSRH_USER'),
 							usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'PLUGIN_PORTAL_PASSWORD', usernameVariable: 'PLUGIN_PORTAL_USERNAME'),
 							file(credentialsId: 'release.gpg.private-key', variable: 'RELEASE_GPG_PRIVATE_KEY_PATH'),
 							string(credentialsId: 'release.gpg.passphrase', variable: 'RELEASE_GPG_PASSPHRASE')
 					]) {
 						sshagent(['ed25519.Hibernate-CI.github.com', 'hibernate.filemgmt.jboss.org', 'hibernate-ci.frs.sourceforge.net']) {
 							// set release version
@ -193,7 +191,6 @@ pipeline {
 				}
 			}
 		}
 		}
 		stage('Publish release') {
 			steps {
 				script {
@ -204,10 +201,12 @@ pipeline {
 							configFile(fileId: 'release.config.ssh.knownhosts', targetLocation: "${env.HOME}/.ssh/known_hosts")
 					]) {
 						withCredentials([
-							usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'OSSRH_PASSWORD', usernameVariable: 'OSSRH_USER'),
+							// https://github.com/gradle-nexus/publish-plugin#publishing-to-maven-central-via-sonatype-ossrh
-							usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'PLUGIN_PORTAL_PASSWORD', usernameVariable: 'PLUGIN_PORTAL_USERNAME'),
+							usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'ORG_GRADLE_PROJECT_sonatypePassword', usernameVariable: 'ORG_GRADLE_PROJECT_sonatypeUsername'),
-							file(credentialsId: 'release.gpg.private-key', variable: 'RELEASE_GPG_PRIVATE_KEY_PATH'),
+							// https://docs.gradle.org/current/userguide/publishing_gradle_plugins.html#account_setup
-							string(credentialsId: 'release.gpg.passphrase', variable: 'RELEASE_GPG_PASSPHRASE'),
+							usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'GRADLE_PUBLISH_SECRET', usernameVariable: 'GRADLE_PUBLISH_KEY'),
 							file(credentialsId: 'release.gpg.private-key', variable: 'SIGNING_GPG_PRIVATE_KEY_PATH'),
 							string(credentialsId: 'release.gpg.passphrase', variable: 'SIGNING_GPG_PASSPHRASE')
 							gitUsernamePassword(credentialsId: 'username-and-token.Hibernate-CI.github.com', gitToolName: 'Default')
 						]) {
 							sshagent(['ed25519.Hibernate-CI.github.com', 'hibernate.filemgmt.jboss.org', 'hibernate-ci.frs.sourceforge.net']) {
@ -216,7 +215,7 @@ pipeline {
 								withEnv([
 										"DISABLE_REMOTE_GRADLE_CACHE=true"
 								]) {
-									sh ".release/scripts/publish.sh ${env.PROJECT} ${env.RELEASE_VERSION} ${env.DEVELOPMENT_VERSION} ${env.GIT_BRANCH} ${env.SCRIPT_OPTIONS}"
+									sh ".release/scripts/publish.sh ${env.SCRIPT_OPTIONS} ${env.PROJECT} ${env.RELEASE_VERSION} ${env.DEVELOPMENT_VERSION} ${env.GIT_BRANCH}"
 								}
 							}
 						}
@ -243,7 +242,7 @@ pipeline {
 											extensions: [],
 											userRemoteConfigs: [[credentialsId: 'ed25519.Hibernate-CI.github.com', url: 'https://github.com/hibernate/hibernate.org.git']]
 									)
-									sh "../scripts/website-release.sh ${env.PROJECT} ${env.RELEASE_VERSION} ${env.SCRIPT_OPTIONS} "
+									sh "../scripts/website-release.sh ${env.SCRIPT_OPTIONS} ${env.PROJECT} ${env.RELEASE_VERSION}"
 								}
 							}
 						}
--- a/ci/snapshot-publish.Jenkinsfile
+++ b/ci/snapshot-publish.Jenkinsfile
@ -31,23 +31,18 @@ pipeline {
 		stage('Publish') {
 			steps {
                withCredentials([
 					usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'OSSRH_PASSWORD', usernameVariable: 'OSSRH_USER'),
 					usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'PLUGIN_PORTAL_PASSWORD', usernameVariable: 'PLUGIN_PORTAL_USERNAME'),
 					file(credentialsId: 'release.gpg.private-key', variable: 'RELEASE_GPG_PRIVATE_KEY_PATH'),
 					string(credentialsId: 'release.gpg.passphrase', variable: 'RELEASE_GPG_PASSPHRASE'),
                    // https://github.com/gradle-nexus/publish-plugin#publishing-to-maven-central-via-sonatype-ossrh
                    usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'ORG_GRADLE_PROJECT_sonatypePassword', usernameVariable: 'ORG_GRADLE_PROJECT_sonatypeUsername'),
                    // https://docs.gradle.org/current/userguide/publishing_gradle_plugins.html#account_setup
                    usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'GRADLE_PUBLISH_SECRET', usernameVariable: 'GRADLE_PUBLISH_KEY'),
                    file(credentialsId: 'release.gpg.private-key', variable: 'SIGNING_GPG_PRIVATE_KEY_PATH'),
                    string(credentialsId: 'release.gpg.passphrase', variable: 'SIGNING_GPG_PASSPHRASE')
                    gitUsernamePassword(credentialsId: 'username-and-token.Hibernate-CI.github.com', gitToolName: 'Default')
                ]) {
 					withEnv([
 							"DISABLE_REMOTE_GRADLE_CACHE=true"
 					]) {
-						sh '''./gradlew clean publish -x test \
+						sh './gradlew clean publish -x test --no-scan --no-daemon --no-build-cache --stacktrace'
 						--no-scan --no-daemon --no-build-cache --stacktrace
 						'''
 					}
 				}
 			}
--- a/gradle/published-java-module.gradle
+++ b/gradle/published-java-module.gradle
@ -24,162 +24,114 @@ dependencies {
 	javadocSources sourceSets.main.allJava
 }
 java {
 	// Configure the Java "software component" to include javadoc and sources jars in addition to the classes jar.
 	// Ultimately, this component is what makes up the publication for this project.
 	withJavadocJar()
 	withSourcesJar()
 }
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // Publishing
-publishing {
+var publishingExtension = project.getExtensions().getByType(PublishingExtension) as PublishingExtension
-	publications {
+publishingExtension.publications {
 	// main publication
 	publishedArtifacts {
 		// Add the Java component to the main publication
 		from components.java
 	}
 }
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // Signing
 def signPublicationsTask = tasks.register('signPublications') {
 	description "Grouping task which executes all Sign tasks"
 	dependsOn tasks.withType( Sign )
 }
-java {
+tasks.named( "publishPublishedArtifactsPublicationToSonatypeRepository" ) {
-	// include javadoc and sources jar in the Java component
+	// publishing depends on signing
-	// 		- classes jar included by default
+	dependsOn signPublicationsTask
 	withJavadocJar()
 	withSourcesJar()
 }
 tasks.register('sign') {
 	description "Pseudonym for :signPublications"
 	dependsOn signPublicationsTask
 }
 var signingExtension = project.getExtensions().getByType(SigningExtension) as SigningExtension
 signingExtension.sign publishing.publications.publishedArtifacts
 gradle.taskGraph.whenReady { TaskExecutionGraph graph ->
 	boolean wasSigningRequested = false
 	boolean wasPublishingRequested = false
 	graph.allTasks.each {task ->
 		if ( task instanceof Sign ) {
 			wasSigningRequested = true
 		}
 		else if ( task instanceof PublishToMavenRepository ) {
 			wasPublishingRequested = true
 		}
 	}
 	if ( wasPublishingRequested ) {
 		def ossrhUser = System.getenv().get( "ORG_GRADLE_PROJECT_sonatypeUsername" )
 		def ossrhPass = System.getenv().get( "ORG_GRADLE_PROJECT_sonatypePassword" )
 		if ( ossrhUser == null || ossrhPass == null ) {
 			throw new RuntimeException( "Cannot perform publishing to OSSRH without credentials." )
 		}
 		logger.lifecycle "Publishing {} : {} : {}", project.group, project.name, project.version
 	}
 	if ( wasSigningRequested || wasPublishingRequested ) {
 		// signing was explicitly requested and/or we are publishing to Sonatype OSSRH
 		// 		- we need the signing to happen
 		signingExtension.required = true
 		var signingKey = resolveSigningKey()
-var signingPassword = findSigningProperty( "RELEASE_GPG_PASSPHRASE" )
+		var signingPassword = resolveSigningPassphrase()
-
+		signingExtension.useInMemoryPgpKeys( signingKey, signingPassword )
-signing {
+	}
-	useInMemoryPgpKeys( signingKey, signingPassword )
+	else {
-
+		// signing was not explicitly requested and we are not publishing to OSSRH,
-	sign publishing.publications.publishedArtifacts
+		// 		- disable all Sign tasks
 		tasks.withType( Sign ).each { t-> t.enabled = false }
 	}
 }
-String resolveSigningKey() {
+static String resolveSigningKey() {
-	var key = findSigningProperty( "RELEASE_GPG_PRIVATE_KEY" )
+	var key = System.getenv().get( "SIGNING_GPG_PRIVATE_KEY" )
 	if ( key != null ) {
 		return key
 	}
-	var keyFile = findSigningProperty( "RELEASE_GPG_PRIVATE_KEY_PATH" )
+	var keyFile = System.getenv().get( "SIGNING_GPG_PRIVATE_KEY_PATH" )
 	if ( keyFile != null ) {
 		return new File( keyFile ).text
 	}
-	return null
+	throw new RuntimeException( "Cannot perform signing without GPG details." )
 }
 String findSigningProperty(String propName) {
 	def sysProp = System.getProperty(propName)
 	if ( sysProp != null ) {
 		logger.debug "Found `{}` as a system property", propName
 		return sysProp
 	}
 	def envVar = System.getenv().get(propName)
 	if ( envVar != null ) {
 		logger.debug "Found `{}` as an env-var property", propName
 		return envVar
 	}
 	def projectProp = project.hasProperty(propName)
 	if (projectProp) {
 		logger.debug "Found `{}` as a project property", propName
 		return projectProp
 	}
 	logger.debug "Did not find `{}`", propName
 	return null
 }
 var signingTask = project.tasks.getByName( "signPublishedArtifactsPublication" ) as Sign
 var signingExtension = project.getExtensions().getByType(SigningExtension) as SigningExtension
 task sign {
 	dependsOn "signPublications"
 }
 task signPublications { t ->
 	tasks.withType( Sign ).all { s ->
 		t.dependsOn s
 	}
 }
 signingTask.doFirst {
 	if ( signingKey == null || signingPassword == null ) {
 		throw new GradleException(
 				"Cannot perform signing without GPG details.  Please set the `signingKey` and `signingKeyFile` properties"
 		)
 	}
 }
 boolean wasSigningExplicitlyRequested() {
 	// check whether signing task was explicitly requested when running the build
 	//
 	// NOTE: due to https://discuss.gradle.org/t/how-to-tell-if-a-task-was-explicitly-asked-for-on-the-command-line/42853/3
 	// we cannot definitively know whether the task was requested.  Gradle really just does not expose this information.
 	// so we make a convention - we check the "start parameters" object to see which task-names were requested;
 	// the problem is that these are the raw names directly from the command line.  e.g. it is perfectly legal to
 	// say `gradlew signPubArtPub` in place of `gradlew signPublishedArtifactsPublication` - Gradle will simply
 	// "expand" the name it finds.  However, it does not make that available.
 	//
 	// so the convention is that we will check for the following task names
 	//
 	// for each of:
 	//		1. `sign`
 	//		2. `signPublications`
 	//		3. `signPublishedArtifactsPublication`
 	//
 	// and we check both forms:
 	//		1. "${taskName}"
 	//		2. project.path + ":${taskName}"
 	//
 	// we need to check both again because of the "start parameters" discussion
 	def signingTaskNames = ["sign", "signPublications", "signPublishedArtifactsPublication"]
 	for ( String taskName : signingTaskNames ) {
 		if ( gradle.startParameter.taskNames.contains( taskName )
 				|| gradle.startParameter.taskNames.contains( "${project.path}:${taskName}" ) ) {
 			return true
 		}
 	}
 	return false
 }
 if ( wasSigningExplicitlyRequested() ) {
 	// signing was explicitly requested
 	signingExtension.required = true
 }
 else {
 	gradle.taskGraph.whenReady { graph ->
 		if ( graph.hasTask( signingTask ) ) {
 			// signing is scheduled to happen.
 			//
 			// we know, from above if-check, that it was not explicitly requested -
 			// so it is triggered via task dependency. make sure we want it to happen
 			var publishingTask = project.tasks.getByName( "publishPublishedArtifactsPublicationToSonatypeRepository" ) as PublishToMavenRepository
 			if ( graph.hasTask( publishingTask ) ) {
 				// we are publishing to Sonatype OSSRH - we need the signing to happen
 				signingExtension.required = true
 			}
 			else {
 				// signing was not explicitly requested and we are not publishing to OSSRH,
 				// so do not sign.
 				signingTask.enabled = false
 			}
 }
 static String resolveSigningPassphrase() {
 	var passphrase = System.getenv().get( "SIGNING_GPG_PASSPHRASE" )
 	if ( passphrase == null ) {
 		throw new RuntimeException( "Cannot perform signing without GPG details." )
 	}
 	return passphrase
 }
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // Release / publishing tasks
-task ciBuild {
+tasks.register('ciBuild') {
 	dependsOn test, tasks.publishToSonatype
 }
@ -195,7 +147,7 @@ tasks.publishToSonatype.mustRunAfter test
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // Ancillary tasks
-task showPublications {
+tasks.register('showPublications') {
 	doFirst {
 		project.publishing.publications.each { publication ->
 			println "Publication (${publication.name}): ${publication.groupId}:${publication.artifactId}:${publication.version}"
--- a/tooling/hibernate-gradle-plugin/hibernate-gradle-plugin.gradle
+++ b/tooling/hibernate-gradle-plugin/hibernate-gradle-plugin.gradle
@ -63,7 +63,7 @@ tasks.withType(AbstractArchiveTask).configureEach {
 test {
 	useJUnitPlatform()
 	if ( project.hasProperty( 'excludeTests' ) ) {
-		exclude project.property( 'excludeTests' )
+		exclude project.property( 'excludeTests' ) as String
 	}
 }
@ -107,12 +107,12 @@ processResources {
 	filter( ReplaceTokens, tokens: [ 'hibernateVersion': getVersion() ] )
 }
-tasks.withType( JavaCompile ) {
+tasks.withType(JavaCompile).configureEach {
 	options.encoding = 'UTF-8'
 }
 if ( !jdkVersions.explicit ) {
-	tasks.withType( GroovyCompile ) {
+	tasks.withType(GroovyCompile).configureEach {
 		sourceCompatibility = JavaVersion.toVersion(jdkVersions.baseline)
 		targetCompatibility = JavaVersion.toVersion(jdkVersions.baseline)
 	}
@ -133,20 +133,25 @@ tasks.publish.enabled !project.ormVersion.isSnapshot
 tasks.publishPlugins.enabled !project.ormVersion.isSnapshot
 gradle.taskGraph.whenReady { tg ->
-	if ( tg.hasTask( project.tasks.publishPlugins ) && project.tasks.publishPlugins.enabled  ) {
+	// verify credentials for publishing the plugin up front to avoid any work (only if we are publishing)
-		// look for sys-prop or env-var overrides of the tokens used for publishing
+	if ( tg.hasTask( ":publishPlugins" ) && project.tasks.publishPlugins.enabled  ) {
-		if ( project.properties.containsKey( 'gradle.publish.key' )
+		// we are publishing the plugin - make sure there is a credentials pair
-				|| project.properties.containsKey( 'gradle.publish.secret' ) ) {
+		//
-			// nothing to do - already explicitly set
+		// first, check the `GRADLE_PUBLISH_KEY` / `GRADLE_PUBLISH_SECRET` combo (env vars)
 		// and then the `gradle.publish.key` / `gradle.publish.secret` combo (project prop)
 		//		- see https://docs.gradle.org/current/userguide/publishing_gradle_plugins.html#account_setup
 		if ( System.getenv().get("GRADLE_PUBLISH_KEY") != null ) {
 			if ( System.getenv().get("GRADLE_PUBLISH_SECRET") != null ) {
 				throw new RuntimeException( "`GRADLE_PUBLISH_KEY` specified, but not `GRADLE_PUBLISH_SECRET` for publishing Gradle plugin" )
 			}
 		}
 		else if ( project.findProperty( 'gradle.publish.key' ) != null ) {
 			if ( project.findProperty( 'gradle.publish.secret' ) != null ) {
 				throw new RuntimeException( "`gradle.publish.key` specified, but not `gradle.publish.secret` for publishing Gradle plugin" )
 			}
 		}
 		else {
-			// use the values from the credentials provider, if any
+			throw new RuntimeException( "No credentials specified for publishing Gradle plugin" )
 			if ( project.property( 'gradle.publish.key' ) == null ) {
 				throw new RuntimeException( "`-Pgradle.publish.key=...` not found" )
 			}
 			if ( project.property( 'gradle.publish.secret' ) == null ) {
 				throw new RuntimeException( "`-Pgradle.publish.secret=...` not found" )
 			}
 		}
 	}
 }