Skip to content

Release

Release #35

Workflow file for this run

name: Release
on:
workflow_dispatch:
inputs:
run_maven_release:
type: boolean
default: false
required: false
description: Choose whether to do maven release
run_github_release:
type: boolean
default: false
required: false
description: Choose whether to do Github release
run_s3_upload:
type: boolean
default: false
required: false
description: Choose whether to do S3 upload
run_lambda_publish:
type: boolean
default: false
required: false
description: Choose whether to do lambda publish
permissions:
packages: write
contents: write
id-token: write
env:
GITHUB_USERNAME: ${{ github.actor }}
PROD_BUCKET: ${{ secrets.PROD_BUCKET }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
maven_release:
if: inputs.run_maven_release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
- name: Publish
run: ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
env:
# The secrets are for publishing the build artifacts to the Maven Central.
SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
github_release:
if: inputs.run_github_release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Build agent
run: ./gradlew clean build -x test
- name: Release and upload artifacts
run: |
VERSION=$(unzip -p agent/build/libs/solarwinds-apm-agent.jar META-INF/MANIFEST.MF | grep Implementation-Version | awk '{ print $2 }')
VERSION=$(echo $VERSION | sed 's/[^a-z0-9.-]//g') # remove illegal characters
echo "Current version is $VERSION"
response=$(curl -fs -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${GITHUB_TOKEN}"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/$GITHUB_REPOSITORY/releases \
-d '{"tag_name":"v'"$VERSION"'", "name":"v'"$VERSION"'", "body":"New release: v'"$VERSION"'", "draft":false, "prerelease":false}')
release_id=$(echo "$response" | jq -r '.id')
echo "version: $VERSION" > version.txt
SHA256=$(sha256sum agent/build/libs/solarwinds-apm-agent.jar | awk '{print $1}')
echo "sha256: $SHA256" > checksum.txt
# Function to upload a file to GitHub release
upload_file_to_release() {
local release_id="$1"
local file_path="$2"
# Extract filename from file path
file_name=$(basename "$file_path")
# Upload file to GitHub release
curl -fs \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $GITHUB_TOKEN" \
-H "Content-Type: application/octet-stream" \
--data-binary @"$file_path" \
"https://uploads.github.com/repos/$GITHUB_REPOSITORY/releases/$release_id/assets?name=$file_name"
}
# Upload file to GitHub release
upload_file_to_release "$release_id" "version.txt"
upload_file_to_release "$release_id" "checksum.txt"
upload_file_to_release "$release_id" "agent/build/libs/solarwinds-apm-agent.jar"
upload_file_to_release "$release_id" "custom/shared/src/main/resources/solarwinds-apm-config.json"
s3-prod-upload: # this job uploads the jar and default config json to prod s3
if: inputs.run_s3_upload
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Build
run: ./gradlew clean build -x test
- name: Aws setup
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_S3_ROLE_ARN_SSP_PROD }}
aws-region: "us-east-1"
- name: Set agent version
id: set_version
uses: ./.github/actions/version
- name: Check version doesn't exist
run: |
# make sure this version hasn't been pushed to prod yet
if curl -f -s "https://agent-binaries.cloud.solarwinds.com/apm/java/$AGENT_VERSION/solarwinds-apm-config.json" > /dev/null; then
echo "This version has been deployed to production already!"
exit 1
fi
env:
AGENT_VERSION: ${{ steps.set_version.outputs.version }}
- name: Copy to S3
run: |
aws s3 cp agent/build/libs/solarwinds-apm-agent.jar \
s3://$PROD_BUCKET/apm/java/$AGENT_VERSION/solarwinds-apm-agent.jar \
--acl public-read
aws s3 cp custom/shared/src/main/resources/solarwinds-apm-config.json \
s3://$PROD_BUCKET/apm/java/$AGENT_VERSION/solarwinds-apm-config.json \
--acl public-read
env:
AGENT_VERSION: ${{ steps.set_version.outputs.version }}
- name: Copy to S3(latest)
run: |
aws s3 cp s3://$PROD_BUCKET/apm/java/$AGENT_VERSION/solarwinds-apm-agent.jar \
s3://$PROD_BUCKET/apm/java/latest/solarwinds-apm-agent.jar \
--acl public-read
aws s3 cp s3://$PROD_BUCKET/apm/java/$AGENT_VERSION/solarwinds-apm-config.json \
s3://$PROD_BUCKET/apm/java/latest/solarwinds-apm-config.json \
--acl public-read
touch VERSION
echo "version: $AGENT_VERSION" >> VERSION
SHA256=$(sha256sum agent/build/libs/solarwinds-apm-agent.jar)
echo "sha256: $SHA256" >> VERSION
aws s3 cp VERSION \
s3://$PROD_BUCKET/apm/java/latest/VERSION \
--acl public-read
env:
AGENT_VERSION: ${{ steps.set_version.outputs.version }}
lambda-publish:
if: inputs.run_lambda_publish
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Aws setup
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_LAMBDA_ROLE_PROD }}
aws-region: "us-east-1"
- name: Build agent
run: ./gradlew clean build -x test
- name: Create zip
run: ./gradlew :agent-lambda:lambda-layer
- name: Set agent version
id: set_version
uses: ./.github/actions/version
- name: Create lambda layer
run: |
regions=(
"ap-northeast-1"
"ap-northeast-2"
"ap-south-1"
"ap-southeast-1"
"ap-southeast-2"
"ca-central-1"
"eu-central-1"
"eu-north-1"
"eu-west-1"
"eu-west-2"
"eu-west-3"
"sa-east-1"
"us-east-1"
"us-east-2"
"us-west-1"
"us-west-2")
VERSION=$(echo "$AGENT_VERSION" | sed 's/[.]/_/g')
LAYER_NAME="solarwinds-apm-java-$VERSION"
touch arns.txt
layer_size=$(stat --printf=%s agent-lambda/build/lambda-layer/layer.zip)
set +e
for region in "${regions[@]}"; do
status=0
aws lambda publish-layer-version \
--layer-name $LAYER_NAME \
--compatible-runtimes "java21" "java17" "java11" "java8.al2" \
--compatible-architectures "x86_64" "arm64" \
--description "Solarwinds' apm java lambda instrumentation layer, version: $AGENT_VERSION" \
--region "$region" \
--zip-file fileb://agent-lambda/build/lambda-layer/layer.zip \
--output json > output.json
status=$?
if [ "$status" != 0 ]; then
echo "FAILED: publish $region"
continue
fi
pub_versionarn=$(jq -r '.LayerVersionArn' output.json)
pub_arn=$(jq -r '.LayerArn' output.json)
pub_version=$(jq -r '.Version' output.json)
pub_size=$(jq -r '.Content.CodeSize' output.json)
echo '-- verifying published layer --'
if [ "$pub_size" != "$layer_size" ]; then
echo "FAILED: Region = $region, versonArn = $pub_versionarn published size = $pub_size, expected size = $layer_size"
continue
fi
aws lambda add-layer-version-permission \
--region "$region" \
--layer-name "$pub_arn" \
--version-number "$pub_version" \
--principal '*' \
--action lambda:GetLayerVersion \
--statement-id global-GetLayerVersion
status=$?
if [ "$status" != 0 ]; then
echo "FAILED: add permission region = $region, versionArn = $pub_versionarn"
continue
fi
echo "$pub_versionarn" >> arns.txt
done
env:
AGENT_VERSION: ${{ steps.set_version.outputs.version }}
- uses: actions/upload-artifact@v4
with:
path: arns.txt
name: arns
sign_release:
needs:
- github_release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Build agent
run: ./gradlew clean build -x test
- name: Sign and download signed jar
run: |
response=$(curl -fs \
-H "Authorization: Bearer $SIGN_PATH_API_TOKEN" \
-F "ProjectSlug=$SIGN_PATH_PROJECT_SLUG" \
-F "ArtifactConfigurationSlug=$SIGN_PATH_ARTIFACT_SLUG" \
-F "SigningPolicySlug=$SIGN_PATH_SIGNING_POLICY" \
-F "Artifact=@agent/build/libs/solarwinds-apm-agent.jar" \
https://app.signpath.io/API/v1/$SIGN_PATH_ORG_ID/SigningRequests)
SIGNING_REQUEST_ID=$(echo "$response" | jq -r '.signingRequestId')
state=""
while [[ "$state" != "true" ]]
do
response=$(curl -fsSL \
-H "Authorization: Bearer $SIGN_PATH_API_TOKEN" \
https://app.signpath.io/API/v1/$SIGN_PATH_ORG_ID/SigningRequests/$SIGNING_REQUEST_ID)
state=$(echo "$response" | jq -r ".isFinalStatus")
status_state=$(echo "$response" | jq -r ".status")
echo "Status -> $status_state"
sleep 5
done
curl -fs \
-o agent/build/libs/solarwinds-apm-agent-signed.jar \
-H "Authorization: Bearer $SIGN_PATH_API_TOKEN" \
https://app.signpath.io/API/v1/$SIGN_PATH_ORG_ID/SigningRequests/$SIGNING_REQUEST_ID/SignedArtifact
env:
SIGN_PATH_API_TOKEN: ${{ secrets.SIGN_PATH_API_TOKEN }}
SIGN_PATH_PROJECT_SLUG: ${{ secrets.SIGN_PATH_PROJECT_SLUG }}
SIGN_PATH_SIGNING_POLICY: ${{ secrets.SIGN_PATH_SIGNING_POLICY }}
SIGN_PATH_ORG_ID: ${{ secrets.SIGN_PATH_ORG_ID }}
SIGN_PATH_ARTIFACT_SLUG: ${{ secrets.SIGN_PATH_ARTIFACT_SLUG }}
- name: Set agent version
id: set_version
uses: ./.github/actions/version
- name: Upload signed artifact
run: |
response=$(curl -fsL \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${GITHUB_TOKEN}"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/$GITHUB_REPOSITORY/releases/tags/v$VERSION)
release_id=$(echo "$response" | jq -r '.id')
# Function to upload a file to GitHub release
upload_file_to_release() {
local release_id="$1"
local file_path="$2"
# Extract filename from file path
file_name=$(basename "$file_path")
# Upload file to GitHub release
curl -fs \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $GITHUB_TOKEN" \
-H "Content-Type: application/octet-stream" \
--data-binary @"$file_path" \
"https://uploads.github.com/repos/$GITHUB_REPOSITORY/releases/$release_id/assets?name=$file_name"
}
# Upload file to GitHub release
upload_file_to_release "$release_id" "agent/build/libs/solarwinds-apm-agent-signed.jar"
env:
VERSION: ${{ steps.set_version.outputs.version }}
docker_hub:
runs-on: ubuntu-latest
# needs:
# - github_release
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Set agent version
id: set_version
uses: ./.github/actions/version
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_HUB_CI_USER }}
password: ${{ secrets.DOCKER_HUB_CI_PASSWORD }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v4
with:
images: ${{ github.repository_owner }}/autoinstrumentation-java
tags: |
type=raw,value=${{ steps.set_version.outputs.version }}
type=raw,value=latest
labels: |
maintainer=swo-librarians
org.opencontainers.image.title=apm-java
org.opencontainers.image.description=Solarwinds OTEL distro Java agent
org.opencontainers.image.vendor=SolarWinds Worldwide, LLC
#
# - name: Build and push
# uses: docker/build-push-action@v5
# with:
# push: false
# context: agent
# platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
# tags: ${{ steps.meta.outputs.tags }}
# labels: ${{ steps.meta.outputs.labels }}
- name: Analyze for critical and high CVEs
id: docker-scout-cves
uses: docker/scout-action@v1
with:
command: cves
image: ${{ steps.meta.outputs.tags[0] }}
platform: "linux/amd64"
ignore-base: true
only-package-types: maven
ghrc_io:
runs-on: ubuntu-latest
needs:
- github_release
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Set agent version
id: set_version
uses: ./.github/actions/version
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Package Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
push: true
context: agent
platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
tags: ghcr.io/${{ github.repository_owner }}/autoinstrumentation-java:${{ steps.set_version.outputs.version }},ghcr.io/${{ github.repository_owner }}/autoinstrumentation-java:latest