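# Manually dispatched release pipeline. Every stage is opt-in through a boolean
# input so one dispatch can run any subset of: Maven Central publish, GitHub
# release, S3 upload and Lambda layer publish. sign_release and ghrc_io hang off
# github_release via `needs` and are skipped when that job is skipped.
#
# Third-party actions are referenced by major tag (@v4, @v3, ...). Because this
# workflow holds publishing credentials, pinning each `uses:` to a full commit SHA
# (tag kept in a trailing comment) stops a moved or compromised tag from running
# with those credentials. SHAs are deliberately not guessed here — resolve them
# from the upstream repositories when pinning.
name: Release

on:
  workflow_dispatch:
    inputs:
      run_maven_release:
        type: boolean
        default: false
        required: false
        description: Choose whether to do maven release
      run_github_release:
        type: boolean
        default: false
        required: false
        description: Choose whether to do Github release
      run_s3_upload:
        type: boolean
        default: false
        required: false
        description: Choose whether to do S3 upload
      run_lambda_publish:
        type: boolean
        default: false
        required: false
        description: Choose whether to do lambda publish

# Least-privilege default for GITHUB_TOKEN. Each job declares its own
# `permissions` block below, which replaces this one for that job, so write
# scopes are only granted where they are actually used.
permissions:
  contents: read

env:
  # Workflow-level env is inherited by every step of every job, including the
  # third-party actions (setup-gradle, docker/*, aws-actions/*) and whatever
  # they spawn. Kept here because every job runs ./gradlew, which presumably
  # reads GITHUB_USERNAME/GITHUB_TOKEN for dependency resolution — TODO confirm;
  # if so, scope both to the Gradle and curl steps that need them.
  GITHUB_USERNAME: ${{ github.actor }}
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

jobs:
  # Publishes to Maven Central through the Sonatype staging repository. The
  # Sonatype and GPG secrets are scoped to the single step that uses them.
  maven_release:
    if: inputs.run_maven_release
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Assumed sufficient for Gradle to resolve dependencies from GitHub
      # Packages — TODO confirm; raise to `write` only if the build also
      # publishes there (publishToSonatype itself does not).
      packages: read
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3
      - name: Publish
        run: ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
        env:
          # The secrets are for publishing the build artifacts to the Maven Central.
          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
          SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}

  # Builds the agent, creates a GitHub release tagged from the jar's manifest
  # version and attaches the jar, its sha256, a version file and the default
  # config as release assets.
  github_release:
    if: inputs.run_github_release
    runs-on: ubuntu-latest
    permissions:
      contents: write  # create the release and upload its assets
      packages: read   # Gradle dependency resolution (see env note above) — TODO confirm
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Build agent
        run: ./gradlew clean build -x test
      - name: Release and upload artifacts
        run: |
          set -euo pipefail
          JAR=agent/build/libs/solarwinds-apm-agent.jar
          VERSION=$(unzip -p "$JAR" META-INF/MANIFEST.MF | grep Implementation-Version | awk '{ print $2 }')
          # Keep only characters that are safe in a tag name. Note the class also
          # drops upper-case letters, so a version like "1.0.0-RC1" loses "RC".
          VERSION=$(echo "$VERSION" | sed 's/[^a-z0-9.-]//g')
          if [ -z "$VERSION" ]; then
            echo "Could not read Implementation-Version from $JAR"
            exit 1
          fi
          echo "Current version is $VERSION"
          # Build the request body with jq so the version is JSON-encoded rather
          # than spliced into a hand-written literal.
          payload=$(jq -n --arg v "v$VERSION" \
            '{tag_name: $v, name: $v, body: ("New release: " + $v), draft: false, prerelease: false}')
          response=$(curl -fsS \
            -X POST \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            "https://api.github.com/repos/$GITHUB_REPOSITORY/releases" \
            -d "$payload")
          release_id=$(echo "$response" | jq -r '.id')
          # Without this guard a missing id would upload to ".../releases//assets".
          if [ -z "$release_id" ] || [ "$release_id" = "null" ]; then
            echo "Release creation returned no id: $response"
            exit 1
          fi
          echo "version: $VERSION" > version.txt
          SHA256=$(sha256sum "$JAR" | awk '{print $1}')
          echo "sha256: $SHA256" > checksum.txt
          # Upload one file as a release asset; the asset name is the file's basename.
          upload_file_to_release() {
            local release_id="$1"
            local file_path="$2"
            local file_name
            file_name=$(basename "$file_path")
            curl -fsS \
              -X POST \
              -H "Accept: application/vnd.github+json" \
              -H "Authorization: Bearer $GITHUB_TOKEN" \
              -H "Content-Type: application/octet-stream" \
              --data-binary @"$file_path" \
              "https://uploads.github.com/repos/$GITHUB_REPOSITORY/releases/$release_id/assets?name=$file_name"
          }
          upload_file_to_release "$release_id" "version.txt"
          upload_file_to_release "$release_id" "checksum.txt"
          upload_file_to_release "$release_id" "$JAR"
          upload_file_to_release "$release_id" "custom/shared/src/main/resources/solarwinds-apm-config.json"

  s3-prod-upload: # this job uploads the jar and default config json to prod s3
    if: inputs.run_s3_upload
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # OIDC token exchange for role-to-assume below
      packages: read   # Gradle dependency resolution (see env note above) — TODO confirm
    env:
      # Only this job talks to the bucket, so its name is scoped here instead of workflow-wide.
      PROD_BUCKET: ${{ secrets.PROD_BUCKET }}
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Build
        run: ./gradlew clean build -x test
      - name: Aws setup
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_S3_ROLE_ARN_SSP_PROD }}
          aws-region: "us-east-1"
      - name: Set agent version
        id: set_version
        uses: ./.github/actions/version
      - name: Check version doesn't exist
        run: |
          # An empty version would otherwise probe and later upload to "apm/java//...".
          if [ -z "$AGENT_VERSION" ]; then
            echo "Agent version is empty"
            exit 1
          fi
          # make sure this version hasn't been pushed to prod yet
          if curl -f -s "https://agent-binaries.cloud.solarwinds.com/apm/java/$AGENT_VERSION/solarwinds-apm-config.json" > /dev/null; then
            echo "This version has been deployed to production already!"
            exit 1
          fi
        env:
          AGENT_VERSION: ${{ steps.set_version.outputs.version }}
      - name: Copy to S3
        # Objects are intentionally world-readable: this is the public agent download path.
        run: |
          aws s3 cp agent/build/libs/solarwinds-apm-agent.jar \
            s3://$PROD_BUCKET/apm/java/$AGENT_VERSION/solarwinds-apm-agent.jar \
            --acl public-read
          aws s3 cp custom/shared/src/main/resources/solarwinds-apm-config.json \
            s3://$PROD_BUCKET/apm/java/$AGENT_VERSION/solarwinds-apm-config.json \
            --acl public-read
        env:
          AGENT_VERSION: ${{ steps.set_version.outputs.version }}
      - name: Copy to S3(latest)
        run: |
          aws s3 cp s3://$PROD_BUCKET/apm/java/$AGENT_VERSION/solarwinds-apm-agent.jar \
            s3://$PROD_BUCKET/apm/java/latest/solarwinds-apm-agent.jar \
            --acl public-read
          aws s3 cp s3://$PROD_BUCKET/apm/java/$AGENT_VERSION/solarwinds-apm-config.json \
            s3://$PROD_BUCKET/apm/java/latest/solarwinds-apm-config.json \
            --acl public-read
          # NOTE(review): unlike checksum.txt in github_release, the sha256 line
          # here keeps sha256sum's "<hash>  <path>" form. Left as is because
          # consumers of latest/VERSION may already parse that layout — confirm
          # before aligning the two formats.
          touch VERSION
          echo "version: $AGENT_VERSION" >> VERSION
          SHA256=$(sha256sum agent/build/libs/solarwinds-apm-agent.jar)
          echo "sha256: $SHA256" >> VERSION
          aws s3 cp VERSION \
            s3://$PROD_BUCKET/apm/java/latest/VERSION \
            --acl public-read
        env:
          AGENT_VERSION: ${{ steps.set_version.outputs.version }}

  # Publishes the Lambda layer zip to every listed region and records the
  # resulting layer version ARNs in arns.txt, which is uploaded as an artifact.
  lambda-publish:
    if: inputs.run_lambda_publish
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # OIDC token exchange for role-to-assume below
      packages: read   # Gradle dependency resolution (see env note above) — TODO confirm
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Aws setup
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_LAMBDA_ROLE_PROD }}
          aws-region: "us-east-1"
      - name: Build agent
        run: ./gradlew clean build -x test
      - name: Create zip
        run: ./gradlew :agent-lambda:lambda-layer
      - name: Set agent version
        id: set_version
        uses: ./.github/actions/version
      - name: Create lambda layer
        run: |
          set -euo pipefail
          regions=(
            "ap-northeast-1"
            "ap-northeast-2"
            "ap-south-1"
            "ap-southeast-1"
            "ap-southeast-2"
            "ca-central-1"
            "eu-central-1"
            "eu-north-1"
            "eu-west-1"
            "eu-west-2"
            "eu-west-3"
            "sa-east-1"
            "us-east-1"
            "us-east-2"
            "us-west-1"
            "us-west-2")
          if [ -z "$AGENT_VERSION" ]; then
            echo "Agent version is empty"
            exit 1
          fi
          # Layer names may not contain dots, so "1.2.3" becomes "1_2_3".
          VERSION=$(echo "$AGENT_VERSION" | sed 's/[.]/_/g')
          LAYER_NAME="solarwinds-apm-java-$VERSION"
          ZIP=agent-lambda/build/lambda-layer/layer.zip
          : > arns.txt
          layer_size=$(stat --printf=%s "$ZIP")
          # A failing region is logged and skipped so it does not block the
          # others, but the count is kept so the step still fails at the end
          # instead of reporting success with a partial (or empty) arns.txt.
          failed=0
          for region in "${regions[@]}"; do
            if ! aws lambda publish-layer-version \
                --layer-name "$LAYER_NAME" \
                --compatible-runtimes "java21" "java17" "java11" "java8.al2" \
                --compatible-architectures "x86_64" "arm64" \
                --description "Solarwinds' apm java lambda instrumentation layer, version: $AGENT_VERSION" \
                --region "$region" \
                --zip-file "fileb://$ZIP" \
                --output json > output.json; then
              echo "FAILED: publish $region"
              failed=$((failed + 1))
              continue
            fi
            pub_versionarn=$(jq -r '.LayerVersionArn' output.json)
            pub_arn=$(jq -r '.LayerArn' output.json)
            pub_version=$(jq -r '.Version' output.json)
            pub_size=$(jq -r '.Content.CodeSize' output.json)
            echo '-- verifying published layer --'
            # Size mismatch means AWS did not store the bytes we uploaded; do not
            # grant access to such a version.
            if [ "$pub_size" != "$layer_size" ]; then
              echo "FAILED: Region = $region, versonArn = $pub_versionarn published size = $pub_size, expected size = $layer_size"
              failed=$((failed + 1))
              continue
            fi
            # principal '*' makes this layer version usable from any AWS account;
            # that is the intent for a publicly distributed instrumentation layer.
            if ! aws lambda add-layer-version-permission \
                --region "$region" \
                --layer-name "$pub_arn" \
                --version-number "$pub_version" \
                --principal '*' \
                --action lambda:GetLayerVersion \
                --statement-id global-GetLayerVersion; then
              echo "FAILED: add permission region = $region, versionArn = $pub_versionarn"
              failed=$((failed + 1))
              continue
            fi
            echo "$pub_versionarn" >> arns.txt
          done
          if [ "$failed" -ne 0 ]; then
            echo "FAILED: $failed region(s) did not publish cleanly; see log above"
            exit 1
          fi
        env:
          AGENT_VERSION: ${{ steps.set_version.outputs.version }}
      - uses: actions/upload-artifact@v4
        # Still runs after a partial failure so the ARNs that did publish are kept.
        if: ${{ !cancelled() }}
        with:
          path: arns.txt
          name: arns

  # Sends the agent jar to SignPath, waits for the signing request to finish and
  # attaches the signed jar to the GitHub release created by github_release.
  # NOTE(review): this job rebuilds the jar instead of reusing the one that
  # github_release published and checksummed, so the signed asset only matches
  # checksum.txt if the build is reproducible — consider passing the jar between
  # the two jobs with upload-artifact/download-artifact.
  sign_release:
    needs:
      - github_release
    runs-on: ubuntu-latest
    permissions:
      contents: write  # upload the signed jar as a release asset
      packages: read   # Gradle dependency resolution (see env note above) — TODO confirm
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Build agent
        run: ./gradlew clean build -x test
      - name: Sign and download signed jar
        run: |
          set -euo pipefail
          JAR=agent/build/libs/solarwinds-apm-agent.jar
          response=$(curl -fsS \
            -H "Authorization: Bearer $SIGN_PATH_API_TOKEN" \
            -F "ProjectSlug=$SIGN_PATH_PROJECT_SLUG" \
            -F "ArtifactConfigurationSlug=$SIGN_PATH_ARTIFACT_SLUG" \
            -F "SigningPolicySlug=$SIGN_PATH_SIGNING_POLICY" \
            -F "Artifact=@$JAR" \
            "https://app.signpath.io/API/v1/$SIGN_PATH_ORG_ID/SigningRequests")
          SIGNING_REQUEST_ID=$(echo "$response" | jq -r '.signingRequestId')
          if [ -z "$SIGNING_REQUEST_ID" ] || [ "$SIGNING_REQUEST_ID" = "null" ]; then
            echo "Signing request was not created: $response"
            exit 1
          fi
          # Poll until SignPath reports a final status. The loop is bounded so a
          # request stuck in approval fails the job instead of holding the runner
          # until the workflow-level timeout.
          max_polls=360   # 360 * 5s = 30 minutes
          polls=0
          state=""
          status_state=""
          while [[ "$state" != "true" ]]
          do
            if [ "$polls" -ge "$max_polls" ]; then
              echo "Timed out waiting for signing request $SIGNING_REQUEST_ID (last status: $status_state)"
              exit 1
            fi
            polls=$((polls + 1))
            response=$(curl -fsSL \
              -H "Authorization: Bearer $SIGN_PATH_API_TOKEN" \
              "https://app.signpath.io/API/v1/$SIGN_PATH_ORG_ID/SigningRequests/$SIGNING_REQUEST_ID")
            state=$(echo "$response" | jq -r ".isFinalStatus")
            status_state=$(echo "$response" | jq -r ".status")
            echo "Status -> $status_state"
            sleep 5
          done
          # A final status is not necessarily success (denied/failed/cancelled are
          # final too). "Completed" is SignPath's success value — TODO confirm the
          # exact string against the API for this tenant before relying on it.
          if [ "$status_state" != "Completed" ]; then
            echo "Signing request $SIGNING_REQUEST_ID ended with status: $status_state"
            exit 1
          fi
          curl -fsS \
            -o agent/build/libs/solarwinds-apm-agent-signed.jar \
            -H "Authorization: Bearer $SIGN_PATH_API_TOKEN" \
            "https://app.signpath.io/API/v1/$SIGN_PATH_ORG_ID/SigningRequests/$SIGNING_REQUEST_ID/SignedArtifact"
        env:
          SIGN_PATH_API_TOKEN: ${{ secrets.SIGN_PATH_API_TOKEN }}
          SIGN_PATH_PROJECT_SLUG: ${{ secrets.SIGN_PATH_PROJECT_SLUG }}
          SIGN_PATH_SIGNING_POLICY: ${{ secrets.SIGN_PATH_SIGNING_POLICY }}
          SIGN_PATH_ORG_ID: ${{ secrets.SIGN_PATH_ORG_ID }}
          SIGN_PATH_ARTIFACT_SLUG: ${{ secrets.SIGN_PATH_ARTIFACT_SLUG }}
      - name: Set agent version
        id: set_version
        uses: ./.github/actions/version
      - name: Upload signed artifact
        # NOTE(review): the release tag is looked up from the version action's
        # output, while github_release derived its tag from the jar manifest; the
        # two are assumed to agree — TODO confirm.
        run: |
          set -euo pipefail
          response=$(curl -fsSL \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            "https://api.github.com/repos/$GITHUB_REPOSITORY/releases/tags/v$VERSION")
          release_id=$(echo "$response" | jq -r '.id')
          if [ -z "$release_id" ] || [ "$release_id" = "null" ]; then
            echo "No release found for tag v$VERSION: $response"
            exit 1
          fi
          # Upload one file as a release asset; the asset name is the file's basename.
          upload_file_to_release() {
            local release_id="$1"
            local file_path="$2"
            local file_name
            file_name=$(basename "$file_path")
            curl -fsS \
              -X POST \
              -H "Accept: application/vnd.github+json" \
              -H "Authorization: Bearer $GITHUB_TOKEN" \
              -H "Content-Type: application/octet-stream" \
              --data-binary @"$file_path" \
              "https://uploads.github.com/repos/$GITHUB_REPOSITORY/releases/$release_id/assets?name=$file_name"
          }
          upload_file_to_release "$release_id" "agent/build/libs/solarwinds-apm-agent-signed.jar"
        env:
          VERSION: ${{ steps.set_version.outputs.version }}

  # Logs in to Docker Hub and runs a Docker Scout CVE scan. The build-and-push
  # step is commented out, so nothing is published from this job.
  # NOTE(review): with `needs` commented out and no `if:`, this job runs on every
  # dispatch regardless of which inputs were selected.
  docker_hub:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # needs:
    #   - github_release
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Set agent version
        id: set_version
        uses: ./.github/actions/version
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_CI_USER }}
          password: ${{ secrets.DOCKER_HUB_CI_PASSWORD }}
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ github.repository_owner }}/autoinstrumentation-java
          tags: |
            type=raw,value=${{ steps.set_version.outputs.version }}
            type=raw,value=latest
          labels: |
            maintainer=swo-librarians
            org.opencontainers.image.title=apm-java
            org.opencontainers.image.description=Solarwinds OTEL distro Java agent
            org.opencontainers.image.vendor=SolarWinds Worldwide, LLC
      #
      # - name: Build and push
      #   uses: docker/build-push-action@v5
      #   with:
      #     push: false
      #     context: agent
      #     platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
      #     tags: ${{ steps.meta.outputs.tags }}
      #     labels: ${{ steps.meta.outputs.labels }}
      - name: Analyze for critical and high CVEs
        id: docker-scout-cves
        uses: docker/scout-action@v1
        # NOTE(review): `steps.meta.outputs.tags` is a newline-separated string,
        # so `[0]` is not obviously a first-element lookup — verify the image
        # reference this resolves to. Since nothing is built or pushed in this
        # job, the scan presumably targets whatever is already published under
        # that tag on Docker Hub rather than this run's build — confirm.
        with:
          command: cves
          image: ${{ steps.meta.outputs.tags[0] }}
          platform: "linux/amd64"
          ignore-base: true
          only-package-types: maven

  # Builds the multi-arch image and pushes it to ghcr.io tagged with the agent
  # version and `latest`. The job id reads "ghrc" rather than "ghcr"; it is kept
  # unchanged because job ids can be referenced by `needs` and by required
  # status checks.
  ghrc_io:
    runs-on: ubuntu-latest
    needs:
      - github_release
    permissions:
      contents: read
      packages: write  # push to ghcr.io with GITHUB_TOKEN
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Set agent version
        id: set_version
        uses: ./.github/actions/version
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Package Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          context: agent
          platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
          tags: ghcr.io/${{ github.repository_owner }}/autoinstrumentation-java:${{ steps.set_version.outputs.version }},ghcr.io/${{ github.repository_owner }}/autoinstrumentation-java:latest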