From 2a4b55965543820bfd64102dd37b80b7cc04d0e0 Mon Sep 17 00:00:00 2001
From: Komal Yadav
Date: Wed, 11 Feb 2026 15:56:35 +0000
Subject: [PATCH 1/4] Implemented exit gate
---
.github/workflows/cloudbuild.yaml | 60 +++++++++++++++++++++++++++++++
.github/workflows/tag-release.yml | 18 +++++-----
pom.xml | 20 +++++++++++
3 files changed, 89 insertions(+), 9 deletions(-)
create mode 100644 .github/workflows/cloudbuild.yaml
diff --git a/.github/workflows/cloudbuild.yaml b/.github/workflows/cloudbuild.yaml
new file mode 100644
index 000000000..22612d897
--- /dev/null
+++ b/.github/workflows/cloudbuild.yaml
@@ -0,0 +1,60 @@ +# Copyright © 2025 Cask Data, Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy of +# the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations under +# the License. + +steps: + - name: 'gcr.io/cloud-builders/mvn:3.8-jdk-8' + id: maven-package + entrypoint: 'mvn' + args: + - -B + - -V + - -DskipTests + - -P + - oss-exit-gate + - -Dgpg.passphrase=$GPG_PASSPHRASE + - Dmaven.wagon.http.retryHandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=30 + +# - name: 'bash' +# id: create-exit-gate-manifest +# entrypoint: 'bash' +# args: +# - '-c' +# - | +# set -e +# MANIFEST_FILE="/workspace/exit_gate_manifest.textproto" +# echo '# -*- protobuffer -*-' > "$${MANIFEST_FILE}" +# echo '# proto-file: security/opensource/exit_gate_v1/onboarded/proto/publishing_manifest.proto' >> "$${MANIFEST_FILE}" +# echo '# proto-message: PublishingManifest' >> "$${MANIFEST_FILE}" +# echo '' >> "$${MANIFEST_FILE}" +# echo 'publish_all: true' >> "$${MANIFEST_FILE}" +# echo "Created manifest file: $${MANIFEST_FILE}" +# waitFor: ['maven-package'] +# +# - name: 'gcr.io/cloud-builders/gsutil' +# id: upload-exit-gate-manifest +# entrypoint: 'bash' +# args: +# - '-c' +# - | +# set -e +# MANIFEST_FILE="/workspace/exit_gate_manifest.textproto" +# # Use a timestamp to create a unique manifest filename for each release +# MANIFEST_FILENAME="release_$(date -u +%Y%m%d%H%M%S).textproto" +# echo "Uploading manifest to $${SECURE_PUBLISH_BUCKET}$${MANIFEST_FILENAME}" +# gsutil cp "$${MANIFEST_FILE}" "$${SECURE_PUBLISH_BUCKET}$${MANIFEST_FILENAME}" +# echo "Manifest uploaded 
successfully. OSS Exit Gate process should now be triggered." +# waitFor: ['create-exit-gate-manifest'] + +options: + requestedVerifyOption: VERIFIED + machineType: 'E2_HIGHCPU_32' + + diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml index 8d0c747e2..38277d3fd 100644 --- a/.github/workflows/tag-release.yml +++ b/.github/workflows/tag-release.yml @@ -26,10 +26,9 @@ jobs: uses: 'google-github-actions/get-secretmanager-secrets@v0' with: secrets: |- - CDAP_OSSRH_USERNAME:cdapio-github-builds/CDAP_OSSRH_USERNAME - CDAP_OSSRH_PASSWORD:cdapio-github-builds/CDAP_OSSRH_PASSWORD CDAP_GPG_PASSPHRASE:cdapio-github-builds/CDAP_GPG_PASSPHRASE CDAP_GPG_PRIVATE_KEY:cdapio-github-builds/CDAP_GPG_PRIVATE_KEY + SECURE_PUBLISH_BUCKET:cdapio-github-builds/publish_bucket - name: Checkout Repository uses: actions/checkout@v4 @@ -59,10 +58,11 @@ jobs: - name: Run tests run: mvn clean test -fae -T 2 -B -V -DcloudBuild -Dmaven.wagon.http.retryHandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=30 - - name: Publish to Maven Central - run: mvn clean -B -V -DskipTests deploy -P release -Dgpg.passphrase=$CDAP_GPG_PASSPHRASE -Dmaven.wagon.http.retryHandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=30 - env: - CDAP_OSSRH_USERNAME: ${{ steps.secrets.outputs.CDAP_OSSRH_USERNAME }} - CDAP_OSSRH_PASSWORD: ${{ steps.secrets.outputs.CDAP_OSSRH_PASSWORD }} - CDAP_GPG_PASSPHRASE: ${{ steps.secrets.outputs.CDAP_GPG_PASSPHRASE }} - MAVEN_OPTS: '-Xmx3200m' \ No newline at end of file + - name: Submit Build to GCB + id: gcb + working-directory: google-cloud + run: | + gcloud builds submit . \ + --config=cloudbuild-release.yaml \ + --project='cdapio-github-builds' \ + --substitutions="_SECURE_PUBLISH_BUCKET_NAME=${{ SECURE_PUBLISH_BUCKET }}, GPG_PASSPHRASE=${{CDAP_GPG_PASSPHRASE}}) \ No newline at end of file diff --git a/pom.xml b/pom.xml index 70a4f0b37..e1675ec3b 100644 --- a/pom.xml +++ b/pom.xml 
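Review bot: The signing passphrase is handed to Maven as a plain step argument, `-Dgpg.passphrase=$GPG_PASSPHRASE`, in the `maven-package` step, so whatever value the substitution carries is stored with the build's configuration and is readable by anyone who can view the build. Cloud Build can fetch the value from Secret Manager itself through `availableSecrets` and `secretEnv`, which keeps it out of the build record; the build service account would need accessor rights on the secret. The same value also travels through `--substitutions` in the tag-release.yml hunk of this patch and in patches 3/4 and 4/4. Separately, the last `args` entry has lost its leading dash and packs two options into one item (`- Dmaven.wagon.http.retryHandler.count=5 -Dmaven...`), so Maven would read it as a goal name, and no phase or goal is named anywhere in the list unless the pom sets a default goal.

```yaml
steps:
  - name: 'gcr.io/cloud-builders/mvn:3.8-jdk-8'
    id: maven-package
    entrypoint: 'bash'
    args:
      - '-c'
      # NOTE: the original args name no phase or goal; add the intended one.
      - >-
        mvn -B -V -DskipTests -P oss-exit-gate
        -Dgpg.passphrase="$$GPG_PASSPHRASE"
        -Dmaven.wagon.http.retryHandler.count=5
        -Dmaven.wagon.httpconnectionManager.ttlSeconds=30
    secretEnv: ['GPG_PASSPHRASE']

# … unchanged: commented-out manifest steps, options …

availableSecrets:
  secretManager:
    - versionName: 'projects/cdapio-github-builds/secrets/CDAP_GPG_PASSPHRASE/versions/latest'
      env: 'GPG_PASSPHRASE'
```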
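Review bot: The `Submit Build to GCB` step runs in `working-directory: google-cloud` and passes `--config=cloudbuild-release.yaml`, but the only build config this patch adds is `.github/workflows/cloudbuild.yaml`, so unless `google-cloud/cloudbuild-release.yaml` already exists in the repository the submit fails before any build starts. `gcloud builds submit .` from that directory also uploads only `google-cloud/` as the build source, which would leave the root `pom.xml` that carries the `oss-exit-gate` profile out of the workspace. GitHub also tries to parse every YAML file under `.github/workflows/` as a workflow, so the Cloud Build config is better kept elsewhere, for example at the repository root with `--config=cloudbuild.yaml` and the `working-directory` line dropped.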
@@ -1057,6 +1057,26 @@ + + oss-exit-gate + + + artifact-registry + + artifactregistry://us-central1-maven.pkg.dev/komalyd-dev/my-test-maven-repo + + + + + + artifact-registry + artifactregistry://us-maven.pkg.dev/komalyd-dev/my-test-maven-repo + + true + + + + release From 05bb8dab427885d24265bb16717558537889fd82 Mon Sep 17 00:00:00 2001 From: Komal Yadav Date: Wed, 11 Feb 2026 15:59:10 +0000 Subject: [PATCH 2/4] updated --- pom.xml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/pom.xml b/pom.xml index e1675ec3b..bbea761ce 100644 --- a/pom.xml +++ b/pom.xml @@ -1059,6 +1059,26 @@ oss-exit-gate + + + + org.apache.maven.plugins + maven-gpg-plugin + 1.5 + + ${gpg.passphrase} + ${gpg.useagent} + + + + + sign + + + + + + artifact-registry From df0f13943fd3e79fd559c16906a27e49a3396d4a Mon Sep 17 00:00:00 2001 From: Komal Yadav Date: Wed, 11 Feb 2026 16:08:24 +0000 Subject: [PATCH 3/4] updated --- .github/workflows/cloudbuild.yaml | 5 ++++- .github/workflows/tag-release.yml | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cloudbuild.yaml b/.github/workflows/cloudbuild.yaml index 22612d897..08fad4ab4 100644 --- a/.github/workflows/cloudbuild.yaml +++ b/.github/workflows/cloudbuild.yaml @@ -19,7 +19,7 @@ steps: - -DskipTests - -P - oss-exit-gate - - -Dgpg.passphrase=$GPG_PASSPHRASE + - -Dgpg.passphrase=$_GPG_PASSPHRASE - Dmaven.wagon.http.retryHandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=30 # - name: 'bash' @@ -57,4 +57,7 @@ options: requestedVerifyOption: VERIFIED machineType: 'E2_HIGHCPU_32' +substitutions: + _GPG_PASSPHRASE: cdapio-github-builds/CDAP_GPG_PASSPHRASE + diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml index 38277d3fd..0a53ebfe9 100644 --- a/.github/workflows/tag-release.yml +++ b/.github/workflows/tag-release.yml 
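Review bot: Both repository URLs in the new `oss-exit-gate` profile point at `komalyd-dev/my-test-maven-repo`, which reads as a personal test repository rather than the project's release destination, and the two entries disagree on the host (`us-central1-maven.pkg.dev` against `us-maven.pkg.dev`). The page has lost the XML element names, so which entry is the deploy target and which is a resolution repository is inferred; if one of them is a repository with releases enabled, release builds would also resolve dependencies from that developer-controlled location. I would replace the literal with a property supplied by the release build, e.g. `<url>${exit.gate.repo.url}</url>` (the property name is a placeholder), and confirm that the Artifact Registry wagon extension needed for `artifactregistry://` URLs is declared, since it is not visible in this hunk.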
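Review bot: `maven-gpg-plugin` is pinned at `1.5` in this profile and is configured with `${gpg.passphrase}`, which is what obliges the Cloud Build step to put the passphrase on the mvn command line. Plugin releases from 3.2.0 on can, to my knowledge, read the passphrase from the `MAVEN_GPG_PASSPHRASE` environment variable instead, so moving the profile to a current 3.x version and dropping the passphrase element would let the build supply it through the environment only. If this block was copied from the existing `release` profile, a shared `pluginManagement` entry would keep the two from drifting. Element names are stripped on this page, so the exact configuration keys are inferred from the values.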
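Review bot: The default added for `_GPG_PASSPHRASE` is the string `cdapio-github-builds/CDAP_GPG_PASSPHRASE`, which looks like a Secret Manager reference but is used verbatim, because Cloud Build substitutions are plain text and are not resolved against Secret Manager. A build submitted without the `--substitutions` override would therefore pass that literal to gpg as the passphrase. I would remove the `substitutions:` default so that, with the strict matching `gcloud builds submit` uses by default, a missing value is rejected at submit time; at minimum add the comment `# placeholder only, must be overridden at submit time; not a secret reference`.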
@@ -28,7 +28,7 @@ jobs: secrets: |- CDAP_GPG_PASSPHRASE:cdapio-github-builds/CDAP_GPG_PASSPHRASE CDAP_GPG_PRIVATE_KEY:cdapio-github-builds/CDAP_GPG_PRIVATE_KEY - SECURE_PUBLISH_BUCKET:cdapio-github-builds/publish_bucket + SECURE_PUBLISH_BUCKET:cdapio-github-builds/publish_bucket - name: Checkout Repository uses: actions/checkout@v4 @@ -65,4 +65,4 @@ jobs: gcloud builds submit . \ --config=cloudbuild-release.yaml \ --project='cdapio-github-builds' \ - --substitutions="_SECURE_PUBLISH_BUCKET_NAME=${{ SECURE_PUBLISH_BUCKET }}, GPG_PASSPHRASE=${{CDAP_GPG_PASSPHRASE}}) \ No newline at end of file + --substitutions="_GPG_PASSPHRASE=${{CDAP_GPG_PASSPHRASE}}" \ No newline at end of file From 568e78fe866cbdaa509e421c6beb31c86507eaaf Mon Sep 17 00:00:00 2001 From: Komal Yadav Date: Wed, 11 Feb 2026 16:12:59 +0000 Subject: [PATCH 4/4] updated --- .github/workflows/tag-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml index 0a53ebfe9..460e45e86 100644 --- a/.github/workflows/tag-release.yml +++ b/.github/workflows/tag-release.yml @@ -65,4 +65,4 @@ jobs: gcloud builds submit . \ --config=cloudbuild-release.yaml \ --project='cdapio-github-builds' \ - --substitutions="_GPG_PASSPHRASE=${{CDAP_GPG_PASSPHRASE}}" \ No newline at end of file + --substitutions="_GPG_PASSPHRASE=${{ steps.secrets.outputs.CDAP_GPG_PASSPHRASE }}" \ No newline at end of file
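Review bot: `SECURE_PUBLISH_BUCKET` is still fetched from Secret Manager, but nothing visible consumes it once this hunk drops `_SECURE_PUBLISH_BUCKET_NAME` from `--substitutions`, and the manifest upload steps in cloudbuild.yaml remain commented out. I would remove `SECURE_PUBLISH_BUCKET:cdapio-github-builds/publish_bucket` from the `secrets:` list until the upload steps are enabled, so the job pulls only what it uses. The rest of the workflow is outside the hunks shown, so another consumer may exist.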
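Review bot: The passphrase is expanded by `${{ steps.secrets.outputs.CDAP_GPG_PASSPHRASE }}` directly into the text of the `run:` script, so the shell parses the secret as part of the command: a `"`, `$` or backtick in it changes the command, and a comma would be read by gcloud as the start of another substitution. Passing it through the step environment avoids the shell-parsing problem: add `env:` with `CDAP_GPG_PASSPHRASE: ${{ steps.secrets.outputs.CDAP_GPG_PASSPHRASE }}` to the step and write `--substitutions="_GPG_PASSPHRASE=${CDAP_GPG_PASSPHRASE}"`. The value still travels as a Cloud Build substitution, which is stored with the build, so this hardens the workflow side only.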