Automate release workflow

.github/actions/get-prerelease/action.yml

@@ -0,0 +1,30 @@
+name: Return a boolean indicating if the version contains prerelease identifiers
+
+#
+# Returns a simple true/false boolean indicating whether the version indicates it's a prerelease or not.
+#
+# TODO: Remove once the common repo is public.
+#
+
+inputs:
+  version:
+    required: true
+
+outputs:
+  prerelease:
+    value: ${{ steps.get_prerelease.outputs.PRERELEASE }}
+
+runs:
+  using: composite
+
+  steps:
+    - id: get_prerelease
+      shell: bash
+      run: |
+        if [[ "${VERSION}" == *"beta"* || "${VERSION}" == *"alpha"* ]]; then
+          echo "PRERELEASE=true" >> $GITHUB_OUTPUT
+        else
+          echo "PRERELEASE=false" >> $GITHUB_OUTPUT
+        fi
+      env:
+        VERSION: ${{ inputs.version }}

.github/actions/get-release-notes/action.yml

@@ -0,0 +1,42 @@
+name: Return the release notes extracted from the body of the PR associated with the release.
+
+#
+# Returns the release notes from the content of a pull request linked to a release branch. It expects the branch name to be in the format release/vX.Y.Z, release/X.Y.Z, release/vX.Y.Z-beta.N. etc.
+#
+# TODO: Remove once the common repo is public.
+#
+inputs:
+  version:
+    required: true
+  repo_name:
+    required: false
+  repo_owner:
+    required: true
+  token:
+    required: true
+
+outputs:
+  release-notes:
+    value: ${{ steps.get_release_notes.outputs.RELEASE_NOTES }}
+
+runs:
+  using: composite
+
+  steps:
+    - uses: actions/github-script@v7
+      id: get_release_notes
+      with:
+        result-encoding: string
+        script: |
+          const { data: pulls } = await github.rest.pulls.list({
+            owner: process.env.REPO_OWNER,
+            repo: process.env.REPO_NAME,
+            state: 'all',
+            head: `${process.env.REPO_OWNER}:release/${process.env.VERSION}`,
+          });
+          core.setOutput('RELEASE_NOTES', pulls[0].body);
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+        REPO_OWNER: ${{ inputs.repo_owner }}
+        REPO_NAME: ${{ inputs.repo_name }}
+        VERSION: ${{ inputs.version }}

.github/actions/get-version/action.yml

@@ -0,0 +1,21 @@
+name: Return the version extracted from the branch name
+
+#
+# Returns the version from the .version file.
+#
+# TODO: Remove once the common repo is public.
+#
+
+outputs:
+  version:
+    value: ${{ steps.get_version.outputs.VERSION }}
+
+runs:
+  using: composite
+
+  steps:
+    - id: get_version
+      shell: bash
+      run: |
+        VERSION=$(head -1 .version)
+        echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT

.github/actions/maven-publish/action.yml

@@ -0,0 +1,44 @@
+name: Publish release to Java
+
+inputs:
+  ossr-username:
+    required: true
+  ossr-password:
+    required: true
+  signing-key:
+    required: true
+  signing-password:
+    required: true
+  java-version:
+    required: true
+  is-android:
+    required: true
+  version:
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup Java
+      shell: bash
+      run: |
+        curl -s "https://get.sdkman.io" | bash
+        source "/home/runner/.sdkman/bin/sdkman-init.sh"
+        sdk list java
+        sdk install java ${{ inputs.java-version }} && sdk default java ${{ inputs.java-version }}
+
+    - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # pin@1.1.0
+
+    - name: Publish Java
+      shell: bash
+      if: inputs.is-android == 'false'
+      run: ./gradlew clean assemble sign publishMavenJavaPublicationToMavenRepository -PisSnapshot=false -Pversion="${{ inputs.version }}" -PossrhUsername="${{ inputs.ossr-username }}" -PossrhPassword="${{ inputs.ossr-password }}" -PsigningKey="${{ inputs.signing-key }}" -PsigningPassword="${{ inputs.signing-password }}"
+
+    - name: Publish Android
+      shell: bash
+      if: inputs.is-android == 'true'
+      run: ./gradlew clean assemble sign publishAndroidLibraryPublicationToMavenRepository -PisSnapshot=false -Pversion="${{ inputs.version }}" -PossrhUsername="${{ inputs.ossr-username }}" -PossrhPassword="${{ inputs.ossr-password }}" -PsigningKey="${{ inputs.signing-key }}" -PsigningPassword="${{ inputs.signing-password }}"

.github/actions/release-create/action.yml

@@ -0,0 +1,47 @@
+name: Create a GitHub release
+
+#
+# Creates a GitHub release with the given version.
+#
+# TODO: Remove once the common repo is public.
+#
+
+inputs:
+  token:
+    required: true
+  files:
+    required: false
+  name:
+    required: true
+  body:
+    required: true
+  tag:
+    required: true
+  commit:
+    required: true
+  draft:
+    default: false
+    required: false
+  prerelease:
+    default: false
+    required: false
+  fail_on_unmatched_files:
+    default: true
+    required: false
+
+runs:
+  using: composite
+
+  steps:
+    - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
+      with:
+        body: ${{ inputs.body }}
+        name: ${{ inputs.name }}
+        tag_name: ${{ inputs.tag }}
+        target_commitish: ${{ inputs.commit }}
+        draft: ${{ inputs.draft }}
+        prerelease: ${{ inputs.prerelease }}
+        fail_on_unmatched_files: ${{ inputs.fail_on_unmatched_files }}
+        files: ${{ inputs.files }}
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}

.github/actions/tag-exists/action.yml

@@ -0,0 +1,36 @@
+name: Return a boolean indicating if a tag already exists for the repository
+
+#
+# Returns a simple true/false boolean indicating whether the tag exists or not.
+#
+# TODO: Remove once the common repo is public.
+#
+
+inputs:
+  token:
+    required: true
+  tag:
+    required: true
+
+outputs:
+  exists:
+    description: 'Whether the tag exists or not'
+    value: ${{ steps.tag-exists.outputs.EXISTS }}
+
+runs:
+  using: composite
+
+  steps:
+    - id: tag-exists
+      shell: bash
+      run: |
+        GET_API_URL="https://api.github.com/repos/${GITHUB_REPOSITORY}/git/ref/tags/${TAG_NAME}"
+        http_status_code=$(curl -LI $GET_API_URL -o /dev/null -w '%{http_code}\n' -s -H "Authorization: token ${GITHUB_TOKEN}")
+        if [ "$http_status_code" -ne "404" ] ; then
+          echo "EXISTS=true" >> $GITHUB_OUTPUT
+        else
+          echo "EXISTS=false" >> $GITHUB_OUTPUT
+        fi
+      env:
+        TAG_NAME: ${{ inputs.tag }}
+        GITHUB_TOKEN: ${{ inputs.token }}

.github/workflows/java-release.yml

@@ -0,0 +1,88 @@
+name: Create Java and GitHub Release
+
+on:
+  workflow_call:
+    inputs:
+      java-version:
+        required: true
+        type: string
+      is-android:
+        required: true
+        type: string
+    secrets:
+      ossr-username:
+        required: true
+      ossr-password:
+        required: true
+      signing-key:
+        required: true
+      signing-password:
+        required: true
+      github-token:
+        required: true
+
+### TODO: Replace instances of './.github/actions/' w/ `auth0/dx-sdk-actions/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
+### TODO: Also remove `get-prerelease`, `get-version`, `release-create`, `tag-create` and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
+
+jobs:
+  release:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+    runs-on: ubuntu-latest
+    environment: release
+
+    steps:
+      # Checkout the code
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # Get the version from the branch name
+      - id: get_version
+        uses: ./.github/actions/get-version
+
+      # Get the prerelease flag from the branch name
+      - id: get_prerelease
+        uses: ./.github/actions/get-prerelease
+        with:
+          version: ${{ steps.get_version.outputs.version }}
+
+      # Get the release notes
+      - id: get_release_notes
+        uses: ./.github/actions/get-release-notes
+        with:
+          token: ${{ secrets.github-token }}
+          version: ${{ steps.get_version.outputs.version }}
+          repo_owner: ${{ github.repository_owner }}
+          repo_name: ${{ github.event.repository.name }}
+
+      # Check if the tag already exists
+      - id: tag_exists
+        uses: ./.github/actions/tag-exists
+        with:
+          tag: ${{ steps.get_version.outputs.version }}
+          token: ${{ secrets.github-token }}
+
+      # If the tag already exists, exit with an error
+      - if: steps.tag_exists.outputs.exists == 'true'
+        run: exit 1
+
+      # Publish the release to Maven
+      - uses: ./.github/actions/maven-publish
+        with:
+          java-version: ${{ inputs.java-version }}
+          is-android: ${{ inputs.is-android }}
+          version: ${{ steps.get_version.outputs.version }}
+          ossr-username: ${{ secrets.ossr-username }}
+          ossr-password: ${{ secrets.ossr-password }}
+          signing-key: ${{ secrets.signing-key }}
+          signing-password: ${{ secrets.signing-password }}
+
+      # Create a release for the tag
+      - uses: ./.github/actions/release-create
+        with:
+          token: ${{ secrets.github-token }}
+          name: ${{ steps.get_version.outputs.version }}
+          body: ${{ steps.get_release_notes.outputs.release-notes }}
+          tag: ${{ steps.get_version.outputs.version }}
+          commit: ${{ github.sha }}
+          prerelease: ${{ steps.get_prerelease.outputs.prerelease }}

.github/workflows/release.yml

@@ -0,0 +1,27 @@
+name: Create GitHub Release
+
+on:
+  pull_request:
+    types:
+      - closed
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+### TODO: Replace instances of './.github/workflows/' w/ `auth0/dx-sdk-actions/workflows/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
+### TODO: Also remove `get-prerelease`, `get-release-notes`, `get-version`, `maven-publish`, `release-create`, and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
+### TODO: Also remove `java-release` workflow from this repo's .github/workflows folder once the repo is public.
+
+jobs:
+  release:
+    uses: ./.github/workflows/java-release.yml
+    with:
+      java-version: 8.0.382-tem
+      is-android: false
+    secrets:
+      ossr-username: ${{ secrets.OSSR_USERNAME }}
+      ossr-password: ${{ secrets.OSSR_PASSWORD }}
+      signing-key: ${{ secrets.SIGNING_KEY }}
+      signing-password: ${{ secrets.SIGNING_PASSWORD }}
+      github-token: ${{ secrets.GITHUB_TOKEN }}

.shiprc

@@ -1,6 +1,7 @@
 {
   "files": {
     "README.md": [],
+    ".version": [],
     "build.gradle": ["version = \"{MAJOR}.{MINOR}.{PATCH}\""]
   },
   "prefixVersion": false

.version

@@ -0,0 +1 @@
+0.22.1

build.gradle

@@ -8,12 +8,16 @@ group = 'com.auth0'
 
 logger.lifecycle("Using version ${version} for ${name} group $group")
 
+def signingKey = findProperty('signingKey')
+def signingKeyPwd = findProperty('signingPassword')
+
 oss {
     name 'jwks-rsa'
     repository 'jwks-rsa-java'
     organization 'auth0'
     description 'JSON Web Key Set parser library'
     baselineCompareVersion '0.15.0'
+    skipAssertSigningConfiguration true
 
     developers {
         auth0 {
@@ -31,6 +35,10 @@ oss {
     }
 }
 
+signing {
+    useInMemoryPgpKeys(signingKey, signingKeyPwd)
+}
+
 jacocoTestReport {
     reports {
         xml.enabled = true
@@ -71,14 +79,6 @@ dependencies {
     testImplementation group: 'org.hamcrest', name: 'hamcrest-library', version:'1.3'
 }
 
-// Creates a version.txt file containing the current version of the SDK.
-// This file is picked up and parsed by our Ship Orb to determine the version.
-task exportVersion()  {
-    doLast {
-        new File(rootDir, "version.txt").text = "$version"
-    }
-}
-
 // See https://github.com/google/guava/releases/tag/v32.1.0 for why this is required
 sourceSets.all {
     configurations.getByName(runtimeClasspathConfigurationName) {