2 changes: 1 addition & 1 deletion .github/actions/install-mvnd/action.yml
@@ -4,7 +4,7 @@ inputs:
version:
description: 'The version of the Maven Daemon to install'
required: true
default: '1.0.3'
default: '1.0.6'
file-version-suffix:
description: 'A suffix to append to the version of the download file of Maven Daemon to install'
required: false
30 changes: 27 additions & 3 deletions .github/actions/maven-github-settings/action.yml
@@ -1,19 +1,43 @@
# Creates Maven settings.xml with auth for the eXist-db org's GitHub Packages repos.
# Creates Maven settings.xml with auth for the eXist-db org's GitHub Packages repos
# and optionally for Sonatype Central Portal publishing.
# Required for resolving artifacts from maven.pkg.github.com/eXist-db/{exist, exist-xqts-runner, jackrabbit-webdav-jakarta}.
name: Maven GitHub Packages settings
description: Create settings.xml with github, github-xqts-runner, and github-jackrabbit-webdav-jakarta servers
description: Create settings.xml with GitHub Packages and (optionally) Sonatype Central Portal servers
inputs:
token:
description: 'GitHub token for package authentication'
required: true
central-token-username:
description: 'Sonatype Central Portal user token username (release jobs only)'
required: false
default: ''
central-token-password:
description: 'Sonatype Central Portal user token password (release jobs only)'
required: false
default: ''
runs:
using: 'composite'
steps:
- name: Create Maven settings for GitHub Packages
shell: bash
env:
CENTRAL_TOKEN_USERNAME: ${{ inputs.central-token-username }}
CENTRAL_TOKEN_PASSWORD: ${{ inputs.central-token-password }}
run: |
mkdir -p ~/.m2
OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')

# Build optional Central Portal server block
CENTRAL_SERVER=""
if [ -n "$CENTRAL_TOKEN_USERNAME" ]; then
CENTRAL_SERVER="
<server>
<id>central</id>
<username>${CENTRAL_TOKEN_USERNAME}</username>
<password>${CENTRAL_TOKEN_PASSWORD}</password>
</server>"
fi

cat > ~/.m2/settings.xml << EOF
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 https://maven.apache.org/xsd/settings-1.2.0.xsd">
<servers>
@@ -31,7 +55,7 @@ runs:
<id>github-jackrabbit-webdav-jakarta</id>
<username>${OWNER}</username>
<password>${{ inputs.token }}</password>
</server>
</server>${CENTRAL_SERVER}
</servers>
</settings>
EOF
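Review bot: The new Central Portal block is written whenever `central-token-username` is non-empty, even if `central-token-password` is empty, so a half-configured release job gets a `<server>` entry with a blank password and fails only later, at deploy time; the guard could be `if [ -n "$CENTRAL_TOKEN_USERNAME" ] && [ -n "$CENTRAL_TOKEN_PASSWORD" ]; then`. Both values are also pasted into the XML unescaped, so a token containing `&` or `<` would yield a malformed settings.xml. Because the file now holds a publishing credential in plaintext that every later step of the job can read, consider `chmod 600 ~/.m2/settings.xml` after the heredoc, or writing a literal `\${env.CENTRAL_TOKEN_PASSWORD}` reference into the file so Maven resolves the value only in the step that exports it. Part of the `<servers>` list sits in the collapsed region between the two hunks and was not reviewed.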
48 changes: 38 additions & 10 deletions .github/workflows/ci-container.yml
@@ -1,6 +1,11 @@
name: Publish Container
on:
push:
branches:
- develop
- master
tags:
- 'eXist-*'
pull_request:
schedule:
- cron: "0 6 * * *"
@@ -11,8 +16,13 @@ jobs:
name: Test and Publish Container Images
runs-on: ubuntu-latest
timeout-minutes: 60
# NOTE (DP): Publish on develop and master, test on PRs against these
if: github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master' || github.base_ref == 'develop' || github.base_ref == 'master'
# Publish on develop (latest) and eXist-* tags (versioned + release); test on PRs against these branches.
if: >
github.ref == 'refs/heads/develop' ||
github.ref == 'refs/heads/master' ||
startsWith(github.ref, 'refs/tags/eXist-') ||
github.base_ref == 'develop' ||
github.base_ref == 'master'
steps:
- uses: actions/checkout@v6
with:
@@ -23,11 +33,11 @@ jobs:
distribution: temurin
java-version: '21'
- name: Set up QEMU
uses: docker/setup-qemu-action@v4
uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4
with:
platforms: linux/amd64,linux/arm64
- name: Make buildkit default
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
id: buildx
- uses: ./.github/actions/maven-cache
- uses: ./.github/actions/maven-github-settings
@@ -43,7 +53,17 @@ jobs:
timeout-minutes: 35
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: mvn -V -B --no-transfer-progress -q -Pdocker -DskipTests -Ddependency-check.skip=true -P !mac-dmg-on-unix,!installer,!concurrency-stress-tests,!micro-benchmarks,skip-build-dist-archives clean package
run: |
REVISION_ARG=""
if [[ "${{ github.ref }}" == refs/tags/eXist-* ]]; then
VERSION="${{ github.ref_name }}"
REVISION_ARG="-Drevision=${VERSION#eXist-}"
fi
mvn -V -B --no-transfer-progress -q \
-Pdocker,skip-build-dist-archives \
-DskipTests -Ddependency-check.skip=true \
$REVISION_ARG \
clean package
- name: Check local images
run: docker image ls
- name: Check license headers
@@ -73,8 +93,6 @@ jobs:
name: exist-core-failed-log
path: exist.log

# NOTE (DP): When on master push release, when on develop push latest: Version is included automatically
# TODO (DP): Confirm that releases triggered from maven publish images with the non SNAPSHOT version
- name: Publish latest images
if: github.repository == 'eXist-db/exist' && github.ref == 'refs/heads/develop'
env:
@@ -83,14 +101,24 @@ jobs:
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
run: mvn --no-transfer-progress -q -Ddocker.tag=latest -Ddocker.username=$DOCKER_USERNAME -Ddocker.password=$DOCKER_PASSWORD docker:build docker:push
working-directory: ./exist-docker
- name: Publish release images
if: github.repository == 'eXist-db/exist' && github.ref == 'refs/heads/master'

- name: Publish versioned release images
if: github.repository == 'eXist-db/exist' && startsWith(github.ref, 'refs/tags/eXist-')
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
run: mvn --no-transfer-progress -q -Ddocker.tag=release -Ddocker.username=$DOCKER_USERNAME -Ddocker.password=$DOCKER_PASSWORD docker:build docker:push
run: |
VERSION="${{ github.ref_name }}"
VERSION="${VERSION#eXist-}"
mvn --no-transfer-progress -q \
-Drevision="$VERSION" \
-Ddocker.tag=release \
-Ddocker.username=$DOCKER_USERNAME \
-Ddocker.password=$DOCKER_PASSWORD \
docker:build docker:push
working-directory: ./exist-docker

# NOTE (DP): This is for debugging, publishes an experimental image from inside PRs against develop
# - name: Publish experimental images
# if: github.base_ref == 'develop'
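Review bot: `${{ github.ref }}` and `${{ github.ref_name }}` are expanded into the script text of the two new multi-line `run:` blocks before bash starts, so a tag name containing shell metacharacters that git permits in ref names would be interpreted as script rather than data, and the "Publish versioned release images" step has `DOCKER_PASSWORD` in its environment. Pass the ref through the environment instead: add `REF_NAME: ${{ github.ref_name }}` under `env:`, use `VERSION="${REF_NAME#eXist-}"`, and test `[[ "$GITHUB_REF" == refs/tags/eXist-* ]]` in the build step. `$REVISION_ARG`, `$DOCKER_USERNAME` and `$DOCKER_PASSWORD` are also unquoted on the mvn command lines and would word-split on unusual values. Separately, the two docker actions are now pinned to commit SHAs while `actions/checkout@v6` in the same job remains a movable tag; pinning it as well would make the job consistent.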
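--- a/.github/workflows/ci-release-prepare.yml
+++ b/.github/workflows/ci-release-prepare.yml
@@ -0,0 +1,63 @@
+name: Prepare Release
+
+# Replaces mvn release:prepare. Updates CITATION.cff, commits, creates the
+# annotated tag, and pushes — which then triggers ci-release.yml.
+#
+# Requires a fine-grained PAT (RELEASE_PAT) with contents:write on this repo.
+# GITHUB_TOKEN pushes do not trigger downstream tag workflows.
+
+on:
+workflow_dispatch:
+inputs:
+version:
+description: 'Release version (e.g. 7.0.0)'
+required: true
+type: string
+
+permissions:
+contents: write
+
+jobs:
+prepare:
+name: Prepare eXist-${{ inputs.version }}
+runs-on: ubuntu-latest
+timeout-minutes: 15
+steps:
+- uses: actions/checkout@v6
+with:
+fetch-depth: 0
+# PAT required so the tag push triggers ci-release.yml.
+# GITHUB_TOKEN pushes are intentionally blocked from triggering workflows.
+token: ${{ secrets.RELEASE_PAT }}
+
+- uses: actions/setup-java@v5
+with:
+distribution: temurin
+java-version: '21'
+
+- uses: ./.github/actions/maven-cache
+
+- uses: ./.github/actions/maven-github-settings
+with:
+token: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Update CITATION.cff
+run: |
+mvn -B --no-transfer-progress \
+-Pcitation-release-metadata \
+-DupdateCff=true \
+-Drevision=${{ inputs.version }} \
+validate
+
+- name: Commit and tag
+run: |
+git config user.name "github-actions[bot]"
+git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+git add CITATION.cff
+# Only commit if CITATION.cff actually changed
+git diff --staged --quiet || \
+git commit -m "[release] Prepare eXist-${{ inputs.version }}"
+git tag -a "eXist-${{ inputs.version }}" \
+-m "eXist-db ${{ inputs.version }}"
+git push origin HEAD
+git push origin "eXist-${{ inputs.version }}"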
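Review bot: `${{ inputs.version }}` is substituted directly into the shell text of both `run:` blocks (`-Drevision=…` and every git command in "Commit and tag") with no format check, in a job whose checkout is configured with `RELEASE_PAT`. A mistyped or malformed value is therefore either interpreted as shell or committed, tagged and pushed, which then starts ci-release.yml. Bind the input to an environment variable, validate it against the version pattern the project actually uses (the regex below is an assumption based on the `7.0.0` example), and reference only `$VERSION` in the scripts; the same treatment applies to the "Update CITATION.cff" step. The workflow-level `contents: write` also looks broader than needed if all pushes go through the PAT, but confirm nothing else in the job depends on it before reducing it.

```yaml
      - name: Commit and tag
        env:
          VERSION: ${{ inputs.version }}
        run: |
          # Reject anything that is not a plain release version before it reaches git
          if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Invalid release version: $VERSION" >&2
            exit 1
          fi
          # … unchanged: git config user.name / user.email, git add CITATION.cff …
          git diff --staged --quiet || \
            git commit -m "[release] Prepare eXist-$VERSION"
          git tag -a "eXist-$VERSION" -m "eXist-db $VERSION"
          git push origin HEAD
          git push origin "eXist-$VERSION"
```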