DAT-13175 Full automation of OSS extension release

.github/workflows/create-release.yml

@@ -11,7 +11,7 @@ on:
 
 jobs:
   sonar:
-    uses: liquibase/build-logic/.github/workflows/[email protected].8
+    uses: liquibase/build-logic/.github/workflows/[email protected].9
     secrets: inherit
     with:
       extraCommand: ${{ inputs.extraCommand }}

.github/workflows/extension-attach-artifact-release.yml

@@ -27,7 +27,6 @@ on:
 jobs:
   attach-to-release:
     name: Attach Artifact to Release
-    if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
     steps:
       - run: sleep 30
@@ -85,9 +84,9 @@ jobs:
 
       - name: Get Reusable Script Files
         run: |
-          curl -o $PWD/.github/get_draft_release.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.8/.github/get_draft_release.sh
-          curl -o $PWD/.github/sign_artifact.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.8/.github/sign_artifact.sh
-          curl -o $PWD/.github/upload_asset.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.8/.github/upload_asset.sh
+          curl -o $PWD/.github/get_draft_release.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.9/.github/get_draft_release.sh
+          curl -o $PWD/.github/sign_artifact.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.9/.github/sign_artifact.sh
+          curl -o $PWD/.github/upload_asset.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.9/.github/upload_asset.sh
           chmod +x $PWD/.github/get_draft_release.sh
           chmod +x $PWD/.github/sign_artifact.sh
           chmod +x $PWD/.github/upload_asset.sh
@@ -176,7 +175,7 @@ jobs:
       - name: Get upload_zip.sh Script File
         if: inputs.zip == 'true'
         run: |
-          curl -o $PWD/.github/upload_zip.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.8/.github/upload_zip.sh
+          curl -o $PWD/.github/upload_zip.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.9/.github/upload_zip.sh
           chmod +x $PWD/.github/upload_zip.sh
 
       - name: Attach Zip File to Draft Release

.github/workflows/extension-release-prepare.yml

@@ -107,7 +107,7 @@ jobs:
   release-rollback:
     needs: prepare-release
     if: ${{ always() && contains(needs.*.result, 'failure') }}
-    uses: liquibase/build-logic/.github/workflows/[email protected].8
+    uses: liquibase/build-logic/.github/workflows/[email protected].9
     secrets: inherit
     with:
       extraCommand: ${{ inputs.extraCommand }}

.github/workflows/extension-release-published.yml

@@ -19,7 +19,7 @@ on:
 jobs:
   maven-release:
     needs: release
-    uses: liquibase/build-logic/.github/workflows/[email protected].8
+    uses: liquibase/build-logic/.github/workflows/[email protected].9
     secrets: inherit
     with:
       extraCommand: ${{ inputs.extraCommand }}

.github/workflows/os-extension-automated-release.yml

@@ -0,0 +1,244 @@
+name: Automated OS Extension Release 
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: 'Version to release (4.26.0, 4.26.1, etc.))'
+        required: true
+        type: string
+      repositories:
+        description: 'Comma separated list of repositories to release'
+        required: false
+        default: '["liquibase-bigquery","liquibase-cache","liquibase-cassandra","liquibase-cosmosdb","liquibase-db2i","liquibase-filechangelog","liquibase-nochangeloglock","liquibase-hanadb","liquibase-maxdb","liquibase-modify-column","liquibase-mssql","liquibase-oracle","liquibase-postgresql","liquibase-redshift","liquibase-sqlfire","liquibase-teradata","liquibase-vertica","liquibase-yugabytedb","liquibase-hibernate"]'
+        type: string
+
+jobs:
+  check-security-vulnerabilities:
+    # 1. Parse the input repositories into an array.
+    # 2. Initialize a flag to track if there are security vulnerabilities.
+    # 3. Check for open Dependabot security alerts.
+    # 4. Print the status of security vulnerabilities for each repository.
+    # 5. Set the flag if security vulnerabilities are found in any repository.
+    # 6. If security vulnerabilities are found in any repository, print an error message and exit with an error code.
+    runs-on: ubuntu-latest
+    name: Check Security Vulnerabilities
+    strategy:
+      matrix:
+        repository: ${{ fromJson(inputs.repositories) }}
+    steps:
+    - name: Security
+      run: |
+        security_fail=false
+        echo "Checking repository: ${{ matrix.repository }}"
+        security_url="https://api.github.com/repos/liquibase/${{ matrix.repository }}/dependabot/alerts?state=open"
+        response=$(curl -s -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${{ secrets.BOT_TOKEN }}" $security_url | jq length)
+        echo "Open Alerts: $response"
+        if [[ $response == "0" ]]; then
+          echo "Security vulnerabilities for ${{ matrix.repository }} are addressed."
+        else
+          echo "Security vulnerabilities for ${{ matrix.repository }} are not addressed."
+          security_fail=true
+        fi
+        if [[ $security_fail == true ]]; then
+          echo "Security vulnerabilities are not addressed for ${{ matrix.repository }}"
+          exit 1
+        fi
+
+  run-extensions-dependabot:
+    needs: check-security-vulnerabilities
+    runs-on: ubuntu-latest
+    name: Dependabot
+    strategy:
+      matrix:
+        repository: ${{ fromJson(inputs.repositories) }}
+    steps:
+    - name: Install Dependabot CLI
+      run: |
+        #https://github.com/dependabot/cli
+        wget https://github.com/dependabot/cli/releases/download/v1.39.0/dependabot-v1.39.0-linux-amd64.tar.gz
+        tar xvzf dependabot-v1.39.0-linux-amd64.tar.gz
+        sudo mv dependabot /usr/local/bin/
+
+    - name: Run dependabot on extension
+      run: |
+        echo "Running Dependabot on repository: ${{ matrix.repository }}"
+        dependabot update maven "liquibase/${{ matrix.repository }}"
+
+  update-pom:
+    needs: check-security-vulnerabilities
+    runs-on: ubuntu-latest
+    name: Update pom.xml
+    strategy:
+      matrix:
+        repository: ${{ fromJson(inputs.repositories) }}
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+      with:
+        repository: "liquibase/${{ matrix.repository }}"
+        token: ${{ secrets.BOT_TOKEN }}
+
+    - name: Set up Git
+      run: |
+        git config --unset-all http.https://github.com/.extraheader
+        git config --local user.email "[email protected]"
+        git config --local user.name "liquibot"
+
+    # look for dependencies in maven
+    - name: maven-settings-xml-action
+      uses: whelk-io/maven-settings-xml-action@v21
+      with:
+        repositories: |
+          [
+            {
+              "id": "liquibase",
+              "url": "https://maven.pkg.github.com/liquibase/liquibase",
+              "releases": {
+                "enabled": "true"
+              },
+              "snapshots": {
+                "enabled": "true",
+                "updatePolicy": "always"
+              }
+            },
+            {
+              "id": "liquibase-pro",
+              "url": "https://maven.pkg.github.com/liquibase/liquibase-pro",
+              "releases": {
+                "enabled": "true"
+              },
+              "snapshots": {
+                "enabled": "true",
+                "updatePolicy": "always"
+              }
+            }
+          ]
+        servers: |
+          [
+            {
+              "id": "liquibase-pro",
+              "username": "liquibot",
+              "password": "${{ secrets.LIQUIBOT_PAT }}"
+            },
+            {
+              "id": "liquibase",
+              "username": "liquibot",
+              "password": "${{ secrets.LIQUIBOT_PAT }}"
+            }
+          ]
+
+    - name: Update pom.xml
+      env:
+        GH_TOKEN: ${{ secrets.BOT_TOKEN }}
+      run: |
+        mvn versions:set -DnewVersion=${{ inputs.version }}-SNAPSHOT
+        sed -i "s/<liquibase.version>.*<\/liquibase.version>/<liquibase.version>${{ inputs.version }}<\/liquibase.version>/" pom.xml
+        git add pom.xml
+        git commit -m "Update liquibase.version to ${{ inputs.version }}"
+        git remote set-url origin https://liquibot:${{ secrets.BOT_TOKEN }}@github.com/liquibase/${{ matrix.repository }}.git
+        git push
+
+  release-draft-releases:
+    # 1. Initialize a flag to track if the specified version is found.
+    # 2. If draft releases are found, check if they contain the specified version to release.
+    # 3. If the version is found publish it as the latest release.
+    # 4. Print relevant information about the process.
+    needs: update-pom
+    runs-on: ubuntu-latest
+    name: Release Draft
+    strategy:
+      matrix:
+        repository: ${{ fromJson(inputs.repositories) }}
+    steps:
+    - name: Check for Artifact in Draft Releases
+      run: |
+          sleep 120
+          published_drafts_file=published_drafts.txt
+          found=false
+          echo "Checking repository: ${{ matrix.repository }}"
+          assets=$(curl -s -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${{ secrets.BOT_TOKEN }}" "https://api.github.com/repos/liquibase/${{ matrix.repository }}/releases" | jq -r '.[] | select(.draft == true)' | jq -r '.assets[]')
+          echo "Assets: $assets"
+          # check if assests are empty
+          if [ -z "$assets" ]; then
+            echo "No assets found"
+          else
+            if echo "$assets" | jq -e '.name | contains("${{ inputs.version }}")' > /dev/null; then
+              found=true
+              echo "Found an asset containing '${{ inputs.version }}'"
+            else
+              echo "No asset containing '${{ inputs.version }}' found"
+            fi
+            if [ "$found" = true ] ; then
+              # Get the draft release ID
+              RELEASE_ID=$(curl -s -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${{ secrets.BOT_TOKEN }}" "https://api.github.com/repos/liquibase/${{ matrix.repository }}/releases" | jq -r '.[] | select(.draft == true) | .id')
+              echo "Draft release ID: $RELEASE_ID"
+              RELEASE_TITLE="v${{ inputs.version }}"
+              # Update the release title
+              # echo "Updating release title to $RELEASE_TITLE... for ${{ matrix.repository }}"
+              # curl -s -X PATCH -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${{ secrets.BOT_TOKEN }}" -d '{"name": "'"$RELEASE_TITLE"'"}' "https://api.github.com/repos/liquibase/${{ matrix.repository }}/releases/$RELEASE_ID"
+              # Publish the draft release as the latest release
+              echo "Publishing the draft release as the latest release to https://api.github.com/repos/liquibase/${{ matrix.repository }}/releases/$RELEASE_ID"
+              curl -s -X PATCH -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${{ secrets.BOT_TOKEN }}" -d '{"draft": false}' "https://api.github.com/repos/liquibase/${{ matrix.repository }}/releases/$RELEASE_ID"
+              echo "Draft release published as the latest release for ${{ matrix.repository }}"
+              echo "${{ matrix.repository }}: v${{ inputs.version }}" >> $published_drafts_file
+            else
+              echo "No artifact containing '${{ inputs.version }}' found in the last draft release."
+            fi
+          fi
+
+
+    - name: Archive published_drafts.txt
+      uses: actions/upload-artifact@v3
+      with:
+        name: published_drafts
+        path: published_drafts.txt
+
+  create-and-close-nexus-stagging:
+    # 1. This job pauses the workflow for 60 seconds, allowing time for Sonatype Nexus stagging repos to be ready.
+    # 2. The job uses the Sonatype Nexus API to retrieve information about staging repositories.
+    # 3. It extracts the IDs of repositories containing the string "liquibase."
+    # 4. For each repository, it checks if it is an extension by examining its relative path.
+    # 5. If an extension is detected, the repository is closed using the Sonatype Nexus API.
+    # 6. A sleep of 120 seconds follows the closure before the final release step (commented out for safety).
+    needs: release-draft-releases
+    runs-on: ubuntu-latest
+    name: Nexus
+    steps:
+      - name: Wait for Sonatype Nexus
+        run: sleep 60
+
+      - name: Publish OSS Extensions
+        run: |
+          closed_nexus_repos_file=closed_nexus_repos.txt
+          api_output=$(curl -s -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_TOKEN }}" "https://oss.sonatype.org/service/local/staging/profile_repositories")
+          # Extract ids of repositories-item containing the string "liquibase"
+          repositories=$(echo "$api_output" | grep -B 8 "liquibase" | grep "<repositoryId>" | awk -F"<|>" '{print $3}')
+          echo "Repository IDs containing 'liquibase': $repositories"
+          # Loop through each repository and close it
+          for repo_id in $repositories; do
+            echo "Check if $repo_id repository is an extension"
+            api_output=$(curl -s -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_TOKEN }}" "https://oss.sonatype.org/service/local/repositories/$repo_id/content/org/liquibase/")
+            relative_path=$(echo "$api_output" | grep -oP '<relativePath>\K[^<]+' | awk 'NR==1')
+            echo "Relative path: $relative_path"
+            if [[ "$relative_path" == *"/org/liquibase/ext/"* ]]; then
+                echo "Relative path contains '/org/liquibase/ext/'. It is an extension."
+                curl -s -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_TOKEN }}" -H "Accept: application/json" -H "Content-Type: application/json" -d '{"data":{"stagedRepositoryIds":["'"$repo_id"'"],"description":"Closing '"$repo_id"'."}}' https://oss.sonatype.org/service/local/staging/bulk/close
+                api_output=$(curl -s -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_TOKEN }}" "https://oss.sonatype.org/service/local/repositories/$repo_id/content/org/liquibase/ext/")
+                relative_path=$(echo "$api_output" | grep -oP '<relativePath>\K[^<]+' | awk 'NR==1')
+                echo "Closed repository: $repo_id - $relative_path" >> $closed_nexus_repos_file
+                #sleep 120
+                #curl -s -u "${{ secrets.SONATYPE_USERNAME }}:${{ secrets.SONATYPE_TOKEN }}" -H "Accept: application/json" -H "Content-Type: application/json" -d '{"data":{"stagedRepositoryIds":["'"$repo_id"'"],"description":"Releasing '"$repo_id"'."}}' https://oss.sonatype.org/service/local/staging/bulk/promote
+                #echo "Released repository: $repo_id"
+            else
+                echo "Relative path does not contain '/org/liquibase/ext/'. It is not an extension."
+            fi
+          done
+
+      - name: Archive closed_nexus_repos.txt
+        uses: actions/upload-artifact@v3
+        with:
+          name: closed_nexus_repos
+          path: closed_nexus_repos.txt
+

.github/workflows/os-extension-test.yml

@@ -203,7 +203,7 @@ jobs:
   sonar-pr:
     if: ${{ !inputs.nightly }} 
     needs: [ unit-test ]
-    uses: liquibase/build-logic/.github/workflows/[email protected].8
+    uses: liquibase/build-logic/.github/workflows/[email protected].9
     secrets: inherit
     with:
       extraCommand: ${{ inputs.extraCommand }} 

.github/workflows/package-linux.yml

@@ -64,11 +64,11 @@ jobs:
             # Under the src folder is where specific packages files live. The GitHub action inputs will modify the universal package-deb-pom.xml to tell the process which assets to use during the packaging step
             mkdir -p $PWD/.github/src/${{ inputs.artifactId }}/deb/control
             mkdir -p $PWD/.github/src/${{ inputs.artifactId }}/main/archive
-            curl -o $PWD/.github/src/${{ inputs.artifactId }}/deb/control/control https://raw.githubusercontent.com/liquibase/build-logic/v0.5.8/src/${{ inputs.artifactId }}/deb/control/control
-            curl -o $PWD/.github/src/${{ inputs.artifactId }}/deb/control/postinst https://raw.githubusercontent.com/liquibase/build-logic/v0.5.8/src/${{ inputs.artifactId }}/deb/control/postinst
-            curl -o $PWD/.github/src/${{ inputs.artifactId }}/main/archive/${{ inputs.artifactId }}-env.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.8/src/${{ inputs.artifactId }}/main/archive/${{ inputs.artifactId }}-env.sh
-            curl -o $PWD/.github/package-deb-pom.xml https://raw.githubusercontent.com/liquibase/build-logic/v0.5.8/.github/package-deb-pom.xml
-            curl -o $PWD/.github/sign_artifact.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.8/.github/sign_artifact.sh
+            curl -o $PWD/.github/src/${{ inputs.artifactId }}/deb/control/control https://raw.githubusercontent.com/liquibase/build-logic/v0.5.9/src/${{ inputs.artifactId }}/deb/control/control
+            curl -o $PWD/.github/src/${{ inputs.artifactId }}/deb/control/postinst https://raw.githubusercontent.com/liquibase/build-logic/v0.5.9/src/${{ inputs.artifactId }}/deb/control/postinst
+            curl -o $PWD/.github/src/${{ inputs.artifactId }}/main/archive/${{ inputs.artifactId }}-env.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.9/src/${{ inputs.artifactId }}/main/archive/${{ inputs.artifactId }}-env.sh
+            curl -o $PWD/.github/package-deb-pom.xml https://raw.githubusercontent.com/liquibase/build-logic/v0.5.9/.github/package-deb-pom.xml
+            curl -o $PWD/.github/sign_artifact.sh https://raw.githubusercontent.com/liquibase/build-logic/v0.5.9/.github/sign_artifact.sh
             chmod +x $PWD/.github/sign_artifact.sh
 
         - name: Import GPG key

.github/workflows/pom-release-published.yml

@@ -68,5 +68,5 @@ jobs:
 
   maven-release:
     needs: release
-    uses: liquibase/build-logic/.github/workflows/[email protected].8
+    uses: liquibase/build-logic/.github/workflows/[email protected].9
     secrets: inherit

.github/workflows/pro-extension-test.yml

@@ -263,7 +263,7 @@ jobs:
   sonar-pr:
     if: ${{ !inputs.nightly }} 
     needs: [ unit-test ]
-    uses: liquibase/build-logic/.github/workflows/[email protected].8
+    uses: liquibase/build-logic/.github/workflows/[email protected].9
     secrets: inherit
     with:
       extraCommand: ${{ inputs.extraCommand }}