chore(build): build release binaries in ci#36
Draft
sklarsa wants to merge 14 commits into
Draft
Conversation
Restructure the Maven Central release workflow into a pipeline that proves the release good before doing anything irreversible: resolve versions, build the five native libraries, run the full test suite against them, and validate the signed bundle with the Central Portal before pushing the tag or publishing. Push only the release tag (never a commit to main); land the next snapshot bump as a follow-up PR. Upload as a droppable VALIDATED deployment, publish it through the Portal API, and do not block on the asynchronous propagation to Maven Central. Add a shared native-artifact staging script, harden the shell (pipefail, guarded objdump), pin the versions-set plugin, and flip central-publishing to autoPublish=false. Rewrite the release docs for the new flow. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address self-review findings on the release workflow: - Push the release tag before the irreversible Central publish POST, not after. Validation already proved the bundle good; a tag is deletable, a publish is not, so a tag-push failure (e.g. missing bot bypass) now leaves nothing published and a clean rerun. - Guard deployment-id capture and the status peek with || true so a no-match or transient curl/jq error cannot abort the step under errexit; the status peek timeout stays non-fatal. - Only commit the version bump when versions:set actually changed the poms, so a no-op override does not abort after upload. - Make open-bump-pr idempotent: force-with-lease the branch and skip PR creation when one already exists. - Re-check the Central version (not just the tag) in publish after the environment gate. - Read the release version from core/pom.xml, the shipped artifact. - Build both macOS targets to completion (fail-fast: false). - Fix the README Maven coordinate (org.questdb:questdb-client) and align the release docs with the tag-before-publish order and test coverage. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Second self-review pass:
- open-bump-pr pushed the bump branch with --force-with-lease, but the
job never fetches that branch, so there is no lease reference and the
push is rejected ("stale info") whenever the branch already exists (and
on first creation). Use plain --force; the branch is a throwaway owned
solely by this workflow.
- Tag is now pushed before the publish POST, so a POST failure used to
leave a tag that blocks reruns while nothing was published. Add an
if: failure() step that deletes the tag; the publish job fails only
when nothing reached Central, so this never drops a real release's tag.
- Correct the release doc: the Windows DLL is cross-compiled on Linux and
only objdump-checked, not load-tested like the macOS/Linux libraries.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The tag-rollback step was gated only on if: failure(), which can fire after the publish POST already returned 2xx (the deployment is then irreversibly Sonatype's) -- via the status peek exiting on FAILED or a job timeout mid-peek -- deleting the tag of a release that will publish. Set a published=true step output immediately after the 2xx accept and gate the rollback on `failure() && steps.central-publish.outputs.published != 'true'`. Outputs persist even if the step later fails, so the tag can never be rolled back once the publish was accepted. Rollback now runs only for failures before the POST, where nothing reached Central. Also warn, instead of silently swallowing, when the tag deletion itself fails. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- open-bump-pr opened the PR with --base "${SOURCE_REF}", which fails for
a tag or SHA ref and would redden a run whose release already
succeeded. Skip the bump with a notice when source_ref is not a branch;
the bump is post-release housekeeping and can be done manually.
- Document that MAVEN_GPG_PRIVATE_KEY must be the ASCII-armored key as a
JSON-escaped string (newlines as \n) so parse-json-secrets restores
real newlines for gpg --import -- the most common Central release
failure.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this does
Reworks the Maven Central release into a single manually-triggered workflow that proves the release is good before doing anything irreversible. Native libraries are built and tested in CI (not committed by hand), and the git tag / Central publish only happen after the full test suite and the Central Portal validation have passed.
Release flow (abridged)
Trigger
Release to Maven Centralfrom the Actions tab, then approve the gatedpublishstep when prompted:-SNAPSHOTPOM; fails fast if the tag or Central version already exists.objdump-checked for a clean runtime-dependency list.maven-releaseenvironment) — after approval: signs and uploads a droppableVALIDATEDdeployment, pushes the release tag, then performs the single irreversible step of publishing the deployment via the Central Portal API. If anything fails, the tag is rolled back so reruns stay clean.Key properties: validation happens before the tag is pushed, and the Central publish is the single irreversible step and runs last — a tag-push failure leaves nothing published and a clean rerun. The tag pins the exact verified tree. We never push commits to
main(the snapshot bump is a PR, somainkeeps its PR-only protection). The run does not block on Maven Central's asynchronous propagation (which can take minutes to an hour+).Required one-time setup
github-actions[bot]as a bypass actor on the org-widerestrict-tag-pushingruleset, so thepublishjob can push (and roll back) the release tag. (Do not bypass themainbranch ruleset — the snapshot bump goes through a PR.)maven-releaseenvironment: configure required reviewers (the human approval gate before any credentials are used).MAVEN_RELEASE_AWS_SECRET_ARN) must define:MAVEN_GPG_PRIVATE_KEY,MAVEN_CENTRAL_USERNAME,MAVEN_CENTRAL_PASSWORD, and optionallyMAVEN_GPG_PASSPHRASE(empty/absent for a passphrase-less key).Full procedure:
artifacts/release/README.md.Follow-ups (not blocking)
/25/latest/) and the Windowsjni_md.h(currentlyjdk25u@master) to exact builds + checksums — marked withTODO(pin)in the workflow.central-publishing-maven-plugin0.9.0 log line matches thedeploymentId: <uuid>capture, and that the GPG key imports cleanly from the AWS secret.Evidence
Verified that the
include-native-artifactsprofile bundles staged binaries into the jar by mockinglibquestdb.sowith a test string, packaging, and confirming the jar contains the mocked version: