Release - Create checksums and GPG sign #6
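name: Release - Create checksums and GPG sign

# Manually triggered release step: downloads the assets already attached to a
# GitHub release, writes checksum files and detached GPG signatures for them,
# and uploads the results back to the same release.
on:
  workflow_dispatch:
    inputs:
      gitReleaseTag:
        description: 'Release tag to upload to. Must start with "release-"'
        type: string

env:
  RELEASE_FOLDER: '${{ github.workspace }}/releaseDist'

jobs:
  sign_and_checksums:
    # Only the "release-" prefix is enforced here; the rest of the tag is
    # free-form text, so the steps below never paste it into a script body.
    if: ${{ inputs.gitReleaseTag && startsWith(inputs.gitReleaseTag, 'release-') }}
    runs-on: ubuntu-22.04  # Updated in BRS
    environment: release-env
    permissions:
      contents: write  # So that we can upload to release
    steps:
      # NOTE(review): both actions below are referenced by a mutable tag.
      # This job imports the release signing key, so consider pinning each
      # action to a full commit SHA.
      - name: Checkout and setup
        uses: actions/checkout@v4
        with:
          lfs: true

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: '11'
          distribution: 'temurin'
          gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
          # Name of the environment variable holding the passphrase,
          # not the passphrase itself.
          gpg-passphrase: MAVEN_GPG_PASSPHRASE

      - name: Get all release files
        run: |
          mkdir -p "${RELEASE_FOLDER}"
          pushd "${RELEASE_FOLDER}"
          gh release download "${RELEASE_TAG}" -p "*.zip" -p "*.tgz" -p "*.jar" --repo="${GITHUB_REPOSITORY}"
          popd
        env:
          GH_TOKEN: ${{ github.token }}
          # The tag reaches the script as data in an environment variable.
          # Expanding ${{ inputs.gitReleaseTag }} inside `run:` would splice
          # the raw text into the shell script before bash parses it.
          RELEASE_TAG: ${{ inputs.gitReleaseTag }}

      - name: Checksums and sign
        run: |
          # Presumably defines artifact_version; verify against shared.sh.
          source icu4j/releases_tools/shared.sh
          # Convert 76.1 to 76_1
          underscore_version=$(echo "${artifact_version}" | sed 's/\./_/g')
          pushd "${RELEASE_FOLDER}"
          sha512sum -b icu4c* > SHASUM512.txt
          # NOTE(review): *.jar files only get an MD5 list in this step. Unless
          # their names start with "icu4c" they are covered neither by
          # SHASUM512.txt nor by a detached signature here; confirm they are
          # signed elsewhere. MD5 is not collision resistant.
          md5sum -b *.jar > "icu4j-${artifact_version}.md5"
          md5sum -b icu4c-*-data-bin-*.zip > "icu4c-${underscore_version}-binary.md5"
          md5sum -b icu4c-*-src.* > "icu4c-${underscore_version}-sources.md5"
          # Take the file list before signing so that freshly written .asc
          # files (which also match icu4c*) are not signed a second time.
          mapfile -d '' -t to_sign < <(find . -type f -name 'icu4c*' -print0)
          # The passphrase is read from stdin instead of being passed as
          # --passphrase=..., which would put it in the process argument list.
          # Unlike `find -exec ... \;`, a failed gpg call now fails the step.
          for f in "${to_sign[@]}" SHASUM512.txt; do
            gpg --no-tty --batch --pinentry-mode loopback --passphrase-fd 0 \
              -a --output "${f}.asc" --detach-sig "${f}" <<< "${MAVEN_GPG_PASSPHRASE}"
          done
          popd
        env:
          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}

      - name: Upload to release
        run: |
          gh release upload "${RELEASE_TAG}" LICENSE --clobber --repo="${GITHUB_REPOSITORY}"
          gh release upload "${RELEASE_TAG}" "${RELEASE_FOLDER}"/*.md5 --clobber --repo="${GITHUB_REPOSITORY}"
          gh release upload "${RELEASE_TAG}" "${RELEASE_FOLDER}"/*.asc --clobber --repo="${GITHUB_REPOSITORY}"
          gh release upload "${RELEASE_TAG}" "${RELEASE_FOLDER}/SHASUM512.txt" --clobber --repo="${GITHUB_REPOSITORY}"
        env:
          GH_TOKEN: ${{ github.token }}
          # Same indirection as in the download step: pass the tag as data.
          RELEASE_TAG: ${{ inputs.gitReleaseTag }}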