DAT-19398 DevOps :: Fix Liquibase Checks versioning in the tarball to match the Liquibase Checks repository (#6642)

jandroav · web-flow · commit 11ef37bfc459 · 2025-01-14T11:23:42.000-03:00
* ✨ (build-extension-jars.yml): add job to get liquibase-checks version from pom.xml to ensure the correct version is used during the build process
♻️ (build-extension-jars.yml): refactor build-liquibase-checks job to depend on get-liquibase-checks-version for improved version management

* 📝 (create-release.yml): update workflow to improve formatting and readability by fixing indentation and removing unnecessary blank lines. This enhances maintainability and clarity of the workflow configuration.

* ♻️ (build-extension-jars.yml): refactor version extraction logic to simplify the command and ensure it captures the correct version from pom.xml

* ♻️ (workflows): refactor build workflows to remove owasp-scanner job
and simplify dependencies for build-azure-uber-jar and build-extension-jars jobs.
This change is made to streamline the CI process and improve build efficiency.

* ✨ (create-release.yml): enable OWASP scanner in the release workflow to enhance security checks before builds
♻️ (create-release.yml): update job dependencies to ensure OWASP scanner runs before building Azure uber and extension jars

* ♻️ (create-release.yml): refactor workflow to remove owasp-scanner job and adjust dependencies for build jobs to streamline the release process
✨ (create-release.yml): add get-liquibase-checks-version job to extract version from liquibase-checks repository for better version management
🔧 (create-release.yml): update build-extension-jars job to use specific branch for consistency in builds

* ✨ (build-extension-jars.yml): add delete-checks-packages job to remove old
versions of liquibase-checks package before building to ensure a clean
environment and avoid version conflicts.

* ♻️ (build-extension-jars.yml): refactor delete-checks-packages job to remove unnecessary dependency on setup_matrix and simplify workflow

* ♻️ (create-release.yml): refactor conditional logic to remove unnecessary line for better readability and maintainability

* ♻️ (create-release.yml): refactor artifact copying logic to handle liquibase-checks version separately for improved accuracy in release process

* 📝 (create-release.yml): add debug logs and cleanup step for liquibase extensions to improve troubleshooting and ensure no leftover artifacts remain

* ♻️ (create-release.yml): refactor JSON generation for repositories and servers to improve readability and maintainability

* ✨ (create-release.yml): add job to download extensions artifacts for Liquibase to ensure all necessary dependencies are available during the release process

* ♻️ (create-release.yml): refactor artifact copying logic to handle liquibase-checks separately for correct versioning

* ♻️ (create-release.yml): refactor workflow to include owasp-scanner job as a dependency for build jobs to ensure security scanning occurs before builds
diff --git a/.github/workflows/build-extension-jars.yml b/.github/workflows/build-extension-jars.yml
@@ -87,17 +87,47 @@ jobs:
           token: ${{ secrets.BOT_TOKEN }}
           ignore-versions: "^((?!${{ inputs.liquibase-version }}$).)*$"
 
+  get-liquibase-checks-version:
+      if: ${{ contains(inputs.extensions, 'liquibase-checks') }}
+      runs-on: ubuntu-latest
+      outputs:
+          version: ${{ steps.extract-version.outputs.version }}
+      steps:
+          - uses: actions/checkout@v4
+            with:
+              repository: liquibase/liquibase-checks
+              token: ${{ secrets.BOT_TOKEN }}
+
+          - id: extract-version
+            name: Extract version from pom.xml
+            shell: bash
+            run: |
+                VERSION=$(grep '<version>' pom.xml | head -n 1 | sed 's/.*<version>\(.*\)-SNAPSHOT<\/version>.*/\1/')
+                echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+  delete-checks-packages:
+    needs: [ get-liquibase-checks-version ]
+    runs-on: ubuntu-22.04
+    continue-on-error: true
+    steps:
+      - uses: actions/delete-package-versions@v5
+        with:
+          package-name: org.liquibase.ext.liquibase-checks
+          package-type: "maven"
+          token: ${{ secrets.BOT_TOKEN }}
+          ignore-versions: "^((?!${{ needs.get-liquibase-checks-version.outputs.version }}$).)*$"
+
   build-liquibase-checks:
-    if: ${{ contains(inputs.extensions, 'liquibase-checks') }}
-    needs: [ delete-extension-packages ]
-    uses: liquibase/build-logic/.github/workflows/publish-for-liquibase.yml@main
-    with:
-      repository: liquibase/liquibase-checks
-      version: ${{ inputs.liquibase-version }}
-    secrets: inherit
+      if: ${{ contains(inputs.extensions, 'liquibase-checks') }}
+      needs: [ delete-extension-packages, get-liquibase-checks-version, delete-checks-packages ]
+      uses: liquibase/build-logic/.github/workflows/publish-for-liquibase.yml@main
+      with:
+          repository: liquibase/liquibase-checks
+          version: ${{ needs.get-liquibase-checks-version.outputs.version }}
+      secrets: inherit
 
   build-and-deploy-extensions:
-    needs: [delete-dependency-packages, delete-extension-packages]
+    needs: [delete-dependency-packages, delete-extension-packages, delete-checks-packages]
     runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -17,7 +17,7 @@ on:
         required: false
         type: boolean
         default: false
-      dry_run: 
+      dry_run:
         description: 'Flag to indicate if the workflow is triggered to create a dry-run release'
         required: false
         type: boolean
@@ -42,7 +42,7 @@ on:
         required: true
         type: boolean
         default: false
-      dry_run: 
+      dry_run:
         description: 'Flag to indicate if the workflow is triggered to create a dry-run release'
         required: true
         type: boolean
@@ -73,7 +73,7 @@ jobs:
     steps:
       - run: |
           echo "Creating version ${{ inputs.version }} from ${{ inputs.branch }} with artifacts from build ${{ inputs.runId }} "
-          
+
   owasp-scanner:
     needs: [ setup ]
     uses: liquibase/build-logic/.github/workflows/owasp-scanner.yml@main
@@ -88,7 +88,7 @@ jobs:
      branch: ${{ needs.setup.outputs.branch }}
      liquibase-version: ${{ needs.setup.outputs.version }}
    secrets: inherit
-  
+
   build-extension-jars:
    needs: [ setup, owasp-scanner ]
    uses: liquibase/liquibase/.github/workflows/build-extension-jars.yml@master
@@ -99,8 +99,27 @@ jobs:
      branch: ${{ needs.setup.outputs.branch }}
    secrets: inherit
 
+  get-liquibase-checks-version:
+    needs: [ setup ]
+    if: ${{ contains(needs.setup.outputs.extensions, 'liquibase-checks') }}
+    runs-on: ubuntu-latest
+    outputs:
+        version: ${{ steps.extract-version.outputs.version }}
+    steps:
+        - uses: actions/checkout@v4
+          with:
+            repository: liquibase/liquibase-checks
+            token: ${{ secrets.BOT_TOKEN }}
+
+        - id: extract-version
+          name: Extract version from pom.xml
+          shell: bash
+          run: |
+              VERSION=$(grep '<version>' pom.xml | head -n 1 | sed 's/.*<version>\(.*\)-SNAPSHOT<\/version>.*/\1/')
+              echo "version=$VERSION" >> $GITHUB_OUTPUT
+
   reversion:
-    needs: [ setup, build-azure-uber-jar, build-extension-jars ]
+    needs: [ setup, build-azure-uber-jar, build-extension-jars, get-liquibase-checks-version ]
     name: Re-version artifacts ${{ needs.setup.outputs.version }}
     runs-on: ubuntu-22.04
     steps:
@@ -130,37 +149,61 @@ jobs:
 
       - name: Download liquibase-pro-azure-artifacts
         uses: actions/download-artifact@v4
-        with: 
+        with:
           name: liquibase-pro-azure-artifacts
           path: liquibase-pro/liquibase-azure-deps
 
-      - name: Generate repositories and servers JSON
-        id: generate-json
-        run: |
-          IFS=',' read -ra EXT <<< "${{ needs.setup.outputs.extensions }}"
-          repositories=""
-          servers=""
-          for i in "${EXT[@]}"; do
-            repositories+="{\"id\": \"$i\",\"url\": \"https://maven.pkg.github.com/liquibase/$i\",\"releases\": {\"enabled\": \"true\"},\"snapshots\": {\"enabled\": \"true\",\"updatePolicy\": \"always\"}},"
-            servers+="{\"id\": \"$i\",\"username\": \"liquibot\",\"password\": \"${{ secrets.LIQUIBOT_PAT_GPM_ACCESS }}\"},"
-          done
-          # Remove trailing comma and wrap with brackets
-          repositories="["${repositories::-1}"]"
-          servers="["${servers::-1}"]"
-          echo "REPOSITORIES_JSON=$repositories" >> $GITHUB_ENV
-          echo "SERVERS_JSON=$servers" >> $GITHUB_ENV
-
       - name: maven-settings-xml-action
         uses: whelk-io/maven-settings-xml-action@v22
         with:
-          repositories: ${{ env.REPOSITORIES_JSON }}
-          servers: ${{ env.SERVERS_JSON }}
-              
+          repositories: |
+            [
+              {
+                "id": "liquibase",
+                "url": "https://maven.pkg.github.com/liquibase/liquibase",
+                "releases": {
+                  "enabled": "true"
+                },
+                "snapshots": {
+                  "enabled": "true",
+                  "updatePolicy": "always"
+                }
+              },
+              {
+                "id": "liquibase-pro",
+                "url": "https://maven.pkg.github.com/liquibase/liquibase-pro",
+                "releases": {
+                  "enabled": "true"
+                },
+                "snapshots": {
+                  "enabled": "true",
+                  "updatePolicy": "always"
+                }
+              }
+            ]
+          servers: |
+            [
+              {
+                "id": "liquibase",
+                "username": "liquibot",
+                "password": "${{ secrets.LIQUIBOT_PAT_GPM_ACCESS }}"
+              },
+              {
+                "id": "liquibase-pro",
+                "username": "liquibot",
+                "password": "${{ secrets.LIQUIBOT_PAT_GPM_ACCESS }}"
+              }
+            ]
+
       - name: Get extensions artifacts
         run: |
           IFS=',' read -ra ADDR <<< "${{ needs.setup.outputs.extensions }}"
           for extension in "${ADDR[@]}"; do
-            mvn dependency:get -DgroupId=org.liquibase.ext -DartifactId=$extension -Dversion=${{ needs.setup.outputs.version }} -Dtransitive=false || echo "Failed to download $extension artifact"
+            if [ "$extension" != "liquibase-checks" ]; then
+              mvn dependency:get -DgroupId=org.liquibase.ext -DartifactId=$extension -Dversion=${{ needs.setup.outputs.version }} -Dtransitive=false || echo "Failed to download $extension artifact"
+            else
+              mvn dependency:get -DgroupId=org.liquibase.ext -DartifactId=$extension -Dversion=${{ needs.get-liquibase-checks-version.outputs.version }} -Dtransitive=false || echo "Failed to download $extension artifact"
+            fi
           done
 
       - name: Set up JDK
@@ -181,7 +224,7 @@ jobs:
           mkdir -p $PWD/.github/util/
           # Download a script (re-version.sh) from a URL and save it to the specified directory
           curl -o $PWD/.github/util/re-version.sh https://raw.githubusercontent.com/liquibase/liquibase/$scripts_branch/.github/util/re-version.sh
-          
+
           # Download another script (sign-artifacts.sh) from a URL and save it to the specified directory
           curl -o $PWD/.github/util/sign-artifacts.sh https://raw.githubusercontent.com/liquibase/liquibase/$scripts_branch/.github/util/sign-artifacts.sh
           curl -o $PWD/.github/util/ManifestReversion.java https://raw.githubusercontent.com/liquibase/liquibase/$scripts_branch/.github/util/ManifestReversion.java
@@ -192,33 +235,41 @@ jobs:
 
           # Execute the sign-artifacts.sh script with specific arguments
           $PWD/.github/util/sign-artifacts.sh download/liquibase-artifacts "${{ needs.setup.outputs.version }}" "${{ needs.setup.outputs.branch }}"
-          
+
           ## Sign Files
           ## liquibase-azure-deps and liquibase extensions are already on its correct version. Check reusable workflow: build-azure-uber-jar.yml and build-extension-jars.yml
           mv liquibase-pro/liquibase-azure-deps/* re-version/out
-          
+
           # Modify the zip file
           unzip re-version/out/liquibase-${{ needs.setup.outputs.version }}.zip -d re-version/out/liquibase-${{ needs.setup.outputs.version }}
           mkdir -p re-version/out/liquibase-${{ needs.setup.outputs.version }}/internal/extensions
           rm -rf re-version/out/liquibase-${{ needs.setup.outputs.version }}.zip
           IFS=',' read -ra EXT <<< "${{ needs.setup.outputs.extensions }}"
           for i in "${EXT[@]}"; do
-            cp ~/.m2/repository/org/liquibase/ext/$i/${{ needs.setup.outputs.version }}/$i-${{ needs.setup.outputs.version }}.jar re-version/out/liquibase-${{ needs.setup.outputs.version }}/internal/extensions/$i.jar || echo "Failed to move $i artifact"
+            if [ "$i" != "liquibase-checks" ]; then
+              cp ~/.m2/repository/org/liquibase/ext/$i/${{ needs.setup.outputs.version }}/$i-${{ needs.setup.outputs.version }}.jar re-version/out/liquibase-${{ needs.setup.outputs.version }}/internal/extensions/$i.jar || echo "Failed to move $i artifact"
+            else
+              cp ~/.m2/repository/org/liquibase/ext/$i/${{ needs.get-liquibase-checks-version.outputs.version }}/$i-${{ needs.get-liquibase-checks-version.outputs.version }}.jar re-version/out/liquibase-${{ needs.setup.outputs.version }}/internal/extensions/$i.jar || echo "Failed to move $i artifact"
+            fi
           done
           (cd re-version/out/liquibase-${{ needs.setup.outputs.version }} && zip -r ../liquibase-${{ needs.setup.outputs.version }}.zip . && cd .. && rm -rf liquibase-${{ needs.setup.outputs.version }})
-          
+
           # Modify the tar.gz file
           mkdir -p re-version/out/liquibase-${{ needs.setup.outputs.version }}
           tar -xzvf re-version/out/liquibase-${{ needs.setup.outputs.version }}.tar.gz -C re-version/out/liquibase-${{ needs.setup.outputs.version }}
           rm -rf re-version/out/liquibase-${{ needs.setup.outputs.version }}.tar.gz
           mkdir -p re-version/out/liquibase-${{ needs.setup.outputs.version }}/internal/extensions
           for I in "${EXT[@]}"; do
-            cp ~/.m2/repository/org/liquibase/ext/$I/${{ needs.setup.outputs.version }}/$I-${{ needs.setup.outputs.version }}.jar re-version/out/liquibase-${{ needs.setup.outputs.version }}/internal/extensions/$I.jar || echo "Failed to move $I artifact"
+            if [ "$I" != "liquibase-checks" ]; then
+              cp ~/.m2/repository/org/liquibase/ext/$I/${{ needs.setup.outputs.version }}/$I-${{ needs.setup.outputs.version }}.jar re-version/out/liquibase-${{ needs.setup.outputs.version }}/internal/extensions/$I.jar || echo "Failed to move $I artifact"
+            else
+              cp ~/.m2/repository/org/liquibase/ext/$I/${{ needs.get-liquibase-checks-version.outputs.version }}/$I-${{ needs.get-liquibase-checks-version.outputs.version }}.jar re-version/out/liquibase-${{ needs.setup.outputs.version }}/internal/extensions/$I.jar || echo "Failed to move $I artifact"
+            fi
           done
           (cd re-version/out/liquibase-${{ needs.setup.outputs.version }} && tar -czvf ../liquibase-${{ needs.setup.outputs.version }}.tar.gz * && cd .. && rm -rf liquibase-${{ needs.setup.outputs.version }})
 
           $PWD/.github/util/sign-artifacts.sh re-version/out
-   
+
           # Move files to a specific directory
           mkdir re-version/final
           mv re-version/out/liquibase-core-${{ needs.setup.outputs.version }}.jar re-version/final
@@ -253,7 +304,7 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     outputs:
       dry_run_zip_url: ${{ steps.extract-dry-run-url.outputs.dry_run_zip_url }}
-      dry_run_tar_gz_url: ${{ steps.extract-dry-run-url.outputs.dry_run_tar_gz_url }} 
+      dry_run_tar_gz_url: ${{ steps.extract-dry-run-url.outputs.dry_run_tar_gz_url }}
     steps:
       - uses: actions/checkout@v4
 
@@ -291,19 +342,19 @@ jobs:
           echo "Saving windows key"
           echo "$INSTALL4J_WINDOWS_KEY" | base64 -d > liquibase-dist/target/keys/datical_windows.pfx
           version="${{ needs.setup.outputs.version }}"
-          
+
           ##### Rebuild installers
           tarFile=$(pwd)/re-version/final/liquibase-$version.tar.gz
           scriptDir=$(pwd)/.github/util/
-          
+
           mkdir -p liquibase-dist/target/liquibase-$version
           (cd liquibase-dist/target/liquibase-$version && tar xfz $tarFile)
           (cd liquibase-dist && $scriptDir/package-install4j.sh $version)
           mv liquibase-dist/target/liquibase-*-installer-* re-version/final
-          
+
           ##Sign Files
           $PWD/.github/util/sign-artifacts.sh re-version/final
-          
+
           (cd re-version/final && zip liquibase-additional-$version.zip *.asc *.md5 *.sha1)
           rm re-version/final/*.asc
           rm re-version/final/*.md5
@@ -348,11 +399,10 @@ jobs:
           echo $zip_url
           echo "dry_run_tar_gz_url=$tar_gz_url" >> $GITHUB_OUTPUT
           echo "dry_run_zip_url=$zip_url" >> $GITHUB_OUTPUT
-        
+
       - name: Attach standalone zip to Build
         if: ${{ inputs.standalone_zip == true && inputs.dry_run == false }}
         uses: actions/upload-artifact@v4
         with:
             name: liquibase-installers-${{ needs.setup.outputs.version }}
             path: re-version/final/*
-    
