Switch to reusable workflows

Issue gh-14538
Closes gh-14242
Closes gh-13195
Closes gh-10460
Closes gh-11308

Author: sjohnr

.github/workflows/continuous-integration-workflow.yml

@@ -9,299 +9,111 @@ on:
   workflow_dispatch: # Manual trigger
 
 env:
-  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  GRADLE_ENTERPRISE_CACHE_USER: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USER }}
+  GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USER }}
   GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
-  GRADLE_ENTERPRISE_SECRET_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
-  COMMIT_OWNER: ${{ github.event.pusher.name }}
-  COMMIT_SHA: ${{ github.sha }}
-  STRUCTURE101_LICENSEID: ${{ secrets.STRUCTURE101_LICENSEID }}
-  ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
-  ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
+  GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
 
 permissions:
   contents: read
 
 jobs:
-  prerequisites:
-    name: Pre-requisites for building
-    runs-on: ubuntu-latest
-    if: ${{ github.repository == 'spring-projects/spring-security' }}
-    outputs:
-      runjobs: ${{ steps.continue.outputs.runjobs }}
-      project_version: ${{ steps.continue.outputs.project_version }}
-      samples_branch: ${{ steps.continue.outputs.samples_branch }}
-    steps:
-      - uses: actions/checkout@v4
-      - id: continue
-        name: Determine if should continue
-        run: |
-          # Run jobs if in upstream repository
-          echo "runjobs=true" >>$GITHUB_OUTPUT
-          # Extract version from gradle.properties
-          version=$(cat gradle.properties | grep "version=" | awk -F'=' '{print $2}')
-          echo "project_version=$version" >>$GITHUB_OUTPUT
-          samples_branch=$(cat gradle.properties | grep "samplesBranch=" | awk -F'=' '{print $2}')
-          echo "samples_branch=$samples_branch" >>$GITHUB_OUTPUT
-  build_jdk_17:
-    name: Build JDK 17
-    needs: [prerequisites]
+  build:
+    name: Build
+    uses: spring-io/spring-security-release-tools/.github/workflows/build.yml@v1
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest]
-    runs-on: ${{ matrix.os }}
-    if: needs.prerequisites.outputs.runjobs
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up JDK 17
-        uses: actions/setup-java@v4
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-          cache: 'gradle'
-      - name: Set up Gradle
-        uses: gradle/gradle-build-action@v3
-      - name: Set up gradle user name
-        run: echo 'systemProp.user.name=spring-builds+github' >> gradle.properties
-      - name: Build with Gradle
-        env:
-          GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USER }}
-          GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
-          GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
-        run: ./gradlew clean build --continue -PartifactoryUsername="$ARTIFACTORY_USERNAME" -PartifactoryPassword="$ARTIFACTORY_PASSWORD"
-  snapshot_tests:
-    name: Test against snapshots
-    needs: [prerequisites]
-    runs-on: ubuntu-latest
-    if: needs.prerequisites.outputs.runjobs
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up gradle
-        uses: spring-io/spring-gradle-build-action@v2
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-      - name: Snapshot Tests
-        run: |
-          export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
-          export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
-          export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
-          ./gradlew test --refresh-dependencies -PartifactoryUsername="$ARTIFACTORY_USERNAME" -PartifactoryPassword="$ARTIFACTORY_PASSWORD" -PforceMavenRepositories=snapshot -PisOverrideVersionCatalog -PspringFrameworkVersion='6.0.+' -PreactorVersion='2022.0.+' -PspringDataVersion='2022.0.+' -PlocksDisabled --stacktrace
-  check_samples:
-    name: Check Samples project
-    needs: [prerequisites]
+        os: [ ubuntu-latest, windows-latest ]
+        jdk: [ 17 ]
+    with:
+      runs-on: ${{ matrix.os }}
+      java-version: ${{ matrix.jdk }}
+      distribution: temurin
+    secrets: inherit
+  test:
+    name: Test Against Snapshots
+    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@v1
+    strategy:
+      matrix:
+        java-version: [ 17 ]
+    with:
+      java-version: ${{ matrix.java-version }}
+      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot -PisOverrideVersionCatalog -PspringFrameworkVersion=6.0.+ -PreactorVersion=2022.0.+ -PspringDataVersion=2022.0.+ --stacktrace
+    secrets: inherit
+  check-samples:
+    name: Check Samples
     runs-on: ubuntu-latest
-    if: needs.prerequisites.outputs.runjobs
+    if: ${{ github.repository_owner == 'spring-projects' }}
     steps:
       - uses: actions/checkout@v4
       - name: Set up gradle
         uses: spring-io/spring-gradle-build-action@v2
         with:
-          java-version: '17'
-          distribution: 'temurin'
+          java-version: 17
+          distribution: temurin
       - name: Check samples project
         env:
           LOCAL_REPOSITORY_PATH: ${{ github.workspace }}/build/publications/repos
           SAMPLES_DIR: ../spring-security-samples
-          VERSION: ${{ needs.prerequisites.outputs.project_version }}
-          SAMPLES_BRANCH: ${{ needs.prerequisites.outputs.samples_branch }}
         run: |
-          export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
-          export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
-          export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
+          # Extract version from gradle.properties
+          version=$(cat gradle.properties | grep "version=" | awk -F'=' '{print $2}')
+          # Extract samplesBranch from gradle.properties
+          samples_branch=$(cat gradle.properties | grep "samplesBranch=" | awk -F'=' '{print $2}')
           ./gradlew publishMavenJavaPublicationToLocalRepository
-          ./gradlew cloneRepository -PrepositoryName="spring-projects/spring-security-samples" -Pref="$SAMPLES_BRANCH" -PcloneOutputDirectory="$SAMPLES_DIR"
-          ./gradlew --project-dir "$SAMPLES_DIR" --init-script spring-security-ci.gradle -PlocalRepositoryPath="$LOCAL_REPOSITORY_PATH" -PspringSecurityVersion="$VERSION" :runAllTests
-  check_tangles:
+          ./gradlew cloneRepository -PrepositoryName="spring-projects/spring-security-samples" -Pref="$samples_branch" -PcloneOutputDirectory="$SAMPLES_DIR"
+          ./gradlew --project-dir "$SAMPLES_DIR" --init-script spring-security-ci.gradle -PlocalRepositoryPath="$LOCAL_REPOSITORY_PATH" -PspringSecurityVersion="$version" :runAllTests
+  check-tangles:
     name: Check for Package Tangles
-    needs: [ prerequisites ]
     runs-on: ubuntu-latest
-    if: needs.prerequisites.outputs.runjobs
+    if: ${{ github.repository_owner == 'spring-projects' }}
     steps:
       - uses: actions/checkout@v4
       - name: Set up gradle
         uses: spring-io/spring-gradle-build-action@v2
         with:
-          java-version: '17'
-          distribution: 'temurin'
+          java-version: 17
+          distribution: temurin
       - name: Check for package tangles
+        env:
+          STRUCTURE101_LICENSEID: ${{ secrets.STRUCTURE101_LICENSEID }}
         run: |
-          export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
-          export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
-          export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
           ./gradlew check s101 -Ps101.licenseId="$STRUCTURE101_LICENSEID" --stacktrace
-  deploy_artifacts:
+  deploy-artifacts:
     name: Deploy Artifacts
-    needs: [build_jdk_17, snapshot_tests, check_samples, check_tangles]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up gradle
-        uses: spring-io/spring-gradle-build-action@v2
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-      - name: Deploy artifacts
-        run: |
-          export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
-          export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
-          export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
-          ./gradlew publishArtifacts finalizeDeployArtifacts -PossrhUsername="$OSSRH_TOKEN_USERNAME" -PossrhPassword="$OSSRH_TOKEN_PASSWORD" -PartifactoryUsername="$ARTIFACTORY_USERNAME" -PartifactoryPassword="$ARTIFACTORY_PASSWORD" --stacktrace
-        env:
-          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_PRIVATE_KEY }}
-          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_PASSPHRASE }}
-          OSSRH_TOKEN_USERNAME: ${{ secrets.OSSRH_S01_TOKEN_USERNAME }}
-          OSSRH_TOKEN_PASSWORD: ${{ secrets.OSSRH_S01_TOKEN_PASSWORD }}
-          ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
-          ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
-  deploy_docs:
+    needs: [ build, test, check-samples, check-tangles ]
+    uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@v1
+    with:
+      should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
+    secrets: inherit
+  deploy-docs:
     name: Deploy Docs
-    needs: [build_jdk_17, snapshot_tests, check_samples, check_tangles]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up gradle
-        uses: spring-io/spring-gradle-build-action@v2
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-      - name: Deploy Docs
-        run: |
-          export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
-          export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
-          export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
-          ./gradlew deployDocs -PdeployDocsSshKey="$DOCS_SSH_KEY" -PdeployDocsSshUsername="$DOCS_USERNAME" -PdeployDocsHost="$DOCS_HOST" --stacktrace
-        env:
-          DOCS_USERNAME: ${{ secrets.DOCS_USERNAME }}
-          DOCS_SSH_KEY: ${{ secrets.DOCS_SSH_KEY }}
-          DOCS_HOST: ${{ secrets.DOCS_HOST }}
-  deploy_schema:
+    needs: [ build, test, check-samples, check-tangles ]
+    uses: spring-io/spring-security-release-tools/.github/workflows/deploy-docs.yml@v1
+    with:
+      should-deploy-docs: ${{ needs.build.outputs.should-deploy-artifacts }}
+    secrets: inherit
+  deploy-schema:
     name: Deploy Schema
-    needs: [build_jdk_17, snapshot_tests, check_samples, check_tangles]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up gradle
-        uses: spring-io/spring-gradle-build-action@v2
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-      - name: Deploy Schema
-        run: |
-          export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
-          export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
-          export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
-          ./gradlew deploySchema -PdeployDocsSshKey="$DOCS_SSH_KEY" -PdeployDocsSshUsername="$DOCS_USERNAME" -PdeployDocsHost="$DOCS_HOST" --stacktrace --info
-        env:
-          DOCS_USERNAME: ${{ secrets.DOCS_USERNAME }}
-          DOCS_SSH_KEY: ${{ secrets.DOCS_SSH_KEY }}
-          DOCS_HOST: ${{ secrets.DOCS_HOST }}
-  perform_release:
-    name: Perform release
-    needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    timeout-minutes: 90
-    if: ${{ !endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
-    env:
-      REPO: ${{ github.repository }}
-      BRANCH: ${{ github.ref_name }}
-      TOKEN: ${{ github.token }}
-      VERSION: ${{ needs.prerequisites.outputs.project_version }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
-      - name: Set up gradle
-        uses: spring-io/spring-gradle-build-action@v2
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-      - name: Wait for Artifactory Artifacts
-        if: ${{ contains(needs.prerequisites.outputs.project_version, '-RC') || contains(needs.prerequisites.outputs.project_version, '-M') }}
-        run: |
-          echo "Wait for artifacts of $REPO@$VERSION to appear on Artifactory."
-          until curl -f -s https://repo.spring.io/artifactory/milestone/org/springframework/security/spring-security-core/$VERSION/ > /dev/null
-          do
-            sleep 30
-            echo "."
-          done
-          echo "Artifacts for $REPO@$VERSION have been released to Artifactory."
-      - name: Wait for Maven Central Artifacts
-        if: ${{ !contains(needs.prerequisites.outputs.project_version, '-RC') && !contains(needs.prerequisites.outputs.project_version, '-M') }}
-        run: |
-          echo "Wait for artifacts of $REPO@$VERSION to appear on Maven Central."
-          until curl -f -s https://repo1.maven.org/maven2/org/springframework/security/spring-security-core/$VERSION/ > /dev/null
-          do
-            sleep 30
-            echo "."
-          done
-          echo "Artifacts for $REPO@$VERSION have been released to Maven Central."
-      - name: Create GitHub Release
-        run: |
-          export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
-          export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
-          export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
-          echo "Tagging and publishing $REPO@$VERSION release on GitHub."
-          ./gradlew createGitHubRelease -PnextVersion=$VERSION -Pbranch=$BRANCH -PcreateRelease=true -PgitHubAccessToken=$TOKEN
-      - name: Announce Release on Slack
-        id: spring-security-announcing
-        uses: slackapi/[email protected]
-        with:
-          payload: |
-            {
-              "text": "spring-security-announcing `${{ env.VERSION }}` is available now",
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "spring-security-announcing `${{ env.VERSION }}` is available now"
-                  }
-                }
-              ]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SPRING_RELEASE_SLACK_WEBHOOK_URL }}
-          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
-      - name: Setup git config
-        run: |
-          git config user.name 'github-actions[bot]'
-          git config user.email 'github-actions[bot]@users.noreply.github.com'
-      - name: Update to next Snapshot Version
-        run: |
-          export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
-          export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
-          export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
-          echo "Updating $REPO@$VERSION to next snapshot version."
-          ./gradlew :updateToSnapshotVersion
-          git commit -am "Next development version"
-          git push
-  perform_post_release:
-    name: Perform post-release
-    needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      issues: write
-    timeout-minutes: 90
-    if: ${{ endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
-    env:
-      TOKEN: ${{ github.token }}
-      VERSION: ${{ needs.prerequisites.outputs.project_version }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up gradle
-        uses: spring-io/spring-gradle-build-action@v2
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-      - name: Schedule next release (if not already scheduled)
-        run: ./gradlew scheduleNextRelease -PnextVersion=$VERSION -PgitHubAccessToken=$TOKEN
+    needs: [ build, test, check-samples, check-tangles ]
+    uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@v1
+    with:
+      should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}
+    secrets: inherit
+  perform-release:
+    name: Perform Release
+    needs: [ deploy-artifacts, deploy-docs, deploy-schema ]
+    uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@v1
+    with:
+      should-perform-release: ${{ needs.deploy-artifacts.outputs.artifacts-deployed }}
+      project-version: ${{ needs.deploy-artifacts.outputs.project-version }}
+      milestone-repo-url: https://repo.spring.io/artifactory/milestone
+      release-repo-url: https://repo1.maven.org/maven2
+      artifact-path: org/springframework/security/spring-security-core
+      slack-announcing-id: spring-security-announcing
+    secrets: inherit
   notify_result:
     name: Check for failures
-    needs: [perform_release, perform_post_release]
+    needs: [ perform-release ]
     if: failure()
     runs-on: ubuntu-latest
     permissions: