57 changes: 37 additions & 20 deletions .github/workflows/main-build.yml
@@ -1,8 +1,7 @@
name: main-build

## Intent is to run the ci-build workflow and download the artifacts
## and perform as much of jreleaser flow as possible and publish
## as an ever moving earlyaccess release.
## Runs full CI on every push to main and publishes an earlyaccess
## pre-release with the latest artifacts (including native bundles).

on:
push:
Expand All @@ -17,33 +16,51 @@ concurrency:
jobs:
ci-build:
uses: ./.github/workflows/step-ci-build.yml
with:
skip_tests: true # temporary until we have jreleaser parts working

jreleaser:

earlyaccess:
needs: ci-build
runs-on: ubuntu-latest
env:
JRELEASER_VERSION: early-access
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- id: shared-build
uses: ./.github/actions/shared-build-setup
with:
java-version: 11
- name: Download jbang distribution
- name: Download build artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: ${{ steps.shared-build.outputs.github-short-sha }}-shared-build-jbang
path: build/install/jbang

- name: Download native image'
name: ${{ steps.shared-build.outputs.github-short-sha }}-shared-build
path: build
- name: Download native bundles
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
pattern: ${{ steps.shared-build.outputs.github-short-sha }}-jbang.bin-*
path: build/native-image

- name: Show workspace tree
pattern: ${{ steps.shared-build.outputs.github-short-sha }}-jbang-native-bundles-*
path: build/distributions
merge-multiple: true
if-no-files-found: warn
- name: version extract
id: version
run: |
echo "Workspace: $GITHUB_WORKSPACE"
tree -a build
RELEASE_VERSION=`cat build/tmp/version.txt`
echo "RELEASE_VERSION=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"
echo "Release version: $RELEASE_VERSION"
ls -la build/distributions
- name: Run JReleaser (earlyaccess)
uses: jreleaser/release-action@97b5e2f0e845de2fe1dbbdf451ac6a21233fafff # v2
env:
JRELEASER_PROJECT_VERSION: ${{ steps.version.outputs.RELEASE_VERSION }}
JRELEASER_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
version: ${{ env.JRELEASER_VERSION }}
arguments: full-release
setup-java: false
- name: JReleaser output
if: always()
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: jreleaser-earlyaccess
path: |
out/jreleaser/trace.log
out/jreleaser/output.properties
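Review bot: `JRELEASER_VERSION: early-access` under the `earlyaccess` job makes `jreleaser/release-action` fetch whatever the current early-access JReleaser build is at run time, so the commit-SHA pin on the action itself no longer pins the tool that receives `secrets.GITHUB_TOKEN` and runs `full-release`. The same switch away from what appears to be the previous `1.19.0` value is made in publish-packages.yml and in the `release` job of tag-and-release.yml, where the same process holds the GPG secret key and the Maven Central and SDKMAN credentials. If a snapshot is needed for a feature the stable line lacks, consider keeping the moving version only in this earlyaccess workflow and the dry-run job, pinning the publishing workflows back to a released version when one is available, and recording the reason next to the value, e.g. `# early-access needed for <placeholder: feature>; re-pin to a released version once available`.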
2 changes: 1 addition & 1 deletion .github/workflows/publish-packages.yml
Expand Up @@ -25,7 +25,7 @@ jobs:
JRELEASER_MAVENCENTRAL_JBANG_USERNAME: ${{ secrets.OSSRH_USERNAME }}
JRELEASER_MAVENCENTRAL_JBANG_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
JRELEASER_DOCKER_DEFAULT_PASSWORD: notusedbutrequiredbyjreleaser
JRELEASER_VERSION: 1.19.0
JRELEASER_VERSION: early-access
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
68 changes: 66 additions & 2 deletions .github/workflows/step-ci-build.yml
Expand Up @@ -17,6 +17,11 @@ on:
required: false
type: boolean
default: false
skip_jreleaser_dry_run:
description: 'Skip JReleaser dry-run (e.g. when called from release workflow)'
required: false
type: boolean
default: false
workflow_call:
inputs: *inputs

Expand Down Expand Up @@ -92,11 +97,24 @@ jobs:
name: ${{ steps.shared-build.outputs.github-short-sha }}-jbang.bin-${{ matrix.os }}
path: build/native-image/*
if-no-files-found: error

- name: build-native-bundles
run: |
./gradlew --no-daemon nativeDistZip nativeDistTar latestNativeDistZip latestNativeDistTar

- name: upload-native-bundles
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: ${{ steps.shared-build.outputs.github-short-sha }}-jbang-native-bundles-${{ matrix.os }}
path: |
build/distributions/*-${{ runner.os == 'macOS' && 'mac' || runner.os == 'Windows' && 'windows' || 'linux' }}-*.zip
build/distributions/*-${{ runner.os == 'macOS' && 'mac' || runner.os == 'Windows' && 'windows' || 'linux' }}-*.tar
if-no-files-found: error

- name: create install with jbang.bin
- name: create install with native binary
if: ${{ !inputs.skip_tests }}
run: |
./gradlew --no-daemon installDist
./gradlew --no-daemon cleanInstallDist installDist
- name: integration-test-native-image
if: ${{ !inputs.skip_tests }}
env:
Expand Down Expand Up @@ -284,6 +302,52 @@ jobs:
chmod +x ./test_suite.sh
./test_suite.sh

jreleaser-dry-run:
needs: [build-shared, build-test-native-image]
if: always() && needs.build-shared.result == 'success' && !inputs.skip_jreleaser_dry_run
runs-on: ubuntu-latest
env:
JRELEASER_VERSION: early-access
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
Comment on lines +312 to +314
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Disable persisted checkout credentials in artifact-handling job.

Line 305 checks out code with default credential persistence. For this job, set persist-credentials: false to reduce token exposure risk.

🔧 Proposed hardening
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          fetch-depth: 0
+         persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 305-307: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/step-ci-build.yml around lines 305 - 307, The checkout
step uses actions/checkout (the step with "uses: actions/checkout@...") and
currently leaves credential persistence enabled; update that checkout step in
the artifact-handling job to add the input persist-credentials: false so git
credentials are not stored for subsequent steps, keeping the rest of the
checkout inputs (like fetch-depth) as-is.

- id: shared-build
uses: ./.github/actions/shared-build-setup
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: ${{ steps.shared-build.outputs.github-short-sha }}-shared-build
path: build
- name: Download native bundles
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
pattern: ${{ steps.shared-build.outputs.github-short-sha }}-jbang-native-bundles-*
path: build/distributions
merge-multiple: true
if-no-files-found: warn
- name: version extract
id: version
run: |
RELEASE_VERSION=`cat build/tmp/version.txt`
echo "RELEASE_VERSION=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"
echo "Release version: $RELEASE_VERSION"
ls -la build/distributions
- name: Run JReleaser (dry-run)
uses: jreleaser/release-action@97b5e2f0e845de2fe1dbbdf451ac6a21233fafff # v2
env:
JRELEASER_PROJECT_VERSION: ${{ steps.version.outputs.RELEASE_VERSION }}
JRELEASER_GITHUB_TOKEN: unused-dry-run
with:
version: ${{ env.JRELEASER_VERSION }}
arguments: release --dry-run --yolo
setup-java: false
- name: Upload release artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
if: always()
with:
name: ${{ steps.shared-build.outputs.github-short-sha }}-jreleaser-release-artifacts
path: out/jreleaser/

merge-test-reports:
if: always() && !inputs.skip_tests
needs: [unit-test-jvm, integration-test-jvm, build-test-native-image]
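Review bot: The `if:` on the new `jreleaser-dry-run` job uses `always()`, which also fires when the workflow run is cancelled, so the dry-run and its `if: always()` artifact upload keep running after a cancel; `!cancelled()` expresses the run-even-if-the-native-build-failed intent without that: `if: ${{ !cancelled() && needs.build-shared.result == 'success' && !inputs.skip_jreleaser_dry_run }}`. Because the native-bundle download uses `if-no-files-found: warn`, a failed `build-test-native-image` still lets the dry-run succeed with no bundles present; if that is intended as a best-effort check, a comment above the job should say so, e.g. `# Best-effort dry-run: tolerates missing native bundles; tag-and-release enforces them with if-no-files-found: error`. The job body, through the `Upload release artifacts` step, is entirely inside the hunk.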
149 changes: 122 additions & 27 deletions .github/workflows/tag-and-release.yml
Expand Up @@ -22,10 +22,111 @@ jobs:
echo "debug_enabled=false" >> $GITHUB_OUTPUT
fi

build:
needs: check-debug
validate-release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- name: Verify commit is on main
run: |
if ! git merge-base --is-ancestor ${{ github.sha }} origin/main; then
echo "::error::Tagged commit is not on the main branch. Aborting release."
exit 1
fi
- name: Verify CI passed for this commit
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
STATUS=$(gh api repos/${{ github.repository }}/commits/${{ github.sha }}/status --jq '.state')
echo "Commit CI status: $STATUS"
if [ "$STATUS" != "success" ]; then
echo "::error::CI has not passed for this commit (status: $STATUS). Aborting release."
exit 1
fi

build-shared:
needs: validate-release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- id: shared-build
uses: ./.github/actions/shared-build-setup
- name: build
run: ./gradlew --no-daemon clean build installDist publish -x spotlessCheck -x test -x integrationTest --build-cache --scan -s
- name: Upload build results
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: ${{ steps.shared-build.outputs.github-short-sha }}-shared-build
path: build

build-native-image:
needs: build-shared
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- id: shared-build
uses: ./.github/actions/shared-build-setup
- name: setup-graalvm
uses: graalvm/setup-graalvm@bef4b0e916c7dd079bf60fb95d49139f67e32c5f # v1
with:
java-version: '25'
distribution: 'graalvm-community'
github-token: ${{ secrets.GITHUB_TOKEN }}
set-java-home: false
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: ${{ steps.shared-build.outputs.github-short-sha }}-shared-build
path: build
- name: build-native-image
run: ./gradlew --no-daemon nativeImage
- name: ensure native image is executable
run: chmod -v +x build/native-image/jbang.bin*
- name: build-native-bundles
run: ./gradlew --no-daemon nativeDistZip nativeDistTar latestNativeDistZip latestNativeDistTar
- name: upload-native-bundles
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: ${{ steps.shared-build.outputs.github-short-sha }}-jbang-native-bundles-${{ matrix.os }}
path: |
build/distributions/*-${{ runner.os == 'macOS' && 'mac' || runner.os == 'Windows' && 'windows' || 'linux' }}-*.zip
build/distributions/*-${{ runner.os == 'macOS' && 'mac' || runner.os == 'Windows' && 'windows' || 'linux' }}-*.tar
if-no-files-found: error

smoke-test:
needs: build-shared
runs-on: ubuntu-latest
name: build-and-testing
env:
_JBANG_: ./build/install/jbang/bin/jbang
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- id: shared-build
uses: ./.github/actions/shared-build-setup
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: ${{ steps.shared-build.outputs.github-short-sha }}-shared-build
path: build
- name: smoke-test
run: |
chmod +x $_JBANG_
$_JBANG_ init --template=cli helloworld.java
$_JBANG_ --verbose helloworld.java
rm helloworld.java

release:
needs: [check-debug, build-shared, build-native-image, smoke-test]
runs-on: ubuntu-latest
name: release
env:
JRELEASER_SDKMAN_CONSUMER_KEY: ${{ secrets.SDKMAN_CONSUMER_KEY }}
JRELEASER_SDKMAN_CONSUMER_TOKEN: ${{ secrets.SDKMAN_CONSUMER_TOKEN }}
Expand All @@ -40,7 +141,7 @@ jobs:
JRELEASER_GPG_SECRET_KEY: ${{ secrets.GPG_SECRET_KEY }}
JRELEASER_MAVENCENTRAL_JBANG_USERNAME: ${{ secrets.OSSRH_USERNAME }}
JRELEASER_MAVENCENTRAL_JBANG_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
JRELEASER_VERSION: 1.19.0
JRELEASER_VERSION: early-access
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
Expand All @@ -49,35 +150,29 @@ jobs:
uses: ./.github/actions/shared-build-setup
with:
java-version: 11
- name: build-gradle
run: ./gradlew --no-daemon clean build installDist publish --build-cache --scan -s
- name: integration-test
env:
_JBANG_TEST_JAVA_VERSION: 11
run: |
./gradlew integrationTest
- name: Arcive test results
uses: ./.github/actions/shared-test-archiving
if: always()
- name: Download build artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
prefix: ${{ steps.shared-build.outputs.github-short-sha }}-integration-test-
suffix: -jvm
- name: integration-test-bash
run: |
export PATH=`pwd`/build/install/jbang/bin:$PATH
pastdir=`pwd`
cd itests
./test_suite.sh
cd $pastdir
name: ${{ steps.shared-build.outputs.github-short-sha }}-shared-build
path: build
- name: Download native bundles
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
pattern: ${{ steps.shared-build.outputs.github-short-sha }}-jbang-native-bundles-*
path: build/distributions
merge-multiple: true
if-no-files-found: error
- name: version extract
id: version
run: |
RELEASE_VERSION=`cat build/tmp/version.txt`
echo "::set-output name=RELEASE_VERSION::$RELEASE_VERSION"
echo "RELEASE_VERSION=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"
echo "Release version: $RELEASE_VERSION"
ls -la build/distributions
- name: Run JReleaser
uses: jreleaser/release-action@97b5e2f0e845de2fe1dbbdf451ac6a21233fafff # v2
env:
JRELEASER_PROJECT_VERSION: ${{steps.version.outputs.RELEASE_VERSION}}
env:
JRELEASER_PROJECT_VERSION: ${{ steps.version.outputs.RELEASE_VERSION }}
with:
version: ${{ env.JRELEASER_VERSION }}
arguments: release
Expand All @@ -90,7 +185,7 @@ jobs:
path: |
out/jreleaser/trace.log
out/jreleaser/output.properties

- name: Start tmate session
if: always() && needs.check-debug.outputs.debug_enabled == 'true'
uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3
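Review bot: The `Verify CI passed for this commit` step in `validate-release` reads `/commits/{sha}/status`, which is the legacy commit-status API; GitHub Actions results are recorded as check runs rather than statuses, so if nothing in the repository publishes statuses this endpoint reports `pending` and every tag is refused, while any unrelated integration that does post a status could later satisfy the gate without the CI workflow having run. Consider querying `repos/${{ github.repository }}/commits/${{ github.sha }}/check-runs` and requiring the named CI check to have `conclusion == "success"`, which ties the gate to the workflow it is meant to verify. Since this step is the control that lets `build-shared` build with `-x test -x integrationTest`, it should carry a comment naming the check it expects, e.g. `# Release gate: the tagged commit must have a successful <placeholder: CI check name> check run`.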