1010 workflow_dispatch :
1111 inputs :
1212 version :
13- description : ' Version tag to build (e.g., v3.1.1 or v3.1.1-beta1). Must be an existing tag. Prerelease tags will be published to Release page .'
13+ description : ' Version number to build (e.g., v3.1.1 or v3.1.1-beta1). Tag does not need to exist — this is a dry-run: artifacts are saved in the workflow run only, nothing is published .'
1414 required : true
1515 type : string
16- publish_release :
17- description : ' Publish to GitHub Release page (only effective for non-master branches / test purposes)'
18- required : false
19- type : boolean
20- default : false
2116
2217concurrency :
2318 group : release-${{ github.ref }}
41364237 id : setup-ndk
4338 with :
44- ndk-version : r26d
39+ ndk-version : r27c
4540 link-to-sdk : true
4641 add-to-path : true
4742
7469 env :
7570 EVENT_NAME : ${{ github.event_name }}
7671 INPUT_VERSION : ${{ github.event.inputs.version }}
77- INPUT_PUBLISH : ${{ github.event.inputs.publish_release }}
7872 run : |
7973 # Determine if this is a manual trigger or tag push
8074 if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
9286 VERSION="${RAW_VERSION#v}"
9387 TAG_NAME="v$VERSION"
9488 IS_MANUAL="true"
95-
96- # Determine if we should publish to Release page
97- if [ "$INPUT_PUBLISH" = "true" ]; then
98- IS_PUBLISH="true"
99- echo "📢 Manual trigger with publish enabled"
100- else
101- IS_PUBLISH="false"
102- echo "🔧 Manual trigger detected (artifacts only, no Release page publish)"
103- fi
89+ IS_PUBLISH="false"
90+ echo "🔧 Dry-run triggered manually (artifacts only, nothing published)"
10491 else
10592 # Tag push - extract from ref
10693 TAG_NAME="${GITHUB_REF#refs/tags/}"
@@ -142,6 +129,37 @@ jobs:
142129 echo "is_prerelease=$IS_PRERELEASE" >> $GITHUB_OUTPUT
143130 echo "✅ Valid version: $VERSION (tag: $TAG_NAME, prerelease: $IS_PRERELEASE, manual: $IS_MANUAL, publish: $IS_PUBLISH)"
144131
132+ - name : Validate tag is on master branch (official releases only)
133+ if : steps.tag_version.outputs.is_prerelease == 'false' && steps.tag_version.outputs.is_manual == 'false'
134+ run : |
135+ TAG_NAME="${{ steps.tag_version.outputs.tag_name }}"
136+
137+ echo "🔍 Validating that $TAG_NAME points to a commit on the master branch..."
138+
139+ # Resolve the commit the tag points to (dereference annotated tags)
140+ if ! TAG_COMMIT=$(git rev-parse "${TAG_NAME}^{commit}" 2>/dev/null); then
141+ echo "❌ Could not resolve tag commit for $TAG_NAME — does the tag exist in this repo?"
142+ exit 1
143+ fi
144+ echo "Tag commit: $TAG_COMMIT"
145+
146+ # Fetch latest master to ensure our ref is up to date (full fetch, no shallow boundary)
147+ if ! git fetch origin master; then
148+ echo "❌ Failed to fetch origin/master. Cannot validate that $TAG_NAME is on the master branch."
149+ exit 1
150+ fi
151+
152+ # Check whether TAG_COMMIT is reachable from origin/master
153+ if git merge-base --is-ancestor "$TAG_COMMIT" origin/master; then
154+ echo "✅ $TAG_NAME is on the master branch"
155+ else
156+ echo "❌ $TAG_NAME is NOT on the master branch!"
157+ echo "Official release tags must point to a commit that exists in master."
158+ echo "Tag commit : $TAG_COMMIT"
159+ echo "Please create the tag from the master branch and try again."
160+ exit 1
161+ fi
162+
145163 - name : Validate version matches project version
146164 run : |
147165 PROJECT_VERSION=$(grep -E 'versionName\s*:' build.gradle | sed -E 's/.*versionName\s*:\s*"([^"]+)".*/\1/')
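Review bot: The new "Validate tag is on master branch" step expands `${{ steps.tag_version.outputs.tag_name }}` straight into the script text (`TAG_NAME="${{ ... }}"`), so the value is pasted in before bash parses it. That is safe only while the format validation in `tag_version` rejects every shell metacharacter. The `tag_version` step already passes event data through `env:`, and the same pattern fits here: add `env:` with `TAG_NAME: ${{ steps.tag_version.outputs.tag_name }}` to the step and delete the assignment line. The same inline expansion appears in added lines at new line 550 (the `git tag … && git push origin …` hint) and new line 608 (`ARTIFACT_COMMIT_URL=`). The hunk ends inside the unchanged "Validate version matches project version" step.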
@@ -332,7 +350,7 @@ jobs:
332350
333351 echo "✅ Individual checksum files created"
334352
335- - name : Sync artifacts to maven repo and open PR
353+ - name : Sync artifacts to maven repo
336354 if : steps.tag_version.outputs.is_publish == 'true'
337355 id : sync_maven_repo
338356 env :
@@ -344,15 +362,14 @@ jobs:
344362 TAG_NAME="${{ steps.tag_version.outputs.tag_name }}"
345363
346364 if [[ -z "${ARTIFACT_REPO_TOKEN:-}" ]]; then
347- echo "::warning ::ARTIFACT_REPO_TOKEN is not set; skipping Maven artifact sync ."
348- echo "artifact_pr_url=" >> $GITHUB_OUTPUT
349- exit 0
365+ echo "::error ::ARTIFACT_REPO_TOKEN is not configured. This secret is required to publish artifacts to the Maven repository ."
366+ echo "Please add ARTIFACT_REPO_TOKEN to the repository secrets: Settings → Secrets and variables → Actions → New repository secret"
367+ exit 1
350368 fi
351369
352370 ARTIFACT_REPO="wysaid/android-gpuimage-plus-maven"
353371 WORKDIR="/tmp/maven-repo-target"
354372 SOURCE_REPO="/tmp/maven-repo"
355- BRANCH="sync/v${VERSION}"
356373
357374 echo "🔄 Cloning artifact repo..."
358375 git clone --depth 1 "https://${ARTIFACT_REPO_TOKEN}@github.com/${ARTIFACT_REPO}.git" "$WORKDIR"
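Review bot: The clone right after the new fail-closed check still carries `ARTIFACT_REPO_TOKEN` in the remote URL, and after this commit that token has to be able to push to the artifact repo's `master`. Git stores the URL in `$WORKDIR/.git/config` under `/tmp` and can repeat it in error messages, which leaves log masking as the only protection. Consider passing the credential through a credential helper or `http.extraHeader` instead of the URL. A comment beside the check should state the intended scope, e.g. `# ARTIFACT_REPO_TOKEN: fine-grained token, contents write on the artifact repo only`. The step body starts before and continues after this hunk.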
@@ -376,42 +393,34 @@ jobs:
376393 git config user.name "github-actions[bot]"
377394 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
378395
379- git checkout -b "$BRANCH"
380396 git add org/wysaid/gpuimage-plus || true
381397
382- echo "artifact_pr_url =" >> $GITHUB_OUTPUT
398+ echo "artifact_commit_url =" >> $GITHUB_OUTPUT
383399
384400 if git diff --cached --quiet; then
385- echo "ℹ️ No changes to publish; skipping PR."
401+ echo "ℹ️ No changes to publish; skipping commit."
402+ popd
386403 exit 0
387404 fi
388405
389406 git commit -m "Publish artifacts ${TAG_NAME}"
390- git push origin "$BRANCH"
391-
392- echo "📝 Creating pull request..."
393- PR_BODY=$(printf "Automated artifact sync for %s.\n\nGenerated by main repo release workflow." "$TAG_NAME")
394- API_JSON=$(jq -n --arg title "Publish ${TAG_NAME} artifacts" \
395- --arg head "$BRANCH" \
396- --arg base "master" \
397- --arg body "$PR_BODY" \
398- '{title:$title, head:$head, base:$base, body:$body}')
399-
400- PR_RESPONSE=$(curl -sS -X POST \
401- -H "Authorization: token ${ARTIFACT_REPO_TOKEN}" \
402- -H "Accept: application/vnd.github+json" \
403- -d "$API_JSON" \
404- "https://api.github.com/repos/${ARTIFACT_REPO}/pulls")
405-
406- echo "PR response: $PR_RESPONSE"
407- PR_URL=$(echo "$PR_RESPONSE" | jq -r '.html_url')
408- if [[ "$PR_URL" == "null" || -z "$PR_URL" ]]; then
409- echo "❌ Failed to create PR"
410- exit 1
411- fi
412407
413- echo "✅ PR created: $PR_URL"
414- echo "artifact_pr_url=$PR_URL" >> $GITHUB_OUTPUT
408+ # Retry push up to 3 times to handle transient non-fast-forward conflicts
409+ PUSH_ATTEMPTS=0
410+ until git push origin master; do
411+ PUSH_ATTEMPTS=$((PUSH_ATTEMPTS + 1))
412+ if [ "$PUSH_ATTEMPTS" -ge 3 ]; then
413+ echo "::error::Maven artifact push failed after $PUSH_ATTEMPTS attempts (possible concurrent push). Re-run the sync step manually for tag $TAG_NAME."
414+ exit 1
415+ fi
416+ echo "⚠️ Push attempt $PUSH_ATTEMPTS failed; retrying after fetch+rebase..."
417+ git fetch origin master && git rebase origin/master
418+ done
419+
420+ COMMIT_SHA=$(git rev-parse HEAD)
421+ COMMIT_URL="https://github.com/${ARTIFACT_REPO}/commit/${COMMIT_SHA}"
422+ echo "✅ Artifacts pushed to maven repo: $COMMIT_URL"
423+ echo "artifact_commit_url=$COMMIT_URL" >> $GITHUB_OUTPUT
415424 popd
416425
417426 - name : Generate release notes
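Review bot: Pushing directly to `master` of the artifact repo removes the pull request that used to be the review point for published Maven artifacts, and this step is gated only on `is_publish == 'true'`. The ancestry check added earlier in this commit is skipped for prerelease tags. Assuming tag pushes set `is_publish=true`, which is not visible here, a prerelease tag on any branch would publish unreviewed artifacts. Either run the master check for every tag push (`if: steps.tag_version.outputs.is_manual == 'false'`) or add a comment above the push loop explaining why prerelease builds from side branches are acceptable. Separately, nothing in the retry loop handles a `git rebase origin/master` that stops on a conflict; an explicit branch that runs `git rebase --abort` and emits `::error::` would make that case diagnosable.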
@@ -483,7 +492,7 @@ jobs:
483492
484493 - **Minimum Android SDK**: API 21 (Android 5.0)
485494 - **Target Android SDK**: API 25
486- - **NDK Version**: r26d
495+ - **NDK Version**: r27c
487496 - **Supported Architectures**: armeabi-v7a, arm64-v8a, x86, x86_64
488497
489498 ### 📚 Documentation
@@ -511,7 +520,7 @@ jobs:
511520 /tmp/release-artifacts/*.aar
512521 /tmp/release-artifacts/SHA256SUMS.txt
513522 /tmp/release-artifacts/*.sha256
514- draft : false
523+ draft : true
515524 prerelease : ${{ steps.tag_version.outputs.is_prerelease == 'true' }}
516525 generate_release_notes : true
517526 make_latest : ${{ steps.tag_version.outputs.is_prerelease != 'true' }}
@@ -536,9 +545,9 @@ jobs:
536545 echo "📦 Version: ${{ steps.tag_version.outputs.version }}"
537546 echo "📦 Artifacts are available for download from the workflow run."
538547 echo ""
539- echo "⚠️ Note: publish_release was not set to true ."
540- echo "⚠️ Artifacts are NOT published to the Release page. "
541- echo "⚠️ To publish, re-run with publish_release=true or push a tag. "
548+ echo "ℹ️ This was a manual dry-run — nothing was published ."
549+ echo "ℹ️ To make a real release, push the tag from master: "
550+ echo " git tag ${{ steps.tag_version.outputs.tag_name }} && git push origin ${{ steps.tag_version.outputs.tag_name }} "
542551 echo ""
543552 echo "📦 Built artifacts:"
544553 ls -lh /tmp/release-artifacts/
@@ -551,28 +560,26 @@ jobs:
551560 TAG_NAME="${{ steps.tag_version.outputs.tag_name }}"
552561
553562 if [ "$IS_PUBLISH" != "true" ]; then
554- echo "## 🔧 Build-Only Mode Completed Successfully!" >> $GITHUB_STEP_SUMMARY
563+ echo "## 🔧 Dry-Run Build Completed Successfully!" >> $GITHUB_STEP_SUMMARY
555564 echo "" >> $GITHUB_STEP_SUMMARY
556565 echo "**Version**: $VERSION" >> $GITHUB_STEP_SUMMARY
557- echo "**Trigger**: Manual (workflow_dispatch, publish_release=false )" >> $GITHUB_STEP_SUMMARY
566+ echo "**Trigger**: Manual dry-run (workflow_dispatch)" >> $GITHUB_STEP_SUMMARY
558567 echo "" >> $GITHUB_STEP_SUMMARY
559- echo "### ⚠️ Note " >> $GITHUB_STEP_SUMMARY
560- echo "Artifacts are **NOT published** to the Release page (publish_release was false) ." >> $GITHUB_STEP_SUMMARY
568+ echo "### ℹ️ Nothing was published " >> $GITHUB_STEP_SUMMARY
569+ echo "Artifacts are retained in this workflow run for **7 days** ." >> $GITHUB_STEP_SUMMARY
561570 echo "" >> $GITHUB_STEP_SUMMARY
562- echo "To publish to Release page, re-run with **publish_release=true**, or push a tag:" >> $GITHUB_STEP_SUMMARY
571+ echo "To make a real release, push the tag from master :" >> $GITHUB_STEP_SUMMARY
563572 echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
564- echo "git push origin $TAG_NAME" >> $GITHUB_STEP_SUMMARY
573+ echo "git tag $TAG_NAME && git push origin $TAG_NAME" >> $GITHUB_STEP_SUMMARY
565574 echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
566575 echo "" >> $GITHUB_STEP_SUMMARY
567576 echo "### 📦 Built Artifacts (available for download):" >> $GITHUB_STEP_SUMMARY
568577 else
569- echo "## 🎉 Release Created Successfully!" >> $GITHUB_STEP_SUMMARY
578+ echo "## 🎉 Release Draft Created Successfully!" >> $GITHUB_STEP_SUMMARY
570579 echo "" >> $GITHUB_STEP_SUMMARY
571580 echo "**Release**: $TAG_NAME" >> $GITHUB_STEP_SUMMARY
572581 echo "**Version**: $VERSION" >> $GITHUB_STEP_SUMMARY
573- if [ "$IS_MANUAL" = "true" ]; then
574- echo "**Trigger**: Manual (workflow_dispatch, publish_release=true)" >> $GITHUB_STEP_SUMMARY
575- fi
582+ echo "**Trigger**: Tag push" >> $GITHUB_STEP_SUMMARY
576583 echo "" >> $GITHUB_STEP_SUMMARY
577584 echo "### ✅ Version Validation" >> $GITHUB_STEP_SUMMARY
578585 echo "- ✅ Tag format validated: v\${major}.\${minor}.\${patch}" >> $GITHUB_STEP_SUMMARY
@@ -592,14 +599,18 @@ jobs:
592599 echo "" >> $GITHUB_STEP_SUMMARY
593600
594601 if [ "$IS_PUBLISH" = "true" ]; then
595- echo "Release page: ${{ github.server_url }}/${{ github.repository }}/releases/tag/$TAG_NAME" >> $GITHUB_STEP_SUMMARY
602+ echo "Review and publish the draft release: ${{ github.server_url }}/${{ github.repository }}/releases" >> $GITHUB_STEP_SUMMARY
603+ echo "(Draft tag: $TAG_NAME)" >> $GITHUB_STEP_SUMMARY
604+ echo "" >> $GITHUB_STEP_SUMMARY
605+ echo "**⚠️ Action required**: Go to the releases page, review the draft, then click *Publish release* to make it public." >> $GITHUB_STEP_SUMMARY
596606 fi
597607
598- ARTIFACT_PR_URL ="${{ steps.sync_maven_repo.outputs.artifact_pr_url }}"
599- if [ -n "$ARTIFACT_PR_URL " ]; then
608+ ARTIFACT_COMMIT_URL ="${{ steps.sync_maven_repo.outputs.artifact_commit_url }}"
609+ if [ -n "$ARTIFACT_COMMIT_URL " ]; then
600610 echo "" >> $GITHUB_STEP_SUMMARY
601- echo "### 📮 Artifact Repository PR" >> $GITHUB_STEP_SUMMARY
602- echo "- $ARTIFACT_PR_URL" >> $GITHUB_STEP_SUMMARY
611+ echo "### 📦 Maven Artifact Repository" >> $GITHUB_STEP_SUMMARY
612+ echo "- Commit: $ARTIFACT_COMMIT_URL" >> $GITHUB_STEP_SUMMARY
613+ echo "- Browse: https://maven.wysaid.org/org/wysaid/gpuimage-plus/" >> $GITHUB_STEP_SUMMARY
603614 fi
604615
605616 # Add build time if available