apache · jdaugherty · Jun 10, 2025 · Jun 10, 2025 · Jun 10, 2025 · Jun 10, 2025
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -33,6 +33,9 @@ jobs:
       release_version: ${{ steps.release_version.outputs.value }}
       extract_repository_name: ${{ steps.extract_repository_name.outputs.repository_name }}
     steps:
+      - name: "📝 Store the current release version"
+        id: release_version
+        run: echo "value=${GITHUB_REF:11}" >> $GITHUB_OUTPUT
       - name: "Output Agent IP" # in the event RAO blocks this agent, this can be used to debug it
         run: curl -s https://api.ipify.org
       - name: "Extract repository name"
@@ -41,6 +44,9 @@ jobs:
           echo "repository_name=${GITHUB_REPOSITORY##*/}" >> $GITHUB_OUTPUT
       - name: "📥 Checkout repository"
         uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          ref: v${{ steps.release_version.outputs.value }}
       - name: 'Ensure Common Build Date' # to ensure a reproducible build
         run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "$GITHUB_ENV"
       - name: "Ensure source files use common date"
@@ -61,9 +67,6 @@ jobs:
         uses: gradle/actions/setup-gradle@v4
         with:
           develocity-access-key: ${{ secrets.GRAILS_DEVELOCITY_ACCESS_KEY }}
-      - name: "📝 Store the current release version"
-        id: release_version
-        run: echo "release_version=${GITHUB_REF:11}" >> $GITHUB_OUTPUT
       - name: "⚙️ Run pre-release"
         uses: apache/grails-github-actions/pre-release@asf
         env:
@@ -121,45 +124,45 @@ jobs:
       - name: "📥 Checkout repository"
         uses: actions/checkout@v4
         with:
-          repository: ${{ github.repository }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           ref: ${{ github.ref_name }}
-          path: project
+          path: ${{ steps.extract_repository_name.outputs.repository_name }}
       - name: "🗑️ Remove unnecessary files"
         run: |
-          rm -f project/gradle/wrapper/gradle-wrapper.jar
-          rm -f project/gradle/wrapper/gradle-wrapper.properties
-          rm -f project/gradlew
-          rm -f project/.asf.yaml
+          rm -f ${{ steps.extract_repository_name.outputs.repository_name }}/gradle/wrapper/gradle-wrapper.jar
+          rm -f ${{ steps.extract_repository_name.outputs.repository_name }}/gradle/wrapper/gradle-wrapper.properties
+          rm -f ${{ steps.extract_repository_name.outputs.repository_name }}/gradlew
+          rm -f ${{ steps.extract_repository_name.outputs.repository_name }}/.asf.yaml
       - name: "Download CHECKSUMS.txt and rename to CHECKSUMS"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          cd project
+          cd ${{ steps.extract_repository_name.outputs.repository_name }}
           release_url=$(gh release view ${{ github.ref_name }} --json assets --repo ${{ github.repository }} --jq '.assets[] | select(.name == "CHECKSUMS.txt") | .url')
           curl -L -H "Authorization: token $GH_TOKEN" -o CHECKSUMS "$release_url"
       - name: "Download PUBLISHED_ARTIFACTS.txt and rename to PUBLISHED_ARTIFACTS"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          cd project
+          cd ${{ steps.extract_repository_name.outputs.repository_name }}
           release_url=$(gh release view ${{ github.ref_name }} --json assets --repo ${{ github.repository }} --jq '.assets[] | select(.name == "PUBLISHED_ARTIFACTS.txt") | .url')
           curl -L -H "Authorization: token $GH_TOKEN" -o PUBLISHED_ARTIFACTS "$release_url"
       - name: "Download BUILD_DATE.txt and rename to BUILD_DATE"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          cd project
+          cd ${{ steps.extract_repository_name.outputs.repository_name }}
           release_url=$(gh release view ${{ github.ref_name }} --json assets --repo ${{ github.repository }} --jq '.assets[] | select(.name == "BUILD_DATE.txt") | .url')
           curl -L -H "Authorization: token $GH_TOKEN" -o BUILD_DATE "$release_url"
       - name: "Ensure source files use common date"
         run: |
-          SOURCE_DATE_EPOCH=$(cat project/BUILD_DATE)
+          SOURCE_DATE_EPOCH=$(cat ${{ steps.extract_repository_name.outputs.repository_name }}/BUILD_DATE)
           find . -depth \( -type f -o -type d \) -exec touch -d "@${SOURCE_DATE_EPOCH}" {} +
       - name: "📦 Create source distribution ZIP"
         run: |
           version="${{ github.ref_name }}"
           version="${version#v}"  # Strip 'v' prefix
-          zip -r "apache-${{ steps.extract_repository_name.outputs.repository_name }}-${version}-incubating-src.zip" project -x 'project/.git/*' -x 'project/.github/*'
+          zip -r "apache-${{ steps.extract_repository_name.outputs.repository_name }}-${version}-incubating-src.zip" ${{ steps.extract_repository_name.outputs.repository_name }} -x '${{ steps.extract_repository_name.outputs.repository_name }}/.git/*' -x '${{ steps.extract_repository_name.outputs.repository_name }}/.github/*'
       - name: '🔐 Set up GPG'
         run: |
           echo "${{ secrets.GRAILS_GPG_KEY }}" | gpg --batch --import
@@ -191,25 +194,25 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -e
-          cd project
+          cd ${{ steps.extract_repository_name.outputs.repository_name }}
           gh release --repo ${{ github.repository }} delete-asset ${{ github.ref_name }} CHECKSUMS.txt --yes
       - name: "Remove BUILD_DATE.txt asset from release"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -e
-          cd project
+          cd ${{ steps.extract_repository_name.outputs.repository_name }}
           gh release --repo ${{ github.repository }} delete-asset ${{ github.ref_name }} BUILD_DATE.txt --yes
       - name: "Remove PUBLISHED_ARTIFACTS.txt asset from release"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -e
-          cd project
+          cd ${{ steps.extract_repository_name.outputs.repository_name }}
           gh release --repo ${{ github.repository }} delete-asset ${{ github.ref_name }} PUBLISHED_ARTIFACTS.txt --yes
   release:
     environment: release
-    needs: [publish, source]
+    needs: [publish, source, docs]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -218,12 +221,13 @@ jobs:
       - name: "📥 Checkout repository"
         uses: actions/checkout@v4
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           ref: v${{ needs.publish.outputs.release_version }}
       - name: "☕️ Setup JDK"
         uses: actions/setup-java@v4
         with:
           distribution: liberica
-          java-version: '17.0.15' # this must be a specific version for reproducible builds
+          java-version: '17.0.15'
       - name: "🐘 Setup Gradle"
         uses: gradle/actions/setup-gradle@v4
         with:
@@ -233,7 +237,7 @@ jobs:
   docs:
     environment: docs
     name: "Publish Documentation"
-    needs: publish
+    needs: [publish, source]
     runs-on: ubuntu-latest
     permissions:
       contents: write # required for gradle.properties revert
@@ -242,11 +246,12 @@ jobs:
       - name: "📥 Checkout repository"
         uses: actions/checkout@v4
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           ref: v${{ needs.publish.outputs.release_version }}
       - name: "☕️ Setup JDK"
         uses: actions/setup-java@v4
         with:
-          java-version: '17.0.15' # this must be a specific version for reproducible builds
+          java-version: '17.0.15'
           distribution: liberica
       - name: "🐘 Setup Gradle"
         uses: gradle/actions/setup-gradle@v4

diff --git a/etc/bin/Dockerfile b/etc/bin/Dockerfile
@@ -16,7 +16,7 @@
 # for testing in a container that is similar to the github action linux build environment
 # run this from the root of the project
 # `docker build -t grails:testing -f etc/bin/Dockerfile . && docker run -it --rm -v $(pwd):/home/groovy/project grails:testing bash`
-FROM bellsoft/liberica-openjdk-debian:17.0.14
+FROM bellsoft/liberica-openjdk-debian:17.0.15
 
 USER root
 RUN apt-get update && apt-get install -y curl unzip coreutils libdigest-sha-perl gpg vim sudo psmisc locales groovy rsync

diff --git a/etc/bin/download-release-artifacts.sh b/etc/bin/download-release-artifacts.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+#
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+#
+set -e
+
+PROJECT_NAME='grails-spring-security'
+REPO_NAME='apache/grails-spring-security'
+RELEASE_TAG=$1
+DOWNLOAD_LOCATION="${2:-downloads}"
+
+if [ -z "${RELEASE_TAG}" ]; then
+  echo "Usage: $0 [release-tag] <optional download location>"
+  exit 1
+fi
+
+echo "Downloading files to ${DOWNLOAD_LOCATION}"
+mkdir -p "${DOWNLOAD_LOCATION}"
+
+VERSION=${RELEASE_TAG#v}
+
+# Source distro
+curl -L -o "${DOWNLOAD_LOCATION}/apache-${PROJECT_NAME}-$VERSION-incubating-src.zip" "https://github.com/${REPO_NAME}/releases/download/$RELEASE_TAG/apache-${PROJECT_NAME}-$VERSION-incubating-src.zip"
+curl -L -o "${DOWNLOAD_LOCATION}/apache-${PROJECT_NAME}-$VERSION-incubating-src.zip.asc" "https://github.com/${REPO_NAME}/releases/download/$RELEASE_TAG/apache-${PROJECT_NAME}-$VERSION-incubating-src.zip.asc"
+curl -L -o "${DOWNLOAD_LOCATION}/apache-${PROJECT_NAME}-$VERSION-incubating-src.zip.sha512" "https://github.com/${REPO_NAME}/releases/download/$RELEASE_TAG/apache-${PROJECT_NAME}-$VERSION-incubating-src.zip.sha512"
diff --git a/etc/bin/extract-build-artifact.sh b/etc/bin/extract-build-artifact.sh
@@ -20,29 +20,36 @@
 set -e
 
 ARTIFACT_NAME=$1
-
 if [ -z "${ARTIFACT_NAME}" ]; then
-  echo "Usage: $0 <artifact-name>"
+  echo "Usage: $0 <artifact-name> <optional location>"
   exit 1
 fi
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+EXTRACT_LOCATION="${2:-${SCRIPT_DIR}/results}"
+
+echo "Looking for build artifact ${ARTIFACT_NAME} in ${EXTRACT_LOCATION}"
 
-if [ -z "${SCRIPT_DIR}/results/first/${ARTIFACT_NAME}" ]; then
-    echo "First Artifact Not found: $ARTIFACT_NAME could not be found under ${SCRIPT_DIR}/results/first/${ARTIFACT_NAME}"
+if [ -z "${EXTRACT_LOCATION}/first/${ARTIFACT_NAME}" ]; then
+    echo "❌ First Artifact Not found: ${ARTIFACT_NAME} could not be found under ${EXTRACT_LOCATION}/first/${ARTIFACT_NAME}"
     exit 1;
 else
-  echo "First Artifact Found @ ${SCRIPT_DIR}/results/first/${ARTIFACT_NAME}"
+  echo "     ✅ First Artifact Found @ ${EXTRACT_LOCATION}/first/${ARTIFACT_NAME}"
 fi
-if [ -z "${SCRIPT_DIR}/results/second/${ARTIFACT_NAME}" ]; then
-    echo "Second Artifact Not found: $ARTIFACT_NAME could not be found under ${SCRIPT_DIR}/results/second/${ARTIFACT_NAME}"
+if [ -z "${EXTRACT_LOCATION}/second/${ARTIFACT_NAME}" ]; then
+    echo "❌ Second Artifact Not found: ${ARTIFACT_NAME} could not be found under ${EXTRACT_LOCATION}/second/${ARTIFACT_NAME}"
     exit 1;
 else
-  echo "Second Artifact Found @ ${SCRIPT_DIR}/results/first/${ARTIFACT_NAME}"
+  echo "     ✅ Second Artifact Found @ ${EXTRACT_LOCATION}/first/${ARTIFACT_NAME}"
 fi
 
-rm -rf "${SCRIPT_DIR}/results/firstArtifact" || true
-rm -rf "${SCRIPT_DIR}/results/secondArtifact" || true
+rm -rf "${EXTRACT_LOCATION}/firstArtifact" || true
+rm -rf "${EXTRACT_LOCATION}/secondArtifact" || true
+
+echo "     Extracting ${ARTIFACT_NAME} from first to ${EXTRACT_LOCATION}/firstArtifact"
+unzip -q "${EXTRACT_LOCATION}/first/${ARTIFACT_NAME}" -d "${EXTRACT_LOCATION}/firstArtifact"
+echo "     ✅ First Artifact Extracted"
 
-unzip "${SCRIPT_DIR}/results/first/${ARTIFACT_NAME}" -d "${SCRIPT_DIR}/results/firstArtifact"
-unzip "${SCRIPT_DIR}/results/second/${ARTIFACT_NAME}" -d "${SCRIPT_DIR}/results/secondArtifact"
+echo "     Extracting ${ARTIFACT_NAME} from second to ${EXTRACT_LOCATION}/secondArtifact"
+unzip -q "${EXTRACT_LOCATION}/second/${ARTIFACT_NAME}" -d "${EXTRACT_LOCATION}/secondArtifact"
+echo "     ✅ Second Artifact Extracted"
diff --git a/etc/bin/test-reproducible-builds.sh b/etc/bin/test-reproducible-builds.sh
@@ -45,7 +45,7 @@ find . -path ./etc -prune -o -type f -path '*/build/libs/*.jar' -print0 | xargs
 cd "${SCRIPT_DIR}/results"
 
 # diff -u first.txt second.txt
-DIFF_RESULTS=$(comm -3 first.txt second.txt | cut -d' ' -f1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | uniq | sort)
+DIFF_RESULTS=$(comm -3 first.txt second.txt | cut -d' ' -f1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$' | uniq | sort)
 echo "Differing artifacts:"
 echo "$DIFF_RESULTS" > diff.txt
 cat diff.txt

diff --git a/etc/bin/verify-jar-artifacts.sh b/etc/bin/verify-jar-artifacts.sh
@@ -24,6 +24,7 @@ PROJECT_NAME='grails-spring-security'
 RELEASE_TAG=$1
 DOWNLOAD_LOCATION="${2:-downloads}"
 DOWNLOAD_LOCATION=$(realpath "${DOWNLOAD_LOCATION}")
+CWD=$(pwd)
 
 if [ -z "${RELEASE_TAG}" ]; then
   echo "Usage: $0 [release-tag] <optional download location>"
@@ -49,15 +50,17 @@ fi
 export GRAILS_GPG_HOME=$(mktemp -d)
 cleanup() {
   rm -rf "${GRAILS_GPG_HOME}"
+  cd "$CWD"
 }
 trap cleanup EXIT
 error() {
   echo "❌ JAR Verification failed ❌"
 }
 trap error ERR
+cd "${DOWNLOAD_LOCATION}"
 
 echo "Importing GPG key to independent GPG home ..."
-gpg --homedir "${GRAILS_GPG_HOME}" --import "${SCRIPT_DIR}/../../KEYS"
+gpg --homedir "${GRAILS_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/KEYS"
 echo "✅ GPG Key Imported"
 
 REPO_BASE_URL="https://repository.apache.org/content/groups/staging"

diff --git a/etc/bin/verify-reproducible.sh b/etc/bin/verify-reproducible.sh
@@ -89,8 +89,14 @@ cd "${DOWNLOAD_LOCATION}/${PROJECT_NAME}/etc/bin/results"
 
 echo "Checking for differences in checksums"
 # diff -u CHECKSUMS second.txt
-DIFF_RESULTS=$(comm -3 <(sort ../../../CHECKSUMS) <(sort second.txt) | cut -d' ' -f1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | uniq | sort)
-echo "$DIFF_RESULTS" > diff.txt
+DIFF_RESULTS=$(comm -3 <(sort ../../../CHECKSUMS) <(sort second.txt) | cut -d' ' -f1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$' | uniq | sort)
+echo "${DIFF_RESULTS}" > diff.txt
+
+if [ -n "${DIFF_RESULTS}" ]; then
+  echo "${DIFF_RESULTS}" > diff.txt
+else
+  > diff.txt  # Empty the file explicitly
+fi
 
 if [ -s diff.txt ]; then
   echo "Differences were found, diffing jar files ..."
@@ -104,7 +110,7 @@ if [ -s diff.txt ]; then
   fi
 
   while IFS= read -r jar_file; do
-      echo "Checking jar ${jar_file}..."
+      echo "Checking jar '${jar_file}'..."
 
       echo "Extracting ${jar_file}"
       "${SCRIPT_DIR}/extract-build-artifact.sh" "${jar_file}" "${DOWNLOAD_LOCATION}/${PROJECT_NAME}/etc/bin/results"

diff --git a/etc/bin/verify-source-distribution.sh b/etc/bin/verify-source-distribution.sh
@@ -50,7 +50,7 @@ shasum -a 512 -c "apache-${PROJECT_NAME}-${VERSION}-incubating-src.zip.sha512"
 echo "✅ Checksum Verified"
 
 echo "Importing GPG key to independent GPG home ..."
-gpg --homedir "${GRAILS_GPG_HOME}" --import "${SCRIPT_DIR}/../../KEYS"
+gpg --homedir "${GRAILS_GPG_HOME}" --import "${DOWNLOAD_LOCATION}/KEYS"
 echo "✅ GPG Key Imported"
 
 echo "Verifying GPG signature..."
@@ -78,7 +78,7 @@ if [ ! -d "${SRC_DIR}" ]; then
 fi
 
 echo "Checking for required files existence..."
-REQUIRED_FILES=("LICENSE" "NOTICE" "README.md" "CONTRIBUTING.md" "PUBLISHED_ARTIFACTS" "CHECKSUMS" "BUILD_DATE" "DISCLAIMER")
+REQUIRED_FILES=("LICENSE" "NOTICE" "README.md" "PUBLISHED_ARTIFACTS" "CHECKSUMS" "BUILD_DATE" "DISCLAIMER")
 
 for FILE in "${REQUIRED_FILES[@]}"; do
   if [ ! -f "${SRC_DIR}/$FILE" ]; then

diff --git a/etc/bin/verify.sh b/etc/bin/verify.sh
@@ -38,6 +38,10 @@ cleanup() {
 }
 trap cleanup ERR
 
+echo "Downloading KEYS file ..."
+curl -sSfLO "https://dist.apache.org/repos/dist/release/grails/KEYS"
+echo "✅ KEYS Downloaded"
+
 echo "Downloading Artifacts ..."
 "${SCRIPT_DIR}/download-release-artifacts.sh" "${RELEASE_TAG}" "${DOWNLOAD_LOCATION}"
 echo "✅ Artifacts Downloaded"