From 100c88bd108be3509ea41d4fd1552a5076144e0e Mon Sep 17 00:00:00 2001
From: Tom Sellman <tom.sellman@seqera.io>
Date: Mon, 18 Nov 2024 15:42:16 +0000
Subject: [PATCH 1/9] Headless release: basic github action structure

Signed-off-by: Tom Sellman <tom.sellman@seqera.io>
---
 .github/scripts/deploy-plugins.sh   |   8 ++
 .github/scripts/deploy-to-docker.sh |   8 ++
 .github/scripts/deploy-to-maven.sh  |   8 ++
 .github/scripts/deploy-to-s3.sh     |   8 ++
 .github/workflows/release.yml       | 176 ++++++++++++++++++++++++++++
 Makefile                            |   6 +
 6 files changed, 214 insertions(+)
 create mode 100644 .github/scripts/deploy-plugins.sh
 create mode 100644 .github/scripts/deploy-to-docker.sh
 create mode 100644 .github/scripts/deploy-to-maven.sh
 create mode 100644 .github/scripts/deploy-to-s3.sh
 create mode 100644 .github/workflows/release.yml

diff --git a/.github/scripts/deploy-plugins.sh b/.github/scripts/deploy-plugins.sh
new file mode 100644
index 0000000000..a335cb8bdc
--- /dev/null
+++ b/.github/scripts/deploy-plugins.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/../.."
+
+# stub deployment
+echo "Deploying plugins"
diff --git a/.github/scripts/deploy-to-docker.sh b/.github/scripts/deploy-to-docker.sh
new file mode 100644
index 0000000000..02cd698099
--- /dev/null
+++ b/.github/scripts/deploy-to-docker.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/../.."
+
+# stub deployment
+echo "Deploying to docker"
diff --git a/.github/scripts/deploy-to-maven.sh b/.github/scripts/deploy-to-maven.sh
new file mode 100644
index 0000000000..231eb09a30
--- /dev/null
+++ b/.github/scripts/deploy-to-maven.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/../.."
+
+# stub deployment
+echo "Deploying to maven"
diff --git a/.github/scripts/deploy-to-s3.sh b/.github/scripts/deploy-to-s3.sh
new file mode 100644
index 0000000000..ae2eaa935a
--- /dev/null
+++ b/.github/scripts/deploy-to-s3.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/../.."
+
+# stub deployment
+echo "Deploying to S3"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000000..4895e4857e
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,176 @@
+name: Release
+run-name: Release ${{ github.ref_name }}
+
+# TODO:tom real workflow trigger
+on:
+  workflow_dispatch:
+
+env:
+  JAVA_VERSION: 17
+
+jobs:
+  # --------------------------------------------------
+  # job: assemble
+  # --------------------------------------------------
+  assemble:
+    name: Assemble
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      # setup steps
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          submodules: true
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ env.JAVA_VERSION }}
+          distribution: 'temurin'
+          architecture: x64
+          cache: gradle
+
+      # build steps
+      - name: Compile
+        run: make distribution
+
+      # upload steps
+      - name: Upload artifacts (libs)
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 3
+          name: libs
+          path: modules/*/build/libs/
+
+      - name: Upload artifacts (distribution)
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 3
+          name: distribution
+          path: build/releases/
+
+      - name: Upload artifacts (plugins)
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 3
+          compression-level: 0
+          name: plugins
+          path: |
+            plugins/build/libs/
+            plugins/*/build/libs/
+
+  # --------------------------------------------------
+  # job: deploy-maven
+  # --------------------------------------------------
+  deploy-maven:
+    name: Deploy to Maven
+    runs-on: ubuntu-latest
+    needs: assemble
+    timeout-minutes: 15
+    steps:
+      # setup steps
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          submodules: true
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ env.JAVA_VERSION }}
+          distribution: 'temurin'
+          architecture: x64
+          cache: gradle
+
+      - name: Download artifacts (libs)
+        uses: actions/download-artifact@v4
+        with:
+          name: libs
+          path: modules
+
+      # deploy step
+      - name: Deploy to maven
+        run: bash .github/scripts/deploy-to-maven.sh
+
+  # --------------------------------------------------
+  # job: deploy-s3
+  # --------------------------------------------------
+  deploy-s3:
+    name: Deploy to S3
+    runs-on: ubuntu-latest
+    needs: assemble
+    timeout-minutes: 15
+    steps:
+      # setup steps
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          submodules: true
+
+      - name: Download artifacts (distribution)
+        uses: actions/download-artifact@v4
+        with:
+          name: distribution
+          path: build/releases
+
+      # deploy step
+      - name: Deploy to S3
+        run: bash .github/scripts/deploy-to-s3.sh
+
+  # --------------------------------------------------
+  # job: deploy-docker
+  # --------------------------------------------------
+  deploy-docker:
+    name: Deploy to Docker
+    runs-on: ubuntu-latest
+    needs: assemble
+    timeout-minutes: 15
+    steps:
+      # setup steps
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          submodules: true
+
+      # deploy step
+      - name: Deploy to docker
+        run: bash .github/scripts/deploy-to-docker.sh
+
+  # --------------------------------------------------
+  # job: deploy-plugins
+  # --------------------------------------------------
+  deploy-plugins:
+    name: Deploy Plugins
+    runs-on: ubuntu-latest
+    needs: assemble
+    timeout-minutes: 15
+    steps:
+      # setup steps
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          submodules: true
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ env.JAVA_VERSION }}
+          distribution: 'temurin'
+          architecture: x64
+          cache: gradle
+
+      - name: Download artifacts (plugins)
+        uses: actions/download-artifact@v4
+        with:
+          name: plugins
+          path: plugins
+
+      # deploy step
+      - name: Deploy plugins
+        run: bash .github/scripts/deploy-plugins.sh
diff --git a/Makefile b/Makefile
index 4a12211e00..776a171000 100644
--- a/Makefile
+++ b/Makefile
@@ -85,6 +85,12 @@ endif
 smoke:
 	NXF_SMOKE=1 ./gradlew ${mm}test
 
+#
+# Generate all the jars required to create a release
+#
+distribution:
+	BUILD_PACK=1 ./gradlew buildInfo compile assemble pack javadocJar sourcesJar testFixturesJar
+
 #
 # Upload JAR artifacts to Maven Central
 #

From 1a5c47f80e1cd4e159510de83223044f63071f62 Mon Sep 17 00:00:00 2001
From: Tom Sellman <tom.sellman@seqera.io>
Date: Tue, 19 Nov 2024 15:36:10 +0000
Subject: [PATCH 2/9] Headless release: upload distribution to S3

Signed-off-by: Tom Sellman <tom.sellman@seqera.io>
---
 .github/scripts/deploy-to-s3.sh | 41 ++++++++++++++++++++++++--
 .github/workflows/release.yml   |  9 ++++++
 Makefile                        |  6 ----
 packing.gradle                  | 51 ---------------------------------
 4 files changed, 48 insertions(+), 59 deletions(-)

diff --git a/.github/scripts/deploy-to-s3.sh b/.github/scripts/deploy-to-s3.sh
index ae2eaa935a..98803682e2 100644
--- a/.github/scripts/deploy-to-s3.sh
+++ b/.github/scripts/deploy-to-s3.sh
@@ -4,5 +4,42 @@ set -e
 # change to the project root
 cd "$(dirname "$0")/../.."
 
-# stub deployment
-echo "Deploying to S3"
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+S3_RELEASE_BUCKET=${S3_RELEASE_BUCKET:-'www2.nextflow.io'}
+S3_RELEASE_DIR="releases/v$NF_VERSION"
+
+# check if the release already exists
+aws s3api head-object --bucket "$S3_RELEASE_BUCKET" --key "$S3_RELEASE_DIR/nextflow" > /dev/null 2>&1 \
+  && release_exists=true
+
+if [[ $release_exists ]]; then
+  echo "Version $NF_VERSION already deployed to S3, skipping"
+  exit
+fi
+
+# collect files to deploy
+files=(build/releases/nextflow-"$NF_VERSION"-*)
+if [[ ${#files[@]} -eq 0 ]]; then
+  echo "ERROR - can't find any files to upload"
+  exit 1
+fi
+files+=(
+  'nextflow'
+  'nextflow.sha1'
+  'nextflow.sha256'
+  'nextflow.md5'
+)
+
+# upload them to s3 bucket
+for file in "${files[@]}"; do
+  filename=$(basename "$file")
+  aws s3 cp "$file" "s3://$S3_RELEASE_BUCKET/$S3_RELEASE_DIR/$filename" \
+    --no-progress \
+    --storage-class STANDARD \
+    --region eu-west-1 \
+    --acl public-read
+done
+
+echo "Done"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4895e4857e..b07a13c5ad 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -111,6 +111,13 @@ jobs:
           fetch-depth: 1
           submodules: true
 
+      - name: Setup AWS
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-1
+          aws-access-key-id: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
+
       - name: Download artifacts (distribution)
         uses: actions/download-artifact@v4
         with:
@@ -120,6 +127,8 @@ jobs:
       # deploy step
       - name: Deploy to S3
         run: bash .github/scripts/deploy-to-s3.sh
+        env:
+          S3_RELEASE_BUCKET: ${{ vars.S3_RELEASE_BUCKET }}
 
   # --------------------------------------------------
   # job: deploy-docker
diff --git a/Makefile b/Makefile
index 776a171000..11bcf5eebb 100644
--- a/Makefile
+++ b/Makefile
@@ -103,12 +103,6 @@ upload:
 pack:
 	BUILD_PACK=1 ./gradlew pack
 
-#
-# Upload NF launcher to nextflow.io web site
-#
-deploy:
-	BUILD_PACK=1 ./gradlew deploy
-
 #
 # Close artifacts uploaded to Maven central
 #
diff --git a/packing.gradle b/packing.gradle
index 07e404c0d9..c5c1efda4e 100644
--- a/packing.gradle
+++ b/packing.gradle
@@ -31,21 +31,6 @@ ext.nextflowDir = "$homeDir/.nextflow/framework/$version"
 ext.releaseDir = "$buildDir/releases"
 ext.s3CmdOpts="--acl public-read --storage-class STANDARD --region eu-west-1"
 
-protected error(String message) {
-    logger.error message
-    throw new StopExecutionException(message)
-}
-
-protected checkVersionExits(String version) {
-    if(version.endsWith('-SNAPSHOT'))
-        return
-
-    def cmd = "AWS_ACCESS_KEY_ID=${System.env.NXF_AWS_ACCESS} AWS_SECRET_ACCESS_KEY=${System.env.NXF_AWS_SECRET} aws s3 ls s3://www2.nextflow.io/releases/v$version/nextflow"
-    def status=['bash','-c', cmd].execute().waitFor()
-    if( status == 0 )
-        error("STOP!! Version $version already deployed!")
-}
-
 protected resolveDeps( String configName, String... x ) {
 
     final deps = [] as Set
@@ -125,42 +110,6 @@ task pack( dependsOn: [packOne, packDist]) {
 
 }
 
-task deploy( type: Exec, dependsOn: [clean, compile, pack]) {
-
-    def temp = File.createTempFile('upload',null)
-    temp.deleteOnExit()
-    def files = []
-
-    doFirst {
-        checkVersionExits(version)
-        
-        def path = new File(releaseDir)
-        if( !path.exists() ) error("Releases path does not exist: $path")
-        path.eachFile {
-            if( it.name.startsWith("nextflow-$version"))
-                files << it
-        }
-
-        if( !files ) error("Can't find any file to upload -- Check path: $path")
-        files << file('nextflow').absoluteFile
-        files << file('nextflow.sha1').absoluteFile
-        files << file('nextflow.sha256').absoluteFile
-        files << file('nextflow.md5').absoluteFile
-
-        println "Uploading artifacts: "
-        files.each { println "- $it"}
-
-        def script = []
-        script << "export AWS_ACCESS_KEY_ID=${System.env.NXF_AWS_ACCESS}"
-        script << "export AWS_SECRET_ACCESS_KEY=${System.env.NXF_AWS_SECRET}"
-        script.addAll( files.collect { "aws s3 cp ${it} s3://www2.nextflow.io/releases/v${version}/${it.name} ${s3CmdOpts}"})
-
-        temp.text = script.join('\n')
-    }
-
-    commandLine 'bash', '-e', temp.absolutePath
-}
-
 task installLauncher(type: Copy, dependsOn: ['pack']) {
     from "$releaseDir/nextflow-$version-one.jar"
     into "$homeDir/.nextflow/framework/$version/"

From 8c50160ab93af395974f161f5618d54d911d1199 Mon Sep 17 00:00:00 2001
From: Tom Sellman <tom.sellman@seqera.io>
Date: Wed, 20 Nov 2024 10:37:07 +0000
Subject: [PATCH 3/9] Headless release: docker build and push

Signed-off-by: Tom Sellman <tom.sellman@seqera.io>
---
 .github/scripts/deploy-to-docker.sh | 24 ++++++++++++++++++++++--
 .github/workflows/release.yml       | 15 +++++++++++++++
 Makefile                            |  6 ------
 docker/Makefile                     |  6 ------
 packing.gradle                      | 19 +------------------
 5 files changed, 38 insertions(+), 32 deletions(-)

diff --git a/.github/scripts/deploy-to-docker.sh b/.github/scripts/deploy-to-docker.sh
index 02cd698099..5148abcce3 100644
--- a/.github/scripts/deploy-to-docker.sh
+++ b/.github/scripts/deploy-to-docker.sh
@@ -4,5 +4,25 @@ set -e
 # change to the project root
 cd "$(dirname "$0")/../.."
 
-# stub deployment
-echo "Deploying to docker"
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+# build the docker image
+cd docker
+make build version="$NF_VERSION"
+
+# push to docker hub
+IMAGE_TAG="nextflow/nextflow:$NF_VERSION"
+docker push "$IMAGE_TAG"
+
+# push to seqera registry
+if [ -z "$SEQERA_REGISTRY" ]; then
+  echo "Missing env var SEQERA_REGISTRY"
+  exit 1
+fi
+SEQERA_IMAGE_TAG="$SEQERA_REGISTRY/$IMAGE_TAG"
+
+docker tag "$IMAGE_TAG" "$SEQERA_IMAGE_TAG"
+docker push "$SEQERA_IMAGE_TAG"
+
+echo "Done"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b07a13c5ad..db6d5dbb9e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -146,9 +146,24 @@ jobs:
           fetch-depth: 1
           submodules: true
 
+      - name: Login to Docker hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_ID }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: Login to Seqera registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.SEQERA_PUBLIC_CR_URL }}
+          username: ${{ secrets.SEQERA_PUBLIC_CR_USER }}
+          password: ${{ secrets.SEQERA_PUBLIC_CR_PASSWORD }}
+
       # deploy step
       - name: Deploy to docker
         run: bash .github/scripts/deploy-to-docker.sh
+        env:
+          SEQERA_REGISTRY: ${{ vars.SEQERA_PUBLIC_CR_URL }}
 
   # --------------------------------------------------
   # job: deploy-plugins
diff --git a/Makefile b/Makefile
index 11bcf5eebb..c1ed5498ec 100644
--- a/Makefile
+++ b/Makefile
@@ -115,12 +115,6 @@ close:
 release:
 	BUILD_PACK=1 ./gradlew release
 
-#
-# Create and upload docker image distribution
-#
-dockerImage:
-	BUILD_PACK=1 ./gradlew dockerImage
-
 #
 # Create local docker image
 #
diff --git a/docker/Makefile b/docker/Makefile
index e65294f7fe..3c19a9d3e6 100644
--- a/docker/Makefile
+++ b/docker/Makefile
@@ -23,12 +23,6 @@ build-arm: dist/docker/arm64
 	cp ../nextflow .
 	docker buildx build --platform linux/arm64 --output=type=docker --progress=plain --tag nextflow/nextflow:${version} --build-arg TARGETPLATFORM=linux/arm64 .
 
-release: build
-	docker push nextflow/nextflow:${version}
-	#
-	docker tag nextflow/nextflow:${version} public.cr.seqera.io/nextflow/nextflow:${version}
-	docker push public.cr.seqera.io/nextflow/nextflow:${version}
-
 #Static builds can now be found at:
 #
 #  Linux:   https://download.docker.com/linux/static
diff --git a/packing.gradle b/packing.gradle
index c5c1efda4e..0777f3e2f4 100644
--- a/packing.gradle
+++ b/packing.gradle
@@ -120,23 +120,6 @@ task installScratch(type: Copy, dependsOn: ['pack']) {
     into "${rootProject.projectDir}/test-e2e/.nextflow/framework/$version/"
 }
 
-/*
- * build, tag and publish a and new docker packaged nextflow release
- */
-task dockerImage(type: Exec) {
-
-    def temp = File.createTempFile('upload',null)
-    temp.deleteOnExit()
-    temp.text =  """\
-    grep $version nextflow
-    cp nextflow docker/nextflow
-    cd docker
-    make release version=$version
-    """.stripIndent()
-
-    commandLine 'bash', '-e', temp.absolutePath
-}
-
 /*
  * Build a docker container image with the current snapshot
  * DO NOT CALL IT DIRECTLY! Use the `make dockerPack` command instead
@@ -184,7 +167,7 @@ task dockerPack(type: Exec, dependsOn: ['packOne']) {
  * 
  * https://github.com/aktau/github-release/
  */
-task release(type: Exec, dependsOn: [pack, dockerImage]) {
+task release(type: Exec, dependsOn: [pack]) {
 
     def launcherFile = file('nextflow').absoluteFile
     def launcherSha1 = file('nextflow.sha1').absoluteFile

From 83c817c0b85f6606bb5c0d85f8b18c9ed260864b Mon Sep 17 00:00:00 2001
From: Tom Sellman <tom.sellman@seqera.io>
Date: Thu, 21 Nov 2024 14:29:21 +0000
Subject: [PATCH 4/9] Headless release: publish jars to maven

The target repository is an S3 bucket, jars are no longer
published to maven central repo.x

Signed-off-by: Tom Sellman <tom.sellman@seqera.io>
---
 .github/scripts/deploy-to-maven.sh | 10 ++++-
 .github/workflows/release.yml      |  4 ++
 Makefile                           | 12 ------
 build.gradle                       | 66 +++++++++---------------------
 4 files changed, 31 insertions(+), 61 deletions(-)

diff --git a/.github/scripts/deploy-to-maven.sh b/.github/scripts/deploy-to-maven.sh
index 231eb09a30..92415ec6ba 100644
--- a/.github/scripts/deploy-to-maven.sh
+++ b/.github/scripts/deploy-to-maven.sh
@@ -4,5 +4,11 @@ set -e
 # change to the project root
 cd "$(dirname "$0")/../.."
 
-# stub deployment
-echo "Deploying to maven"
+echo "Publishing nextflow jars to maven"
+
+# the release process should have already built the jars, so to avoid re-compiling everything
+# we can tell gradle to skip all non publish/publication related tasks
+./gradlew publishToMaven \
+  $( ./gradlew publishToMaven --dry-run | grep -iv 'publish\|publication' | awk '/^:/ { print "-x" $1 }')
+
+echo "Done"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index db6d5dbb9e..89f6c50e89 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -94,6 +94,10 @@ jobs:
       # deploy step
       - name: Deploy to maven
         run: bash .github/scripts/deploy-to-maven.sh
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
+          MAVEN_PUBLISH_URL: ${{ vars.MAVEN_PUBLISH_URL }}
 
   # --------------------------------------------------
   # job: deploy-s3
diff --git a/Makefile b/Makefile
index c1ed5498ec..ae0a8726e2 100644
--- a/Makefile
+++ b/Makefile
@@ -91,24 +91,12 @@ smoke:
 distribution:
 	BUILD_PACK=1 ./gradlew buildInfo compile assemble pack javadocJar sourcesJar testFixturesJar
 
-#
-# Upload JAR artifacts to Maven Central
-#
-upload:
-	./gradlew upload
-
 #
 # Create self-contained distribution package
 #
 pack:
 	BUILD_PACK=1 ./gradlew pack
 
-#
-# Close artifacts uploaded to Maven central
-#
-close:
-	./gradlew closeAndReleaseRepository
-
 #
 # Upload final package to GitHub
 #
diff --git a/build.gradle b/build.gradle
index 4b4ee6e1f2..46dad2fb0a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -15,7 +15,6 @@
  */
 
 plugins {
-    id "io.codearte.nexus-staging" version "0.30.0"
     id 'java'
     id 'idea'
 }
@@ -274,21 +273,11 @@ task exportClasspath {
     }
 }
 
-ext.nexusUsername = project.findProperty('nexusUsername')
-ext.nexusPassword = project.findProperty('nexusPassword')
-ext.nexusFullName = project.findProperty('nexusFullName')
-ext.nexusEmail = project.findProperty('nexusEmail')
-
 // `signing.keyId` property needs to be defined in the `gradle.properties` file
 ext.enableSignArchives = project.findProperty('signing.keyId')
 
 ext.coreProjects = projects( ':nextflow', ':nf-commons', ':nf-httpfs' )
 
-configure(coreProjects) {
-    group = 'io.nextflow'
-    version = rootProject.file('VERSION').text.trim()
-}
-
 /*
  * Maven central deployment
  * http://central.sonatype.org/pages/gradle.html
@@ -297,6 +286,9 @@ configure(coreProjects) {
     apply plugin: 'maven-publish'
     apply plugin: 'signing'
 
+    group = 'io.nextflow'
+    version = rootProject.file('VERSION').text.trim()
+
     task javadocJar(type: Jar) {
         archiveClassifier = 'javadoc'
         from configurations.groovyDoc
@@ -333,9 +325,8 @@ configure(coreProjects) {
                     }
                     developers {
                         developer {
-                            id = nexusUsername
-                            name = nexusFullName
-                            email = nexusEmail
+                            name = 'Paolo Di Tommaso'
+                            email = 'paolo.ditommaso@gmail.com'
                         }
                     }
                     scm {
@@ -352,13 +343,15 @@ configure(coreProjects) {
 
         repositories {
             maven {
-                // change URLs to point to your repos, e.g. http://my.org/repo
-                def releasesRepoUrl = "https://oss.sonatype.org/service/local/staging/deploy/maven2/"
-                def snapshotsRepoUrl = "https://oss.sonatype.org/content/repositories/snapshots/"
+                // TOMDO
+                def releasesRepoUrl = "s3://tom-test-aws/maven/releases"
+                def snapshotsRepoUrl = "s3://tom-test-aws/maven/snapshots"
+//                def releasesRepoUrl = "s3://.amazonaws.com/maven.seqera.io/releases"
+//                def snapshotsRepoUrl = "https://s3-eu-west-1.amazonaws.com/maven.seqera.io/snapshots"
                 url = version.endsWith('SNAPSHOT') ? snapshotsRepoUrl : releasesRepoUrl
-                credentials(PasswordCredentials) {
-                    username nexusUsername
-                    password nexusPassword
+                credentials(AwsCredentials) {
+                    accessKey = System.env.AWS_ACCESS_KEY_ID ?: findProperty('aws_access_key_id')
+                    secretKey = System.env.AWS_SECRET_ACCESS_KEY ?: findProperty('aws_secret_access_key')
                 }
             }
         }
@@ -371,46 +364,25 @@ configure(coreProjects) {
 
 }
 
-
-String bytesToHex(byte[] bytes) {
-    StringBuffer result = new StringBuffer();
-    for (byte byt : bytes) result.append(Integer.toString((byt & 0xff) + 0x100, 16).substring(1));
-    return result.toString();
+task publishToMaven {
+    dependsOn coreProjects.publish
 }
 
+
 task makeDigest { doLast {
     byte[] digest
     String  str = file('nextflow').text
     // create sha1
     digest = java.security.MessageDigest.getInstance("SHA1").digest(str.getBytes())
-    file('nextflow.sha1').text = new BigInteger(1, digest).toString(16) + '\n'
+    file('nextflow.sha1').text = digest.encodeHex().toString() + '\n'
     // create sha-256
     digest = java.security.MessageDigest.getInstance("SHA-256").digest(str.getBytes())
-    file('nextflow.sha256').text = bytesToHex(digest) + '\n'
+    file('nextflow.sha256').text = digest.encodeHex().toString() + '\n'
     // create md5
     digest = java.security.MessageDigest.getInstance("MD5").digest(str.getBytes())
-    file('nextflow.md5').text = bytesToHex(digest) + '\n'
+    file('nextflow.md5').text = digest.encodeHex().toString() + '\n'
 }}
 
-
-task upload {
-    dependsOn compile
-    dependsOn makeDigest
-    dependsOn coreProjects.publish
-}
-
-/*
- * Configure Nextflow staging plugin -- https://github.com/Codearte/gradle-nexus-staging-plugin
- * It adds the tasks
- * - closeRepository
- * - releaseRepository
- * - closeAndReleaseRepository
- */
-nexusStaging {
-    packageGroup = 'io.nextflow'
-    delayBetweenRetriesInMillis = 10_000
-}
-
 if( System.env.BUILD_PACK ) {
     apply from: 'packing.gradle'
 }

From 03f70a20e6c9c523ba7a8e2bea2f6473943d512b Mon Sep 17 00:00:00 2001
From: Tom Sellman <tom.sellman@seqera.io>
Date: Tue, 26 Nov 2024 12:07:52 +0000
Subject: [PATCH 5/9] Headless release: publish plugins & update index json

Signed-off-by: Tom Sellman <tom.sellman@seqera.io>
---
 .github/scripts/deploy-plugins-to-github.sh   | 44 +++++++++++++++
 .github/scripts/deploy-plugins-to-maven.sh    | 14 +++++
 ...loy-plugins.sh => update-plugins-index.sh} |  7 ++-
 .github/workflows/release.yml                 | 25 ++++++++-
 Makefile                                      |  7 ---
 build.gradle                                  | 15 ++---
 .../tasks/GithubRepositoryPublisher.groovy    | 21 +++++--
 plugins/build.gradle                          | 55 +++++--------------
 8 files changed, 121 insertions(+), 67 deletions(-)
 create mode 100644 .github/scripts/deploy-plugins-to-github.sh
 create mode 100644 .github/scripts/deploy-plugins-to-maven.sh
 rename .github/scripts/{deploy-plugins.sh => update-plugins-index.sh} (53%)

diff --git a/.github/scripts/deploy-plugins-to-github.sh b/.github/scripts/deploy-plugins-to-github.sh
new file mode 100644
index 0000000000..93f11508b9
--- /dev/null
+++ b/.github/scripts/deploy-plugins-to-github.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/../.."
+
+GH_ORG=${GH_ORG:-'nextflow-io'}
+
+# function to extract plugin version from manifest
+function get_plugin_version() {
+  grep 'Plugin-Version' "$1/src/resources/META-INF/MANIFEST.MF" |\
+    cut -d ':' -f 2 |\
+    xargs
+}
+
+# deploy plugin artifacts to github releases
+echo "Publishing plugins to github"
+
+for plugin in plugins/nf-*; do
+  if [[ -d "$plugin" ]]; then
+    # get plugin name and version
+    plugin_name=$(basename "$plugin")
+    plugin_repo="$GH_ORG/$plugin_name"
+    plugin_version=$(get_plugin_version "$plugin")
+
+    # check if release already exists
+    gh release view --repo "$plugin_repo" "$plugin_version" > /dev/null 2>&1 \
+      && release_exists=true
+
+    # if not exists, create github release, with zip & meta json files
+    if [[ $release_exists ]]; then
+      echo "Plugin $plugin_name $plugin_version already deployed to github, skipping"
+    else
+      gh release create \
+        --repo "$plugin_repo" \
+        --title "Version $plugin_version" \
+        "$plugin_version" \
+        "$plugin/build/libs/$plugin_name-$plugin_version.zip" \
+        "$plugin/build/libs/$plugin_name-$plugin_version-meta.json"
+    fi
+  fi
+done
+
+echo "Done"
diff --git a/.github/scripts/deploy-plugins-to-maven.sh b/.github/scripts/deploy-plugins-to-maven.sh
new file mode 100644
index 0000000000..114129caba
--- /dev/null
+++ b/.github/scripts/deploy-plugins-to-maven.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/../.."
+
+echo "Publishing plugins to maven"
+
+# the release process should have already built the jars, so to avoid re-compiling everything
+# we can tell gradle to skip all non publish/publication related tasks
+./gradlew publishPluginsToMaven \
+  $( ./gradlew publishPluginsToMaven --dry-run | grep -iv 'publish\|publication' | awk '/^:/ { print "-x" $1 }')
+
+echo "Done"
diff --git a/.github/scripts/deploy-plugins.sh b/.github/scripts/update-plugins-index.sh
similarity index 53%
rename from .github/scripts/deploy-plugins.sh
rename to .github/scripts/update-plugins-index.sh
index a335cb8bdc..1cfe68d08c 100644
--- a/.github/scripts/deploy-plugins.sh
+++ b/.github/scripts/update-plugins-index.sh
@@ -4,5 +4,8 @@ set -e
 # change to the project root
 cd "$(dirname "$0")/../.."
 
-# stub deployment
-echo "Deploying plugins"
+echo "Updating plugins index"
+
+./gradlew plugins:publishIndex
+
+echo "Done"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 89f6c50e89..5576bc5564 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -199,6 +199,25 @@ jobs:
           name: plugins
           path: plugins
 
-      # deploy step
-      - name: Deploy plugins
-        run: bash .github/scripts/deploy-plugins.sh
+      # deploy steps
+      - name: Deploy plugins to maven
+        run: bash .github/scripts/deploy-plugins-to-maven.sh
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
+          MAVEN_PUBLISH_URL: ${{ vars.MAVEN_PLUGINS_PUBLISH_URL }}
+
+      - name: Deploy plugins to github
+        run: bash .github/scripts/deploy-plugins-to-github.sh
+        env:
+          GH_TOKEN: ${{ secrets.DEPLOY_GITHUB_TOKEN }}
+          GH_ORG: ${{ vars.PLUGINS_GITHUB_ORG }}
+
+      - name: Update plugins index
+        run: bash .github/scripts/update-plugins-index.sh
+        env:
+          GH_ORG: ${{ vars.PLUGINS_GITHUB_ORG }}
+          GH_USER: ${{ vars.DEPLOY_GITHUB_USER }}
+          GH_USER_EMAIL: ${{ vars.DEPLOY_GITHUB_EMAIL }}
+          GH_TOKEN: ${{ secrets.DEPLOY_GITHUB_TOKEN }}
+          PLUGINS_INDEX_JSON: ${{ vars.PLUGINS_INDEX_JSON }}
diff --git a/Makefile b/Makefile
index ae0a8726e2..a3247235a3 100644
--- a/Makefile
+++ b/Makefile
@@ -108,10 +108,3 @@ release:
 #
 dockerPack:
 	BUILD_PACK=1 ./gradlew publishToMavenLocal dockerPack -Dmaven.repo.local=${PWD}/build/docker/.nextflow/capsule/deps/
-
-
-upload-plugins:
-	./gradlew plugins:upload
-
-publish-index:
-	./gradlew plugins:publishIndex
diff --git a/build.gradle b/build.gradle
index 46dad2fb0a..f841e8d798 100644
--- a/build.gradle
+++ b/build.gradle
@@ -343,15 +343,12 @@ configure(coreProjects) {
 
         repositories {
             maven {
-                // TOMDO
-                def releasesRepoUrl = "s3://tom-test-aws/maven/releases"
-                def snapshotsRepoUrl = "s3://tom-test-aws/maven/snapshots"
-//                def releasesRepoUrl = "s3://.amazonaws.com/maven.seqera.io/releases"
-//                def snapshotsRepoUrl = "https://s3-eu-west-1.amazonaws.com/maven.seqera.io/snapshots"
-                url = version.endsWith('SNAPSHOT') ? snapshotsRepoUrl : releasesRepoUrl
+                url = System.getenv('MAVEN_PUBLISH_URL')
+                    ?: ( version.endsWith('-SNAPSHOT') ? "s3://maven.seqera.io/snapshots" : "s3://maven.seqera.io/releases" )
+
                 credentials(AwsCredentials) {
-                    accessKey = System.env.AWS_ACCESS_KEY_ID ?: findProperty('aws_access_key_id')
-                    secretKey = System.env.AWS_SECRET_ACCESS_KEY ?: findProperty('aws_secret_access_key')
+                    accessKey = System.getenv('AWS_ACCESS_KEY_ID') ?: findProperty('aws_access_key_id')
+                    secretKey = System.getenv('AWS_SECRET_ACCESS_KEY') ?: findProperty('aws_secret_access_key')
                 }
             }
         }
@@ -361,14 +358,12 @@ configure(coreProjects) {
         required { enableSignArchives }
         sign publishing.publications.mavenJava
     }
-
 }
 
 task publishToMaven {
     dependsOn coreProjects.publish
 }
 
-
 task makeDigest { doLast {
     byte[] digest
     String  str = file('nextflow').text
diff --git a/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy b/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy
index 6f5babbe9d..a37a33f130 100644
--- a/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy
+++ b/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy
@@ -61,6 +61,7 @@ class GithubRepositoryPublisher extends DefaultTask {
 
 
     String mergeIndex(List<PluginMeta> mainIndex, Map<String,List<PluginRelease>> pluginsToPublish) {
+        boolean modified = false
 
         for( Map.Entry<String,List<PluginRelease>> item : pluginsToPublish ) {
             final pluginId = item.key
@@ -69,6 +70,7 @@ class GithubRepositoryPublisher extends DefaultTask {
 
             if (!indexEntry) {
                 mainIndex.add(new PluginMeta(id: pluginId, releases: pluginReleases))
+                modified = true
             }
             else {
                 for (PluginRelease rel : pluginReleases) {
@@ -79,11 +81,13 @@ class GithubRepositoryPublisher extends DefaultTask {
                     // if not, add to the index
                     if( !indexRel ) {
                         indexEntry.releases << rel
+                        modified = true
                     }
                     // otherwise, verify the checksum matches
                     else if( indexRel.sha512sum != rel.sha512sum ) {
                         if( overwrite ) {
                             indexEntry.releases[index] = rel
+                            modified = true
                         }
                         else {
                             def msg = "Plugin $pluginId@${rel.version} invalid checksum:\n"
@@ -97,11 +101,15 @@ class GithubRepositoryPublisher extends DefaultTask {
             }
         }
 
-        new GsonBuilder()
+        if ( modified ) {
+            new GsonBuilder()
                 .setPrettyPrinting()
                 .disableHtmlEscaping()
                 .create()
                 .toJson(mainIndex)
+        } else {
+            null
+        }
     }
 
     List<PluginMeta> parseMainIndex(GithubClient github, String path) {
@@ -188,10 +196,13 @@ class GithubRepositoryPublisher extends DefaultTask {
         logger.quiet("Merging index")
         final result = mergeIndex(mainIndex, pluginsToPublish)
 
-        // push to github
-        logger.quiet("Publish merged index to $indexUrl")
-
-        github.pushChange(targetFileName, result.toString() + '\n', "Nextflow plugins update")
+        if ( result ) {
+            // push to github
+            logger.quiet("Publish merged index to $indexUrl")
+            github.pushChange(targetFileName, result.toString() + '\n', "Nextflow plugins update")
+        } else {
+            logger.quiet("No changes to index")
+        }
     }
 
 }
diff --git a/plugins/build.gradle b/plugins/build.gradle
index 78b2656ffd..2e06f8fbe2 100644
--- a/plugins/build.gradle
+++ b/plugins/build.gradle
@@ -1,18 +1,9 @@
-import io.nextflow.gradle.tasks.GithubUploader
 import io.nextflow.gradle.tasks.GithubRepositoryPublisher
 import org.apache.commons.codec.digest.DigestUtils
 
 apply plugin: 'java'
 apply plugin: "io.nextflow.nf-build-plugin"
 
-ext.github_organization = 'nextflow-io'
-ext.github_username = project.findProperty('github_username') ?: 'pditommaso'
-ext.github_access_token = project.findProperty('github_access_token') ?: System.getenv('GITHUB_TOKEN')
-ext.github_commit_email = project.findProperty('github_commit_email') ?: 'paolo.ditommaso@gmail.com'
-ext.aws_access_key_id = project.findProperty('aws_access_key_id') ?: System.getenv('AWS_ACCESS_KEY_ID')
-ext.aws_secret_access_key = project.findProperty('aws_secret_access_key') ?: System.getenv('AWS_SECRET_ACCESS_KEY')
-ext.publishRepoUrl = project.findProperty('publish_repo_url') ?: System.getenv('PUBLISH_REPO_URL') ?: ( version.endsWith('-SNAPSHOT') ? "s3://maven.seqera.io/snapshots" : "s3://maven.seqera.io/releases" )
-
 jar.enabled = false
 
 String computeSha512(File file) {
@@ -120,24 +111,6 @@ subprojects {
     */
     project.parent.tasks.getByName("assemble").dependsOn << copyPluginZip
 
-
-    /*
-     * Upload the plugin zip & json meta file to the corresponding GitHub repo
-     */
-    task uploadPlugin(type: GithubUploader, dependsOn: makeZip) {
-        group 'nextflow'
-        assets = providers.provider {["$buildDir/libs/${project.name}-${project.version}.zip",
-                                      "$buildDir/libs/${project.name}-${project.version}-meta.json" ]}
-        release = providers.provider { project.version }
-        unstable = providers.provider { project.version.endsWith('-SNAPSHOT') }
-        repo = providers.provider { project.name }
-        owner = github_organization
-        userName = github_username
-        authToken = github_access_token
-        skipExisting = true
-        ignore = true
-    }
-
     jar {
         from sourceSets.main.allSource
         doLast {
@@ -162,23 +135,25 @@ subprojects {
         }
         repositories {
             maven {
-                url = publishRepoUrl
+                url = System.getenv('MAVEN_PUBLISH_URL')
+                    ?: ( version.endsWith('-SNAPSHOT') ? "s3://maven.seqera.io/snapshots" : "s3://maven.seqera.io/releases" )
+
                 credentials(AwsCredentials) {
-                    // keys are defined in the `gradle.properties` file
-                    accessKey aws_access_key_id
-                    secretKey aws_secret_access_key
+                    accessKey = System.getenv('AWS_ACCESS_KEY_ID') ?: findProperty('aws_access_key_id')
+                    secretKey = System.getenv('AWS_SECRET_ACCESS_KEY') ?: findProperty('aws_secret_access_key')
                 }
             }
         }
     }
 
-
 }
 
-/*
- * Upload all plugins to the corresponding GitHub repos
+/**
+ * Publish jars to maven repositories
  */
-task upload(dependsOn: [subprojects.uploadPlugin, subprojects.publish]) { }
+task publishPluginsToMaven {
+    dependsOn subprojects.publish
+}
 
 /*
  * Copies the plugins required dependencies in the corresponding lib directory
@@ -194,10 +169,10 @@ project.parent.tasks.getByName("assemble").dependsOn << assemble
  * Merge and publish the plugins index file
  */
 task publishIndex( type: GithubRepositoryPublisher ) {
-    indexUrl = 'https://github.com/nextflow-io/plugins/main/plugins.json'
+    indexUrl = System.getenv('PLUGINS_INDEX_JSON') ?: 'https://github.com/nextflow-io/plugins/main/plugins.json'
     repos = allPlugins()
-    owner = github_organization
-    githubUser = github_username
-    githubEmail = github_commit_email
-    githubToken = github_access_token
+    owner = System.getenv('GH_ORG') ?: 'nextflow-io'
+    githubUser = System.getenv('GH_USER') ?: project.findProperty('github_username')
+    githubEmail = System.getenv('GH_USER_EMAIL') ?: project.findProperty('github_commit_email')
+    githubToken = System.getenv('GH_TOKEN') ?: project.findProperty('github_access_token')
 }

From 13341bea403b0923c05822b7053dd184a5a1f474 Mon Sep 17 00:00:00 2001
From: Tom Sellman <tom.sellman@seqera.io>
Date: Thu, 28 Nov 2024 11:43:58 +0000
Subject: [PATCH 6/9] Headless release: wire everything up

Signed-off-by: Tom Sellman <tom.sellman@seqera.io>
---
 .github/scripts/deploy-to-github.sh | 22 +++++++
 .github/scripts/publish-release.sh  | 35 +++++++++++
 .github/scripts/tag-release.sh      | 14 +++++
 .github/workflows/build.yml         | 18 ++++++
 .github/workflows/release.yml       | 96 +++++++++++++++++++++++++++--
 Makefile                            |  2 +-
 make-release.sh                     | 76 +++++++++++++++++++++++
 packing.gradle                      | 59 ------------------
 8 files changed, 256 insertions(+), 66 deletions(-)
 create mode 100644 .github/scripts/deploy-to-github.sh
 create mode 100644 .github/scripts/publish-release.sh
 create mode 100644 .github/scripts/tag-release.sh
 create mode 100755 make-release.sh

diff --git a/.github/scripts/deploy-to-github.sh b/.github/scripts/deploy-to-github.sh
new file mode 100644
index 0000000000..3a9585d34d
--- /dev/null
+++ b/.github/scripts/deploy-to-github.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/../.."
+
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+echo "Publishing nextflow release to github"
+
+# create a github (pre)release and attach launcher and dist files
+# use --verify-tag to fail if tag doesn't exist
+gh release create \
+  --prerelease \
+  --title "Version $NF_VERSION" \
+  --verify-tag \
+  "v$NF_VERSION" \
+  nextflow \
+  "build/releases/nextflow-$NF_VERSION-dist"
+
+echo "Done"
diff --git a/.github/scripts/publish-release.sh b/.github/scripts/publish-release.sh
new file mode 100644
index 0000000000..b6cc0c2d35
--- /dev/null
+++ b/.github/scripts/publish-release.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/../.."
+
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+# determine publish location
+S3_RELEASE_BUCKET=${S3_RELEASE_BUCKET:-'www2.nextflow.io'}
+if [[ "$NF_VERSION" =~ /^.+(-edge|-EDGE)$/ ]]; then
+  S3_RELEASE_DIR="releases/edge"
+else
+  S3_RELEASE_DIR="releases/latest"
+fi
+
+
+#publish nextflow script as latest
+files+=(
+  'nextflow'
+  'nextflow.sha1'
+  'nextflow.sha256'
+  'nextflow.md5'
+  'VERSION'
+)
+
+for file in "${files[@]}"; do
+  filename=$(echo "$file" | tr '[:upper:]' '[:lower:]')
+  aws s3 cp "$file" "s3://$S3_RELEASE_BUCKET/$S3_RELEASE_DIR/$filename" \
+    --no-progress \
+    --storage-class STANDARD \
+    --region eu-west-1 \
+   --acl public-read
+done
diff --git a/.github/scripts/tag-release.sh b/.github/scripts/tag-release.sh
new file mode 100644
index 0000000000..39a0da3d88
--- /dev/null
+++ b/.github/scripts/tag-release.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/../.."
+
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+# create & push an annotated git tag
+git tag "v$NF_VERSION"
+git push origin "v$NF_VERSION"
+
+echo "Done"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9a8675a013..5f602c3d75 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -243,3 +243,21 @@ jobs:
             env:
                 GITHUB_TOKEN: ${{ secrets.AUTOMATION_GITHUB_TOKEN }}
                 GRADLE_OPTS: '-Dorg.gradle.daemon=false'
+
+  release:
+    name: Release
+    if: ${{ contains(needs.build.outputs.commit_message,'[release]') }}
+    runs-on: ubuntu-latest
+    needs: build
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          submodules: true
+
+      - name: Release
+        run: gh workflow run release.yml --ref ${{ github.ref }}
+        env:
+          GH_TOKEN: ${{ secrets.AUTOMATION_GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5576bc5564..c802cab2ac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,7 +1,5 @@
 name: Release
-run-name: Release ${{ github.ref_name }}
 
-# TODO:tom real workflow trigger
 on:
   workflow_dispatch:
 
@@ -61,13 +59,35 @@ jobs:
             plugins/build/libs/
             plugins/*/build/libs/
 
+  # --------------------------------------------------
+  # job: tag
+  # --------------------------------------------------
+  tag:
+    name: Tag
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: assemble
+    permissions:
+      contents: write
+    steps:
+      # setup steps
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          submodules: true
+
+      # execute steps
+      - name: Tag
+        run: bash .github/scripts/tag-release.sh
+
   # --------------------------------------------------
   # job: deploy-maven
   # --------------------------------------------------
   deploy-maven:
     name: Deploy to Maven
     runs-on: ubuntu-latest
-    needs: assemble
+    needs: tag
     timeout-minutes: 15
     steps:
       # setup steps
@@ -105,7 +125,7 @@ jobs:
   deploy-s3:
     name: Deploy to S3
     runs-on: ubuntu-latest
-    needs: assemble
+    needs: tag
     timeout-minutes: 15
     steps:
       # setup steps
@@ -140,7 +160,9 @@ jobs:
   deploy-docker:
     name: Deploy to Docker
     runs-on: ubuntu-latest
-    needs: assemble
+    needs:
+      - tag
+      - deploy-s3
     timeout-minutes: 15
     steps:
       # setup steps
@@ -169,13 +191,41 @@ jobs:
         env:
           SEQERA_REGISTRY: ${{ vars.SEQERA_PUBLIC_CR_URL }}
 
+  # --------------------------------------------------
+  # job: deploy-github
+  # --------------------------------------------------
+  deploy-github:
+    name: Deploy to Github
+    runs-on: ubuntu-latest
+    needs: tag
+    timeout-minutes: 15
+    steps:
+      # setup steps
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          submodules: true
+
+      - name: Download artifacts (distribution)
+        uses: actions/download-artifact@v4
+        with:
+          name: distribution
+          path: build/releases
+
+        # deploy steps
+      - name: Create github release
+        run: bash .github/scripts/deploy-to-github.sh
+        env:
+          GH_TOKEN: ${{ secrets.DEPLOY_GITHUB_TOKEN }}
+
   # --------------------------------------------------
   # job: deploy-plugins
   # --------------------------------------------------
   deploy-plugins:
     name: Deploy Plugins
     runs-on: ubuntu-latest
-    needs: assemble
+    needs: tag
     timeout-minutes: 15
     steps:
       # setup steps
@@ -221,3 +271,37 @@ jobs:
           GH_USER_EMAIL: ${{ vars.DEPLOY_GITHUB_EMAIL }}
           GH_TOKEN: ${{ secrets.DEPLOY_GITHUB_TOKEN }}
           PLUGINS_INDEX_JSON: ${{ vars.PLUGINS_INDEX_JSON }}
+
+
+  # --------------------------------------------------
+  # job: publish
+  # --------------------------------------------------
+  publish:
+    name: Publish release
+    runs-on: ubuntu-latest
+    needs:
+      - deploy-s3
+      - deploy-docker
+      - deploy-maven
+      - deploy-github
+    timeout-minutes: 15
+    steps:
+      # setup steps
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          submodules: true
+
+      - name: Setup AWS
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-1
+          aws-access-key-id: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
+
+      # deploy steps
+      - name: Publish release
+        run: bash .github/scripts/publish-release.sh
+        env:
+          S3_RELEASE_BUCKET: ${{ vars.S3_RELEASE_BUCKET }}
diff --git a/Makefile b/Makefile
index a3247235a3..c3be61fffb 100644
--- a/Makefile
+++ b/Makefile
@@ -101,7 +101,7 @@ pack:
 # Upload final package to GitHub
 #
 release:
-	BUILD_PACK=1 ./gradlew release
+	./make-release.sh
 
 #
 # Create local docker image
diff --git a/make-release.sh b/make-release.sh
new file mode 100755
index 0000000000..95a7c66c74
--- /dev/null
+++ b/make-release.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -e
+
+cd "$(dirname "$0")"
+
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+# read the plugin versions
+plugins=()
+plugin_versions=()
+function get_plugin_version() {
+  grep 'Plugin-Version' "$1/src/resources/META-INF/MANIFEST.MF" |\
+    cut -d ':' -f 2 |\
+    xargs
+}
+for plugin in plugins/nf-*; do
+  if [[ -d "$plugin" ]]; then
+    plugins+=("$plugin")
+    plugin_versions+=("$(get_plugin_version "$plugin")")
+  fi
+done
+
+# prompt user to check versions are correct
+echo "
+------------------------
+This will release:
+
+  nextflow: $NF_VERSION
+"
+for i in "${!plugins[@]}"; do
+  plugin_name=$(basename "${plugins[$i]}")
+  echo "  $plugin_name: ${plugin_versions[$i]}"
+done
+echo "------------------------
+
+If these are not the versions you want to release, type 'no' and update the below
+files (without committing), then run this script again:
+  .
+  ├── VERSION
+  ├── nextflow
+  ├── changelog.txt
+  └── plugins/nf-*/
+      ├── src/main/resources/META-INF/MANIFEST.MF
+      └── changelog.txt
+"
+
+echo -n "Type 'yes' to proceed: "
+read -r proceed
+if [[ "$proceed" != "yes" ]]; then
+  echo "Aborting"
+  exit
+fi
+
+# update the digest files before committing anything
+./gradlew makeDigest
+
+# create the release commit, including text '[release]' to trigger the github action
+# the github action workflow will perform the following tasks
+# - tag the release
+# - build the release artifacts
+# - deploy the release artifacts to maven/docker/S3/etc
+# - create a (pre-release) github release
+# - deploy the plugins, and update the plugin index
+git commit -s -am "Release $NF_VERSION [release]"
+# push the current branch is to the remote origin
+git push origin HEAD
+
+echo "
+------------------------------------------------------------
+Release commit pushed.
+This should trigger a github release workflow.
+Once the workflow is complete, you should add the changelog
+to the github release.
+------------------------------------------------------------
+"
diff --git a/packing.gradle b/packing.gradle
index 0777f3e2f4..2ce2c17ca4 100644
--- a/packing.gradle
+++ b/packing.gradle
@@ -29,7 +29,6 @@ ext.mainClassName = 'nextflow.cli.Launcher'
 ext.homeDir = System.properties['user.home']
 ext.nextflowDir = "$homeDir/.nextflow/framework/$version"
 ext.releaseDir = "$buildDir/releases"
-ext.s3CmdOpts="--acl public-read --storage-class STANDARD --region eu-west-1"
 
 protected resolveDeps( String configName, String... x ) {
 
@@ -161,61 +160,3 @@ task dockerPack(type: Exec, dependsOn: ['packOne']) {
 
     commandLine 'bash', '-e', temp.absolutePath
 }
-
-/*
- * Tag and upload the release
- * 
- * https://github.com/aktau/github-release/
- */
-task release(type: Exec, dependsOn: [pack]) {
-
-    def launcherFile = file('nextflow').absoluteFile
-    def launcherSha1 = file('nextflow.sha1').absoluteFile
-    def launcherSha256 = file('nextflow.sha256').absoluteFile
-    def nextflowAllFile = file("$releaseDir/nextflow-${version}-dist")
-    def versionFile = file('VERSION').absoluteFile
-
-    def snapshot = version ==~ /^.+(-RC\d+|-SNAPSHOT)$/
-    def edge = version ==~ /^.+(-edge|-EDGE)$/
-    def isLatest = !snapshot && !edge
-    def cmd =  """\
-    # tag the release
-    git push || exit \$?
-    (git tag -a v$version -m 'Tagging version $version [release]' -f && git push origin v$version -f) || exit \$?
-    sleep 1
-    gh release create --repo nextflow-io/nextflow --prerelease --title "Version $version" v$version 
-    sleep 1
-    gh release upload --repo nextflow-io/nextflow v$version ${launcherFile} ${nextflowAllFile}        
-    """.stripIndent()
-
-    if( edge )
-        cmd += """
-        # publish the script as the latest
-        export AWS_ACCESS_KEY_ID=${System.env.NXF_AWS_ACCESS}
-        export AWS_SECRET_ACCESS_KEY=${System.env.NXF_AWS_SECRET}
-        aws s3 cp $launcherFile s3://www2.nextflow.io/releases/edge/nextflow $s3CmdOpts
-        aws s3 cp $launcherSha1 s3://www2.nextflow.io/releases/edge/nextflow.sha1 $s3CmdOpts
-        aws s3 cp $launcherSha256 s3://www2.nextflow.io/releases/edge/nextflow.sha256 $s3CmdOpts
-        aws s3 cp $launcherSha256 s3://www2.nextflow.io/releases/edge/nextflow.md5 $s3CmdOpts
-        aws s3 cp $versionFile s3://www2.nextflow.io/releases/edge/version $s3CmdOpts
-        """.stripIndent()
-        
-    else if( isLatest )
-        cmd += """
-        # publish the script as the latest
-        export AWS_ACCESS_KEY_ID=${System.env.NXF_AWS_ACCESS}
-        export AWS_SECRET_ACCESS_KEY=${System.env.NXF_AWS_SECRET}
-        aws s3 cp $launcherFile s3://www2.nextflow.io/releases/latest/nextflow $s3CmdOpts
-        aws s3 cp $launcherSha1 s3://www2.nextflow.io/releases/latest/nextflow.sha1 $s3CmdOpts
-        aws s3 cp $launcherSha256 s3://www2.nextflow.io/releases/latest/nextflow.sha256 $s3CmdOpts
-        aws s3 cp $launcherSha256 s3://www2.nextflow.io/releases/latest/nextflow.md5 $s3CmdOpts
-        aws s3 cp $versionFile s3://www2.nextflow.io/releases/latest/version $s3CmdOpts
-        """.stripIndent()
-
-    def temp = File.createTempFile('upload',null)
-    temp.deleteOnExit()
-    temp.text = cmd
-    commandLine 'bash', '-e', temp.absolutePath
-}
-
-

From 19f01c47566c2ce9ada884bcdf92f21ea9971f77 Mon Sep 17 00:00:00 2001
From: Tom Sellman <tom.sellman@seqera.io>
Date: Tue, 3 Dec 2024 12:56:54 +0000
Subject: [PATCH 7/9] Headless release: Automatically copy from 'changelog.txt'
 into github release notes

Signed-off-by: Tom Sellman <tom.sellman@seqera.io>
---
 .github/scripts/deploy-to-github.sh | 36 ++++++++++++++++++++++++++++-
 .github/scripts/publish-release.sh  |  2 +-
 make-release.sh                     |  4 ++--
 3 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/.github/scripts/deploy-to-github.sh b/.github/scripts/deploy-to-github.sh
index 3a9585d34d..7db90712bb 100644
--- a/.github/scripts/deploy-to-github.sh
+++ b/.github/scripts/deploy-to-github.sh
@@ -7,13 +7,47 @@ cd "$(dirname "$0")/../.."
 # read the nextflow version
 read -r NF_VERSION<VERSION
 
+function get_change_notes() {
+  # extract the most recent changelog notes from 'changelog.txt',
+  # which should have been manually updated for the release
+  #
+  # TODO eventually replace with proper automated changelog generation
+  is_relevant=false
+  while IFS="" read -r line || [ -n "$line" ]
+  do
+    # ignore all lines until we find the correct version
+    if [[ "$line" == "$NF_VERSION "* ]]; then
+      is_relevant=true
+    fi
+
+    # then, if line starts with a dash, add to notes
+    if [[ "$is_relevant" == true && "$line" == -* ]] ; then
+      printf '%s\n' "$line"
+    fi
+    # until the first empty line
+    if [[ "$is_relevant" == true && -z "$line" ]]; then
+      break
+    fi
+  done < changelog.txt
+}
+
 echo "Publishing nextflow release to github"
 
 # create a github (pre)release and attach launcher and dist files
 # use --verify-tag to fail if tag doesn't exist
+notes=$(get_change_notes)
+
+# if edge version, mark as pre-release
+if [[ "$NF_VERSION" =~ .+(-edge|-EDGE) ]]; then
+  prerelease='--prerelease'
+else
+  prerelease=
+fi
+
 gh release create \
-  --prerelease \
+  --draft $prerelease \
   --title "Version $NF_VERSION" \
+  --notes "$notes" \
   --verify-tag \
   "v$NF_VERSION" \
   nextflow \
diff --git a/.github/scripts/publish-release.sh b/.github/scripts/publish-release.sh
index b6cc0c2d35..ffbd319be6 100644
--- a/.github/scripts/publish-release.sh
+++ b/.github/scripts/publish-release.sh
@@ -9,7 +9,7 @@ read -r NF_VERSION<VERSION
 
 # determine publish location
 S3_RELEASE_BUCKET=${S3_RELEASE_BUCKET:-'www2.nextflow.io'}
-if [[ "$NF_VERSION" =~ /^.+(-edge|-EDGE)$/ ]]; then
+if [[ "$NF_VERSION" =~ .+(-edge|-EDGE) ]]; then
   S3_RELEASE_DIR="releases/edge"
 else
   S3_RELEASE_DIR="releases/latest"
diff --git a/make-release.sh b/make-release.sh
index 95a7c66c74..7259ab79b7 100755
--- a/make-release.sh
+++ b/make-release.sh
@@ -70,7 +70,7 @@ echo "
 ------------------------------------------------------------
 Release commit pushed.
 This should trigger a github release workflow.
-Once the workflow is complete, you should add the changelog
-to the github release.
+Once the workflow is complete, you should check and publish
+the draft github release.
 ------------------------------------------------------------
 "

From 466df18bf0e35aa35e5f0dfc6f3cf8905cff1877 Mon Sep 17 00:00:00 2001
From: Tom Sellman <tom.sellman@seqera.io>
Date: Wed, 4 Dec 2024 11:16:08 +0000
Subject: [PATCH 8/9] Headless release: alternative single script workflow in
 `build.yml`

Signed-off-by: Tom Sellman <tom.sellman@seqera.io>
---
 .github/scripts/deploy-plugins-to-github.sh |   0
 .github/scripts/deploy-plugins-to-maven.sh  |   0
 .github/scripts/deploy-to-docker.sh         |   0
 .github/scripts/deploy-to-github.sh         |   0
 .github/scripts/deploy-to-maven.sh          |   0
 .github/scripts/deploy-to-s3.sh             |   0
 .github/scripts/publish-release.sh          |   0
 .github/scripts/release.sh                  |  28 ++
 .github/scripts/tag-release.sh              |   0
 .github/scripts/update-plugins-index.sh     |   0
 .github/workflows/build.yml                 |  70 ++++-
 .github/workflows/release.yml               | 307 --------------------
 12 files changed, 96 insertions(+), 309 deletions(-)
 mode change 100644 => 100755 .github/scripts/deploy-plugins-to-github.sh
 mode change 100644 => 100755 .github/scripts/deploy-plugins-to-maven.sh
 mode change 100644 => 100755 .github/scripts/deploy-to-docker.sh
 mode change 100644 => 100755 .github/scripts/deploy-to-github.sh
 mode change 100644 => 100755 .github/scripts/deploy-to-maven.sh
 mode change 100644 => 100755 .github/scripts/deploy-to-s3.sh
 mode change 100644 => 100755 .github/scripts/publish-release.sh
 create mode 100644 .github/scripts/release.sh
 mode change 100644 => 100755 .github/scripts/tag-release.sh
 mode change 100644 => 100755 .github/scripts/update-plugins-index.sh
 delete mode 100644 .github/workflows/release.yml

diff --git a/.github/scripts/deploy-plugins-to-github.sh b/.github/scripts/deploy-plugins-to-github.sh
old mode 100644
new mode 100755
diff --git a/.github/scripts/deploy-plugins-to-maven.sh b/.github/scripts/deploy-plugins-to-maven.sh
old mode 100644
new mode 100755
diff --git a/.github/scripts/deploy-to-docker.sh b/.github/scripts/deploy-to-docker.sh
old mode 100644
new mode 100755
diff --git a/.github/scripts/deploy-to-github.sh b/.github/scripts/deploy-to-github.sh
old mode 100644
new mode 100755
diff --git a/.github/scripts/deploy-to-maven.sh b/.github/scripts/deploy-to-maven.sh
old mode 100644
new mode 100755
diff --git a/.github/scripts/deploy-to-s3.sh b/.github/scripts/deploy-to-s3.sh
old mode 100644
new mode 100755
diff --git a/.github/scripts/publish-release.sh b/.github/scripts/publish-release.sh
old mode 100644
new mode 100755
diff --git a/.github/scripts/release.sh b/.github/scripts/release.sh
new file mode 100644
index 0000000000..78310b866f
--- /dev/null
+++ b/.github/scripts/release.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -e
+
+# build artifacts
+make distribution
+
+# tag release
+./tag-release.sh
+
+# deploy to maven
+./deploy-to-maven.sh
+
+# deploy to S3
+./deploy-to-s3.sh
+
+# deploy to docker
+./deploy-to-docker.sh
+
+# deploy to github
+./deploy-to-github.sh
+
+# deploy plugins
+./deploy-plugins-to-maven.sh
+./deploy-plugins-to-github.sh
+./update-plugins-index.sh
+
+# finally, publish the distribution
+./publish-release.sh
diff --git a/.github/scripts/tag-release.sh b/.github/scripts/tag-release.sh
old mode 100644
new mode 100755
diff --git a/.github/scripts/update-plugins-index.sh b/.github/scripts/update-plugins-index.sh
old mode 100644
new mode 100755
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5f602c3d75..1a77e9e0f8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -244,6 +244,9 @@ jobs:
                 GITHUB_TOKEN: ${{ secrets.AUTOMATION_GITHUB_TOKEN }}
                 GRADLE_OPTS: '-Dorg.gradle.daemon=false'
 
+  # --------------------------------------------------
+  # job: release
+  # --------------------------------------------------
   release:
     name: Release
     if: ${{ contains(needs.build.outputs.commit_message,'[release]') }}
@@ -251,13 +254,76 @@ jobs:
     needs: build
     timeout-minutes: 10
     steps:
+      # setup steps
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
           submodules: true
 
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: 17
+          distribution: 'temurin'
+          architecture: x64
+
+      - name: Setup AWS
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-1
+          aws-access-key-id: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
+
+      - name: Login to Docker hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_ID }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: Login to Seqera registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.SEQERA_PUBLIC_CR_URL }}
+          username: ${{ secrets.SEQERA_PUBLIC_CR_USER }}
+          password: ${{ secrets.SEQERA_PUBLIC_CR_PASSWORD }}
+
+      # release step
       - name: Release
-        run: gh workflow run release.yml --ref ${{ github.ref }}
+        run: bash .github/scripts/release.sh
         env:
-          GH_TOKEN: ${{ secrets.AUTOMATION_GITHUB_TOKEN }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
+          GH_ORG: ${{ vars.PLUGINS_GITHUB_ORG }}
+          GH_USER: ${{ vars.DEPLOY_GITHUB_USER }}
+          GH_USER_EMAIL: ${{ vars.DEPLOY_GITHUB_EMAIL }}
+          GH_TOKEN: ${{ secrets.DEPLOY_GITHUB_TOKEN }}
+          MAVEN_PUBLISH_URL: ${{ vars.MAVEN_PLUGINS_PUBLISH_URL }}
+          PLUGINS_INDEX_JSON: ${{ vars.PLUGINS_INDEX_JSON }}
+          S3_RELEASE_BUCKET: ${{ vars.S3_RELEASE_BUCKET }}
+          SEQERA_REGISTRY: ${{ vars.SEQERA_PUBLIC_CR_URL }}
+
+      # upload steps
+      - name: Upload artifacts (libs)
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 3
+          name: libs
+          path: modules/*/build/libs/
+
+      - name: Upload artifacts (distribution)
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 3
+          name: distribution
+          path: build/releases/
+
+      - name: Upload artifacts (plugins)
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 3
+          compression-level: 0
+          name: plugins
+          path: |
+            plugins/build/libs/
+            plugins/*/build/libs/
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index c802cab2ac..0000000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,307 +0,0 @@
-name: Release
-
-on:
-  workflow_dispatch:
-
-env:
-  JAVA_VERSION: 17
-
-jobs:
-  # --------------------------------------------------
-  # job: assemble
-  # --------------------------------------------------
-  assemble:
-    name: Assemble
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    steps:
-      # setup steps
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-          submodules: true
-
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          java-version: ${{ env.JAVA_VERSION }}
-          distribution: 'temurin'
-          architecture: x64
-          cache: gradle
-
-      # build steps
-      - name: Compile
-        run: make distribution
-
-      # upload steps
-      - name: Upload artifacts (libs)
-        uses: actions/upload-artifact@v4
-        with:
-          retention-days: 3
-          name: libs
-          path: modules/*/build/libs/
-
-      - name: Upload artifacts (distribution)
-        uses: actions/upload-artifact@v4
-        with:
-          retention-days: 3
-          name: distribution
-          path: build/releases/
-
-      - name: Upload artifacts (plugins)
-        uses: actions/upload-artifact@v4
-        with:
-          retention-days: 3
-          compression-level: 0
-          name: plugins
-          path: |
-            plugins/build/libs/
-            plugins/*/build/libs/
-
-  # --------------------------------------------------
-  # job: tag
-  # --------------------------------------------------
-  tag:
-    name: Tag
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    needs: assemble
-    permissions:
-      contents: write
-    steps:
-      # setup steps
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-          submodules: true
-
-      # execute steps
-      - name: Tag
-        run: bash .github/scripts/tag-release.sh
-
-  # --------------------------------------------------
-  # job: deploy-maven
-  # --------------------------------------------------
-  deploy-maven:
-    name: Deploy to Maven
-    runs-on: ubuntu-latest
-    needs: tag
-    timeout-minutes: 15
-    steps:
-      # setup steps
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-          submodules: true
-
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          java-version: ${{ env.JAVA_VERSION }}
-          distribution: 'temurin'
-          architecture: x64
-          cache: gradle
-
-      - name: Download artifacts (libs)
-        uses: actions/download-artifact@v4
-        with:
-          name: libs
-          path: modules
-
-      # deploy step
-      - name: Deploy to maven
-        run: bash .github/scripts/deploy-to-maven.sh
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
-          MAVEN_PUBLISH_URL: ${{ vars.MAVEN_PUBLISH_URL }}
-
-  # --------------------------------------------------
-  # job: deploy-s3
-  # --------------------------------------------------
-  deploy-s3:
-    name: Deploy to S3
-    runs-on: ubuntu-latest
-    needs: tag
-    timeout-minutes: 15
-    steps:
-      # setup steps
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-          submodules: true
-
-      - name: Setup AWS
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: eu-west-1
-          aws-access-key-id: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
-
-      - name: Download artifacts (distribution)
-        uses: actions/download-artifact@v4
-        with:
-          name: distribution
-          path: build/releases
-
-      # deploy step
-      - name: Deploy to S3
-        run: bash .github/scripts/deploy-to-s3.sh
-        env:
-          S3_RELEASE_BUCKET: ${{ vars.S3_RELEASE_BUCKET }}
-
-  # --------------------------------------------------
-  # job: deploy-docker
-  # --------------------------------------------------
-  deploy-docker:
-    name: Deploy to Docker
-    runs-on: ubuntu-latest
-    needs:
-      - tag
-      - deploy-s3
-    timeout-minutes: 15
-    steps:
-      # setup steps
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-          submodules: true
-
-      - name: Login to Docker hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_HUB_ID }}
-          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-
-      - name: Login to Seqera registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ vars.SEQERA_PUBLIC_CR_URL }}
-          username: ${{ secrets.SEQERA_PUBLIC_CR_USER }}
-          password: ${{ secrets.SEQERA_PUBLIC_CR_PASSWORD }}
-
-      # deploy step
-      - name: Deploy to docker
-        run: bash .github/scripts/deploy-to-docker.sh
-        env:
-          SEQERA_REGISTRY: ${{ vars.SEQERA_PUBLIC_CR_URL }}
-
-  # --------------------------------------------------
-  # job: deploy-github
-  # --------------------------------------------------
-  deploy-github:
-    name: Deploy to Github
-    runs-on: ubuntu-latest
-    needs: tag
-    timeout-minutes: 15
-    steps:
-      # setup steps
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-          submodules: true
-
-      - name: Download artifacts (distribution)
-        uses: actions/download-artifact@v4
-        with:
-          name: distribution
-          path: build/releases
-
-        # deploy steps
-      - name: Create github release
-        run: bash .github/scripts/deploy-to-github.sh
-        env:
-          GH_TOKEN: ${{ secrets.DEPLOY_GITHUB_TOKEN }}
-
-  # --------------------------------------------------
-  # job: deploy-plugins
-  # --------------------------------------------------
-  deploy-plugins:
-    name: Deploy Plugins
-    runs-on: ubuntu-latest
-    needs: tag
-    timeout-minutes: 15
-    steps:
-      # setup steps
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-          submodules: true
-
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          java-version: ${{ env.JAVA_VERSION }}
-          distribution: 'temurin'
-          architecture: x64
-          cache: gradle
-
-      - name: Download artifacts (plugins)
-        uses: actions/download-artifact@v4
-        with:
-          name: plugins
-          path: plugins
-
-      # deploy steps
-      - name: Deploy plugins to maven
-        run: bash .github/scripts/deploy-plugins-to-maven.sh
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
-          MAVEN_PUBLISH_URL: ${{ vars.MAVEN_PLUGINS_PUBLISH_URL }}
-
-      - name: Deploy plugins to github
-        run: bash .github/scripts/deploy-plugins-to-github.sh
-        env:
-          GH_TOKEN: ${{ secrets.DEPLOY_GITHUB_TOKEN }}
-          GH_ORG: ${{ vars.PLUGINS_GITHUB_ORG }}
-
-      - name: Update plugins index
-        run: bash .github/scripts/update-plugins-index.sh
-        env:
-          GH_ORG: ${{ vars.PLUGINS_GITHUB_ORG }}
-          GH_USER: ${{ vars.DEPLOY_GITHUB_USER }}
-          GH_USER_EMAIL: ${{ vars.DEPLOY_GITHUB_EMAIL }}
-          GH_TOKEN: ${{ secrets.DEPLOY_GITHUB_TOKEN }}
-          PLUGINS_INDEX_JSON: ${{ vars.PLUGINS_INDEX_JSON }}
-
-
-  # --------------------------------------------------
-  # job: publish
-  # --------------------------------------------------
-  publish:
-    name: Publish release
-    runs-on: ubuntu-latest
-    needs:
-      - deploy-s3
-      - deploy-docker
-      - deploy-maven
-      - deploy-github
-    timeout-minutes: 15
-    steps:
-      # setup steps
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-          submodules: true
-
-      - name: Setup AWS
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: eu-west-1
-          aws-access-key-id: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
-
-      # deploy steps
-      - name: Publish release
-        run: bash .github/scripts/publish-release.sh
-        env:
-          S3_RELEASE_BUCKET: ${{ vars.S3_RELEASE_BUCKET }}

From 95593a9f83472cee523945c4cd405a90cc526d3a Mon Sep 17 00:00:00 2001
From: Tom Sellman <tom.sellman@seqera.io>
Date: Thu, 12 Dec 2024 11:12:59 +0000
Subject: [PATCH 9/9] Move release scripts to their own 'release' dir

(and do some testing of the github action/scripts)

Signed-off-by: Tom Sellman <tom.sellman@seqera.io>
---
 .github/scripts/deploy-to-docker.sh           | 28 ----------
 .github/scripts/release.sh                    | 28 ----------
 .github/scripts/update-plugins-index.sh       | 11 ----
 .github/workflows/build.yml                   |  6 ++-
 Makefile                                      |  3 +-
 build.gradle                                  | 11 ++--
 .../tasks/GithubRepositoryPublisher.groovy    |  4 +-
 make-release.sh                               | 16 ++++--
 plugins/build.gradle                          | 18 +++----
 .../deploy-plugins-to-github.sh               | 11 ++--
 .../deploy-plugins-to-maven.sh                |  8 ++-
 release/deploy-to-docker.sh                   | 43 +++++++++++++++
 .../scripts => release}/deploy-to-github.sh   |  8 ++-
 .../scripts => release}/deploy-to-maven.sh    |  8 ++-
 {.github/scripts => release}/deploy-to-s3.sh  | 11 +++-
 release/main.sh                               | 52 +++++++++++++++++++
 .../publish-launcher-script.sh                | 16 ++++--
 {.github/scripts => release}/tag-release.sh   | 10 +++-
 release/update-plugins-index.sh               | 15 ++++++
 19 files changed, 200 insertions(+), 107 deletions(-)
 delete mode 100755 .github/scripts/deploy-to-docker.sh
 delete mode 100644 .github/scripts/release.sh
 delete mode 100755 .github/scripts/update-plugins-index.sh
 rename {.github/scripts => release}/deploy-plugins-to-github.sh (84%)
 rename {.github/scripts => release}/deploy-plugins-to-maven.sh (73%)
 create mode 100755 release/deploy-to-docker.sh
 rename {.github/scripts => release}/deploy-to-github.sh (88%)
 rename {.github/scripts => release}/deploy-to-maven.sh (70%)
 rename {.github/scripts => release}/deploy-to-s3.sh (81%)
 create mode 100644 release/main.sh
 rename .github/scripts/publish-release.sh => release/publish-launcher-script.sh (68%)
 rename {.github/scripts => release}/tag-release.sh (58%)
 create mode 100755 release/update-plugins-index.sh

diff --git a/.github/scripts/deploy-to-docker.sh b/.github/scripts/deploy-to-docker.sh
deleted file mode 100755
index 5148abcce3..0000000000
--- a/.github/scripts/deploy-to-docker.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# change to the project root
-cd "$(dirname "$0")/../.."
-
-# read the nextflow version
-read -r NF_VERSION<VERSION
-
-# build the docker image
-cd docker
-make build version="$NF_VERSION"
-
-# push to docker hub
-IMAGE_TAG="nextflow/nextflow:$NF_VERSION"
-docker push "$IMAGE_TAG"
-
-# push to seqera registry
-if [ -z "$SEQERA_REGISTRY" ]; then
-  echo "Missing env var SEQERA_REGISTRY"
-  exit 1
-fi
-SEQERA_IMAGE_TAG="$SEQERA_REGISTRY/$IMAGE_TAG"
-
-docker tag "$IMAGE_TAG" "$SEQERA_IMAGE_TAG"
-docker push "$SEQERA_IMAGE_TAG"
-
-echo "Done"
diff --git a/.github/scripts/release.sh b/.github/scripts/release.sh
deleted file mode 100644
index 78310b866f..0000000000
--- a/.github/scripts/release.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# build artifacts
-make distribution
-
-# tag release
-./tag-release.sh
-
-# deploy to maven
-./deploy-to-maven.sh
-
-# deploy to S3
-./deploy-to-s3.sh
-
-# deploy to docker
-./deploy-to-docker.sh
-
-# deploy to github
-./deploy-to-github.sh
-
-# deploy plugins
-./deploy-plugins-to-maven.sh
-./deploy-plugins-to-github.sh
-./update-plugins-index.sh
-
-# finally, publish the distribution
-./publish-release.sh
diff --git a/.github/scripts/update-plugins-index.sh b/.github/scripts/update-plugins-index.sh
deleted file mode 100755
index 1cfe68d08c..0000000000
--- a/.github/scripts/update-plugins-index.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# change to the project root
-cd "$(dirname "$0")/../.."
-
-echo "Updating plugins index"
-
-./gradlew plugins:publishIndex
-
-echo "Done"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1a77e9e0f8..86436823f2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -252,6 +252,8 @@ jobs:
     if: ${{ contains(needs.build.outputs.commit_message,'[release]') }}
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+        contents: write
     timeout-minutes: 10
     steps:
       # setup steps
@@ -290,7 +292,7 @@ jobs:
 
       # release step
       - name: Release
-        run: bash .github/scripts/release.sh
+        run: bash release/main.sh
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEPLOY_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEPLOY_SECRET_ACCESS_KEY }}
@@ -301,7 +303,7 @@ jobs:
           MAVEN_PUBLISH_URL: ${{ vars.MAVEN_PLUGINS_PUBLISH_URL }}
           PLUGINS_INDEX_JSON: ${{ vars.PLUGINS_INDEX_JSON }}
           S3_RELEASE_BUCKET: ${{ vars.S3_RELEASE_BUCKET }}
-          SEQERA_REGISTRY: ${{ vars.SEQERA_PUBLIC_CR_URL }}
+          SEQERA_CONTAINER_REGISTRY: ${{ vars.SEQERA_PUBLIC_CR_URL }}
 
       # upload steps
       - name: Upload artifacts (libs)
diff --git a/Makefile b/Makefile
index c3be61fffb..040877a530 100644
--- a/Makefile
+++ b/Makefile
@@ -98,8 +98,9 @@ pack:
 	BUILD_PACK=1 ./gradlew pack
 
 #
-# Upload final package to GitHub
+# Initiate the nextflow release process
 #
+.PHONY: release
 release:
 	./make-release.sh
 
diff --git a/build.gradle b/build.gradle
index f841e8d798..bfd98929fe 100644
--- a/build.gradle
+++ b/build.gradle
@@ -279,8 +279,7 @@ ext.enableSignArchives = project.findProperty('signing.keyId')
 ext.coreProjects = projects( ':nextflow', ':nf-commons', ':nf-httpfs' )
 
 /*
- * Maven central deployment
- * http://central.sonatype.org/pages/gradle.html
+ * Maven deployment
  */
 configure(coreProjects) {
     apply plugin: 'maven-publish'
@@ -343,12 +342,12 @@ configure(coreProjects) {
 
         repositories {
             maven {
-                url = System.getenv('MAVEN_PUBLISH_URL')
-                    ?: ( version.endsWith('-SNAPSHOT') ? "s3://maven.seqera.io/snapshots" : "s3://maven.seqera.io/releases" )
+                url = findProperty('maven_publish_url') ?: System.getenv('MAVEN_PUBLISH_URL')
+                url = version.endsWith('-SNAPSHOT') ? "$url/snapshots" : "$url/releases"
 
                 credentials(AwsCredentials) {
-                    accessKey = System.getenv('AWS_ACCESS_KEY_ID') ?: findProperty('aws_access_key_id')
-                    secretKey = System.getenv('AWS_SECRET_ACCESS_KEY') ?: findProperty('aws_secret_access_key')
+                    accessKey = findProperty('aws_access_key_id') ?: System.getenv('AWS_ACCESS_KEY_ID')
+                    secretKey = findProperty('aws_secret_access_key') ?: System.getenv('AWS_SECRET_ACCESS_KEY')
                 }
             }
         }
diff --git a/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy b/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy
index a37a33f130..0d4ed66d22 100644
--- a/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy
+++ b/buildSrc/src/main/groovy/io/nextflow/gradle/tasks/GithubRepositoryPublisher.groovy
@@ -102,13 +102,13 @@ class GithubRepositoryPublisher extends DefaultTask {
         }
 
         if ( modified ) {
-            new GsonBuilder()
+            return new GsonBuilder()
                 .setPrettyPrinting()
                 .disableHtmlEscaping()
                 .create()
                 .toJson(mainIndex)
         } else {
-            null
+            return null
         }
     }
 
diff --git a/make-release.sh b/make-release.sh
index 7259ab79b7..769e44264d 100755
--- a/make-release.sh
+++ b/make-release.sh
@@ -1,6 +1,14 @@
 #!/usr/bin/env bash
 set -e
 
+# -----------------------------------------------------------------------------
+# Nextflow release entrypoint
+#
+# This script starts a Nextflow release, and is executed by the `make release`
+# command. It will help guide you through the manual steps required to perform
+# a release, and then trigger a release build on the CI system (Github Actions).
+# -----------------------------------------------------------------------------
+
 cd "$(dirname "$0")"
 
 # read the nextflow version
@@ -40,9 +48,11 @@ files (without committing), then run this script again:
   ├── VERSION
   ├── nextflow
   ├── changelog.txt
-  └── plugins/nf-*/
-      ├── src/main/resources/META-INF/MANIFEST.MF
-      └── changelog.txt
+  ├── plugins/nf-*/
+  │   ├── src/main/resources/META-INF/MANIFEST.MF
+  │   └── changelog.txt
+  └── modules/nextflow/
+      └── src/main/resources/META-INF/plugins-info.txt
 "
 
 echo -n "Type 'yes' to proceed: "
diff --git a/plugins/build.gradle b/plugins/build.gradle
index 2e06f8fbe2..b547fa78a3 100644
--- a/plugins/build.gradle
+++ b/plugins/build.gradle
@@ -135,12 +135,12 @@ subprojects {
         }
         repositories {
             maven {
-                url = System.getenv('MAVEN_PUBLISH_URL')
-                    ?: ( version.endsWith('-SNAPSHOT') ? "s3://maven.seqera.io/snapshots" : "s3://maven.seqera.io/releases" )
+                url = findProperty('maven_publish_url') ?: System.getenv('MAVEN_PUBLISH_URL')
+                url = version.endsWith('-SNAPSHOT') ? "$url/snapshots" : "$url/releases"
 
                 credentials(AwsCredentials) {
-                    accessKey = System.getenv('AWS_ACCESS_KEY_ID') ?: findProperty('aws_access_key_id')
-                    secretKey = System.getenv('AWS_SECRET_ACCESS_KEY') ?: findProperty('aws_secret_access_key')
+                    accessKey = findProperty('aws_access_key_id') ?: System.getenv('AWS_ACCESS_KEY_ID')
+                    secretKey = findProperty('aws_secret_access_key') ?: System.getenv('AWS_SECRET_ACCESS_KEY')
                 }
             }
         }
@@ -169,10 +169,10 @@ project.parent.tasks.getByName("assemble").dependsOn << assemble
  * Merge and publish the plugins index file
  */
 task publishIndex( type: GithubRepositoryPublisher ) {
-    indexUrl = System.getenv('PLUGINS_INDEX_JSON') ?: 'https://github.com/nextflow-io/plugins/main/plugins.json'
+    indexUrl = project.findProperty('plugins_index_url') ?: System.getenv('PLUGINS_INDEX_JSON')
     repos = allPlugins()
-    owner = System.getenv('GH_ORG') ?: 'nextflow-io'
-    githubUser = System.getenv('GH_USER') ?: project.findProperty('github_username')
-    githubEmail = System.getenv('GH_USER_EMAIL') ?: project.findProperty('github_commit_email')
-    githubToken = System.getenv('GH_TOKEN') ?: project.findProperty('github_access_token')
+    owner = project.findProperty('github_organization') ?: System.getenv('GH_ORG')
+    githubUser = project.findProperty('github_username') ?: System.getenv('GH_USER')
+    githubEmail = project.findProperty('github_commit_email') ?: System.getenv('GH_USER_EMAIL')
+    githubToken =  project.findProperty('github_access_token') ?: System.getenv('GH_TOKEN')
 }
diff --git a/.github/scripts/deploy-plugins-to-github.sh b/release/deploy-plugins-to-github.sh
similarity index 84%
rename from .github/scripts/deploy-plugins-to-github.sh
rename to release/deploy-plugins-to-github.sh
index 93f11508b9..4fa333469f 100755
--- a/.github/scripts/deploy-plugins-to-github.sh
+++ b/release/deploy-plugins-to-github.sh
@@ -2,7 +2,7 @@
 set -e
 
 # change to the project root
-cd "$(dirname "$0")/../.."
+cd "$(dirname "$0")/.."
 
 GH_ORG=${GH_ORG:-'nextflow-io'}
 
@@ -14,7 +14,11 @@ function get_plugin_version() {
 }
 
 # deploy plugin artifacts to github releases
-echo "Publishing plugins to github"
+echo "
+----------------------------------
+-- Publishing plugins to github --
+----------------------------------
+"
 
 for plugin in plugins/nf-*; do
   if [[ -d "$plugin" ]]; then
@@ -24,11 +28,12 @@ for plugin in plugins/nf-*; do
     plugin_version=$(get_plugin_version "$plugin")
 
     # check if release already exists
+    release_exists=false
     gh release view --repo "$plugin_repo" "$plugin_version" > /dev/null 2>&1 \
       && release_exists=true
 
     # if not exists, create github release, with zip & meta json files
-    if [[ $release_exists ]]; then
+    if [[ $release_exists == true ]]; then
       echo "Plugin $plugin_name $plugin_version already deployed to github, skipping"
     else
       gh release create \
diff --git a/.github/scripts/deploy-plugins-to-maven.sh b/release/deploy-plugins-to-maven.sh
similarity index 73%
rename from .github/scripts/deploy-plugins-to-maven.sh
rename to release/deploy-plugins-to-maven.sh
index 114129caba..238093625a 100755
--- a/.github/scripts/deploy-plugins-to-maven.sh
+++ b/release/deploy-plugins-to-maven.sh
@@ -2,9 +2,13 @@
 set -e
 
 # change to the project root
-cd "$(dirname "$0")/../.."
+cd "$(dirname "$0")/.."
 
-echo "Publishing plugins to maven"
+echo "
+---------------------------------
+-- Publishing plugins to maven --
+---------------------------------
+"
 
 # the release process should have already built the jars, so to avoid re-compiling everything
 # we can tell gradle to skip all non publish/publication related tasks
diff --git a/release/deploy-to-docker.sh b/release/deploy-to-docker.sh
new file mode 100755
index 0000000000..4779582f73
--- /dev/null
+++ b/release/deploy-to-docker.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+# read the nextflow version
+read -r NF_VERSION<VERSION
+
+# build the docker image
+echo "
+---------------------------------------
+-- Building nextflow container image --
+---------------------------------------
+"
+cd docker
+make build version="$NF_VERSION"
+
+# push to docker hub
+echo "
+-------------------------------------
+-- Pushing container to docker hub --
+-------------------------------------
+"
+IMAGE_TAG="nextflow/nextflow:$NF_VERSION"
+docker push "$IMAGE_TAG"
+
+# push to seqera registry
+echo "
+------------------------------------------
+-- Pushing container to seqera registry --
+------------------------------------------
+"
+if [ -z "$SEQERA_CONTAINER_REGISTRY" ]; then
+  echo "Missing env var SEQERA_CONTAINER_REGISTRY"
+  exit 1
+fi
+SEQERA_IMAGE_TAG="$SEQERA_CONTAINER_REGISTRY/$IMAGE_TAG"
+
+docker tag "$IMAGE_TAG" "$SEQERA_IMAGE_TAG"
+docker push "$SEQERA_IMAGE_TAG"
+
+echo "Done"
diff --git a/.github/scripts/deploy-to-github.sh b/release/deploy-to-github.sh
similarity index 88%
rename from .github/scripts/deploy-to-github.sh
rename to release/deploy-to-github.sh
index 7db90712bb..f647be5b03 100755
--- a/.github/scripts/deploy-to-github.sh
+++ b/release/deploy-to-github.sh
@@ -2,7 +2,7 @@
 set -e
 
 # change to the project root
-cd "$(dirname "$0")/../.."
+cd "$(dirname "$0")/.."
 
 # read the nextflow version
 read -r NF_VERSION<VERSION
@@ -31,7 +31,11 @@ function get_change_notes() {
   done < changelog.txt
 }
 
-echo "Publishing nextflow release to github"
+echo "
+-------------------------------------------
+-- Publishing nextflow release to github --
+-------------------------------------------
+"
 
 # create a github (pre)release and attach launcher and dist files
 # use --verify-tag to fail if tag doesn't exist
diff --git a/.github/scripts/deploy-to-maven.sh b/release/deploy-to-maven.sh
similarity index 70%
rename from .github/scripts/deploy-to-maven.sh
rename to release/deploy-to-maven.sh
index 92415ec6ba..78c2562784 100755
--- a/.github/scripts/deploy-to-maven.sh
+++ b/release/deploy-to-maven.sh
@@ -2,9 +2,13 @@
 set -e
 
 # change to the project root
-cd "$(dirname "$0")/../.."
+cd "$(dirname "$0")/.."
 
-echo "Publishing nextflow jars to maven"
+echo "
+---------------------------------------
+-- Publishing nextflow jars to maven --
+---------------------------------------
+"
 
 # the release process should have already built the jars, so to avoid re-compiling everything
 # we can tell gradle to skip all non publish/publication related tasks
diff --git a/.github/scripts/deploy-to-s3.sh b/release/deploy-to-s3.sh
similarity index 81%
rename from .github/scripts/deploy-to-s3.sh
rename to release/deploy-to-s3.sh
index 98803682e2..d56e4dd2cc 100755
--- a/.github/scripts/deploy-to-s3.sh
+++ b/release/deploy-to-s3.sh
@@ -2,19 +2,26 @@
 set -e
 
 # change to the project root
-cd "$(dirname "$0")/../.."
+cd "$(dirname "$0")/.."
 
 # read the nextflow version
 read -r NF_VERSION<VERSION
 
+echo "
+-------------------------------------------
+-- Uploading nextflow distribution to S3 --
+-------------------------------------------
+"
+
 S3_RELEASE_BUCKET=${S3_RELEASE_BUCKET:-'www2.nextflow.io'}
 S3_RELEASE_DIR="releases/v$NF_VERSION"
 
 # check if the release already exists
+release_exists=false
 aws s3api head-object --bucket "$S3_RELEASE_BUCKET" --key "$S3_RELEASE_DIR/nextflow" > /dev/null 2>&1 \
   && release_exists=true
 
-if [[ $release_exists ]]; then
+if [[ $release_exists == true ]]; then
   echo "Version $NF_VERSION already deployed to S3, skipping"
   exit
 fi
diff --git a/release/main.sh b/release/main.sh
new file mode 100644
index 0000000000..2ecee62fe1
--- /dev/null
+++ b/release/main.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -e
+
+# -----------------------------------------------------------------------------
+# Nextflow release script
+#
+# This is the orchestration script for Nextflow releases.
+#
+# It is intended to be run by 'headless' CI environments (eg Github Actions)
+# to execute a release.You probably don't want to run this script directly.
+#
+# Instead, use the `make release` command to be guided through the process.
+# -----------------------------------------------------------------------------
+
+# set defaults for unspecified env vars
+export GH_ORG=${GH_ORG:-'nextflow-io'}
+export GH_USER=${GH_USER:-'pditommaso'} # TODO - use a service user for releases
+export GH_USER_EMAIL=${GH_USER_EMAIL:-'paolo.ditommaso@gmail.com'}
+
+export MAVEN_PUBLISH_URL=${MAVEN_PUBLISH_URL:-'s3://maven.seqera.io'}
+export PLUGINS_INDEX_JSON=${PLUGINS_INDEX_JSON:-'https://github.com/nextflow-io/plugins/main/plugins.json'}
+export S3_RELEASE_BUCKET=${S3_RELEASE_BUCKET:-'www2.nextflow.io'}
+export SEQERA_CONTAINER_REGISTRY=${SEQERA_CONTAINER_REGISTRY:-'public.cr.seqera.io'}
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+# build artifacts
+make distribution
+
+# tag release
+./release/tag-release.sh
+
+# deploy to maven
+./release/deploy-to-maven.sh
+
+# deploy to S3
+./release/deploy-to-s3.sh
+
+# deploy to docker
+./release/deploy-to-docker.sh
+
+# deploy to github
+./release/deploy-to-github.sh
+
+# deploy plugins
+./release/deploy-plugins-to-maven.sh
+./release/deploy-plugins-to-github.sh
+./release/update-plugins-index.sh
+
+# finally, publish the new launcher
+./release/publish-launcher-script.sh
diff --git a/.github/scripts/publish-release.sh b/release/publish-launcher-script.sh
similarity index 68%
rename from .github/scripts/publish-release.sh
rename to release/publish-launcher-script.sh
index ffbd319be6..7ee69ec937 100755
--- a/.github/scripts/publish-release.sh
+++ b/release/publish-launcher-script.sh
@@ -2,12 +2,18 @@
 set -e
 
 # change to the project root
-cd "$(dirname "$0")/../.."
+cd "$(dirname "$0")/.."
 
 # read the nextflow version
 read -r NF_VERSION<VERSION
 
-# determine publish location
+echo "
+-----------------------------------------------
+-- Publishing nextflow launcher script to S3 --
+-----------------------------------------------
+"
+
+# determine publish location based on release type
 S3_RELEASE_BUCKET=${S3_RELEASE_BUCKET:-'www2.nextflow.io'}
 if [[ "$NF_VERSION" =~ .+(-edge|-EDGE) ]]; then
   S3_RELEASE_DIR="releases/edge"
@@ -15,8 +21,7 @@ else
   S3_RELEASE_DIR="releases/latest"
 fi
 
-
-#publish nextflow script as latest
+# collect the files we need to publish
 files+=(
   'nextflow'
   'nextflow.sha1'
@@ -25,6 +30,7 @@ files+=(
   'VERSION'
 )
 
+# publish them to S3
 for file in "${files[@]}"; do
   filename=$(echo "$file" | tr '[:upper:]' '[:lower:]')
   aws s3 cp "$file" "s3://$S3_RELEASE_BUCKET/$S3_RELEASE_DIR/$filename" \
@@ -33,3 +39,5 @@ for file in "${files[@]}"; do
     --region eu-west-1 \
    --acl public-read
 done
+
+echo "Done"
diff --git a/.github/scripts/tag-release.sh b/release/tag-release.sh
similarity index 58%
rename from .github/scripts/tag-release.sh
rename to release/tag-release.sh
index 39a0da3d88..1400e503bc 100755
--- a/.github/scripts/tag-release.sh
+++ b/release/tag-release.sh
@@ -2,12 +2,18 @@
 set -e
 
 # change to the project root
-cd "$(dirname "$0")/../.."
+cd "$(dirname "$0")/.."
 
 # read the nextflow version
 read -r NF_VERSION<VERSION
 
-# create & push an annotated git tag
+echo "
+----------------------
+-- Creating git tag --
+----------------------
+"
+
+# create & push a git tag
 git tag "v$NF_VERSION"
 git push origin "v$NF_VERSION"
 
diff --git a/release/update-plugins-index.sh b/release/update-plugins-index.sh
new file mode 100755
index 0000000000..5d8de4eccf
--- /dev/null
+++ b/release/update-plugins-index.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -e
+
+# change to the project root
+cd "$(dirname "$0")/.."
+
+echo "
+----------------------------
+-- Updating plugins index --
+----------------------------
+"
+
+./gradlew plugins:publishIndex
+
+echo "Done"