GHA Snapshot publishing #912
base: master
Conversation
The Gradle secrets
@Raibaz Could you please resume reviewing this soon? 👋
PR LGTM, but I can't set the secrets :(
Do you need my help?
    }

    if (!isSnapshotVersion.get()) {
        maven("https://oss.sonatype.org/service/local/staging/deploy/maven2/") {
Please check this guide https://central.sonatype.org/publish/publish-gradle/.
I have doubts that this is the right URL.
I will try to deal with required secrets and set them in GH settings:
- secrets.GRADLE_SIGNING_KEY_ID
- secrets.GRADLE_SIGNING_PASSWORD
- secrets.GRADLE_SIGNING_SECRET_KEY_RING_FILE
- secrets.OSS_SONATYPE_USERNAME
- secrets.OSS_SONATYPE_PASSWORD
Thanks @oleksiyp!
Would you consider granting @Raibaz co-ownership? Then he could also manage the secrets.
I have doubts that this is the right URL.
MockK was published before 2021 so still uses the 'legacy host', but the docs mostly use the new URLs.
Note: As of February 2021, all new projects began being provisioned on https://s01.oss.sonatype.org/. If your project is not provisioned on https://s01.oss.sonatype.org/, you will want to reference the legacy host https://oss.sonatype.org/.
The current MockK config uses the same URL and it works okay.
mockk/buildSrc/src/main/kotlin/buildsrc/convention/mockk-publishing.gradle.kts
Lines 15 to 21 in 1419517
    val sonatypeRepositoryReleaseUrl: Provider<String> = provider {
        if (version.toString().endsWith("SNAPSHOT")) {
            "https://oss.sonatype.org/content/repositories/snapshots/"
        } else {
            "https://oss.sonatype.org/service/local/staging/deploy/maven2/"
        }
    }
Not sure you will need other secrets... and not sure you need them for something else... security is always a compromise of comfort. So no 😄 but remember that I am still alive and happy to help 😄
After all, if @Raibaz feels that more access is required, I am happy to understand the reasoning and cooperate.
There is a bigger issue where to spend $4k on https://opencollective.com/mockk. Previously I thought it was too small an amount to spend paying contributors... but now it is not that obvious
I'm perfectly fine with the access I have now, I don't think I need more :)
After all, this should be a one-shot operation and we should be ok with secrets now, I don't think I'll need access to change them anytime soon.
Please note there is no way to delimit release access and snapshot access... so these are my creds. I ask you to be careful with build script PR reviews so that nobody does "echo $KEY" stuff. I believe it should be protected somehow, but I never tried to use such a hack in GH Actions. In Jenkins such a hack is easy peasy, to be honest. Also, @aSemy, note that a local run supposes you have a file with the keyring, while I cannot import binary files into the GH Actions secret field.
https://stackoverflow.com/questions/61096521/how-to-use-gpg-key-in-github-actions Especially for that purpose the secret name is a "signing key", and not a "signing key ring file". Also, note I am going to Paris tomorrow and will not have access to the laptop where the original key is stored. GH does not allow reading values back either, so I hope what I set is enough. Feel free to ask any questions.
Thanks @oleksiyp, I will take a look! I think there's a way of 'mounting' a GitHub Secret as a file... There are a number of protections for GitHub Secrets, but there's a couple more that could be done.
These require configuration at the project and/or org level, so it's up to you to implement them @oleksiyp :)
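An added example, not MockK's own build script: a Gradle Kotlin DSL publishing convention that combines the snapshot/release URL choice quoted above with in-memory PGP signing, so CI takes the ASCII-armored key from environment variables populated from GitHub Secrets and never needs a binary keyring file. The environment variable names are assumptions that mirror the secrets listed in this thread; GRADLE_SIGNING_KEY (the armored key itself) is an extra assumption.

```kotlin
// Added example (not MockK's code). Assumes the workflow maps each GitHub Secret to an
// environment variable of the same name; GRADLE_SIGNING_KEY is assumed to hold the
// ASCII-armored private key, which is what the plugin needs instead of a keyring file.
plugins {
    `maven-publish`
    signing
}

// Null on a developer machine, set on CI.
val signingKeyId: String? = System.getenv("GRADLE_SIGNING_KEY_ID")
val signingKey: String? = System.getenv("GRADLE_SIGNING_KEY")
val signingPassword: String? = System.getenv("GRADLE_SIGNING_PASSWORD")
val isSnapshotVersion: Boolean = version.toString().endsWith("SNAPSHOT")

publishing {
    repositories {
        maven {
            name = "sonatype"
            // Same legacy-host URLs as the thread: snapshots and staged releases are
            // different repositories, chosen by the version suffix.
            url = uri(
                if (isSnapshotVersion) "https://oss.sonatype.org/content/repositories/snapshots/"
                else "https://oss.sonatype.org/service/local/staging/deploy/maven2/"
            )
            credentials {
                username = System.getenv("OSS_SONATYPE_USERNAME")
                password = System.getenv("OSS_SONATYPE_PASSWORD")
            }
        }
    }
}

signing {
    if (signingKey != null && signingPassword != null) {
        // CI path: key material stays in memory for the duration of the build;
        // nothing is written to disk, so there is no keyring file to leak.
        useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
    }
    // Without the env vars the plugin falls back to signing.keyId / signing.password /
    // signing.secretKeyRingFile from ~/.gradle/gradle.properties, i.e. the local keyring.
    // Snapshots may go unsigned; a release must fail if no key is available.
    setRequired(!isSnapshotVersion)
    sign(publishing.publications)
}
```

GitHub Actions masks registered secret values in job logs, which limits what an accidental print leaks, but it does not replace reviewing workflow and build-script changes as the thread asks for.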
@aSemy do you happen to have any updates on this? |
@Raibaz Thanks for the reminder, I'll pick this up again, hopefully by the end of the week. Since I last looked at this I set up automatic publishing for one of my libraries, so I've got a better idea of how things work now. |
7b8db93 to 4853205
@Raibaz as far as I can tell, this PR should be ready to go. Because I don't have access to the secrets or Sonatype Nexus I can't tell if it will work though, and I also won't be able to debug it. I think it's best if you or @oleksiyp pick it up, since you'll be able to more easily see what's going on. It might take some more tweaking. If there's any problems, then let me know and I can try and help out.
Co-authored-by: Róbert Papp <[email protected]>
Publish a snapshot version to Sonatype on every successful build on master branch.
Fixes #910
This requires setting GitHub secrets - see .github/workflows/publish.yml
I'm marking this as a draft as I'm not sure if the GHA is defined correctly, particularly the Gradle variables - the periods might need to be removed from signing.keyId etc.
I've renamed the variables:
signing.keyId -> signingKeyId
signing.password -> signingPassword
signing.secretKeyRingFile -> signingSecretKeyRingFile