Update signing keys (#133)
* Use GitHub Actions * Update codesigning keys
parent
2bfb02b446
commit
d3eec22e46
12 changed files with 180 additions and 50 deletions
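--- /dev/null
+++ b/.github/README.org
@@ -0,0 +1,41 @@
+* Deploying using Github Actions
+
+** Actions definition: workflow/sonatype-deploy.yml
+
+When a GitHub Release is created, usually from a tag, this action will trigger.
+
+Using JDK8 the software will be packaged, including running any tests.
+
+Then the Deploy script will sign the created artifacts then deploy them according to the distributionManagement configuration in the `pom.xml`.
+
+** Deploy Script
+
+Uses a signing key provided from the GitHub Actions Secrets as an environment variable to sign the artifact(s) before they are then deployed.
+
+*** Inputs
+
+**** DEPLOY_PROJECTS (optional)
+
+An optional list of modules in a multi-module project to be deployed. If this value is not specified, then all projects will be deployed.
+
+** Maven Configuration
+
+Picks up the credentials from Environment variables for authenticating both with GPG and with the target deployment server (e.g. sonatype-nexus).
+
+*** Inputs
+
+**** NEXUS_USERNAME
+
+The username for your account on the deployment server.
+
+**** NEXUS_PASSWORD
+
+The password for your account on the deployement server.
+
+**** GPG_KEYNAME
+
+The key to use when signing.
+
+**** GPG_PASSPHRASE
+
+The passphrase to unlock the key to use when signing.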
BIN
.github/codesigning.asc.gpg
vendored
Normal file
BIN
.github/codesigning.asc.gpg
vendored
Normal file
Binary file not shown.
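--- /dev/null
+++ b/.github/deploy.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Decrypts the signing key in .github/codesigning.asc.enc
+# Imports that key
+# Uses .github/settings.xml and the release profile to deploy
+
+echo "deploy.sh: Starting..."
+
+(
+cd .github
+
+echo "Retrieving GPG Private KEY"
+gpg --quiet \
+--batch \
+--yes \
+--decrypt \
+--passphrase="${GPG_PASSPHRASE}" \
+--output codesigning.asc \
+codesigning.asc.gpg
+
+echo "Loading signing key"
+gpg --batch \
+--fast-import codesigning.asc
+)
+
+if test -z ${DEPLOY_PROJECTS}
+then
+PROJECTS=""
+echo "Deploying Projects: all"
+else
+PROJECTS="-pl ${DEPLOY_PROJECTS}"
+echo "Deploying Projects: $DEPLOY_PROJECTS"
+fi
+
+echo "Releasing..."
+mvn ${PROJECTS} \
+--settings .github/settings.xml \
+-Dskip-Tests=true \
+-P release \
+-B \
+deploy
+
+echo "deploy.sh: Done."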
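Review bot: The decrypt call passes the secret as `--passphrase="${GPG_PASSPHRASE}"`, which exposes it in the process argument list, and nothing removes the decrypted `codesigning.asc` after the import, so the plaintext private key stays in the checkout for the rest of the job. There is also no `set -e`, so a failed decrypt or import still falls through to `mvn ... deploy`. The sketch below feeds the passphrase on stdin (`--pinentry-mode loopback` is needed with GnuPG 2.1+ in batch mode; confirm the runner's gpg version), stops on the first error, deletes the plaintext key once it is imported, and quotes `DEPLOY_PROJECTS` in the `test`. Two smaller things: the header comment says `codesigning.asc.enc` but the file is `codesigning.asc.gpg`, and `-Dskip-Tests=true` looks like a typo for `-DskipTests=true`, so tests probably run again during deploy.

```shell
# Stop on the first failing command or unset variable.
set -eu

(
cd .github

echo "Retrieving GPG Private KEY"
# printf is a shell builtin, so the passphrase never appears in an argv.
printf '%s' "${GPG_PASSPHRASE}" | gpg --quiet \
  --batch \
  --yes \
  --pinentry-mode loopback \
  --passphrase-fd 0 \
  --decrypt \
  --output codesigning.asc \
  codesigning.asc.gpg

# … unchanged: gpg --batch --fast-import codesigning.asc …

# The key now lives in the keyring; drop the plaintext copy.
rm -f codesigning.asc
)

if test -z "${DEPLOY_PROJECTS:-}"
# … unchanged: PROJECTS selection and mvn deploy …
```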
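--- /dev/null
+++ b/.github/settings.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
+<servers>
+<server>
+<id>sonatype-nexus-snapshots</id>
+<username>${env.NEXUS_USERNAME}</username>
+<password>${env.NEXUS_PASSWORD}</password>
+</server>
+<server>
+<id>sonatype-nexus-staging</id>
+<username>${env.NEXUS_USERNAME}</username>
+<password>${env.NEXUS_PASSWORD}</password>
+</server>
+</servers>
+<profiles>
+<profile>
+<id>gpg-sign</id>
+<activation>
+<activeByDefault>true</activeByDefault>
+</activation>
+<properties>
+<gpg.executable>gpg</gpg.executable>
+<gpg.keyname>${env.GPG_KEYNAME}</gpg.keyname>
+<gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
+</properties>
+</profile>
+</profiles>
+</settings>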
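Review bot: `<gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>` reads the same variable that `deploy.sh` hands to `gpg --decrypt` for the committed `codesigning.asc.gpg`, so a single secret appears to protect both the encrypted file in the repository and the private key inside it. Because the encrypted file is stored in git, a separate secret for the file encryption (for example a constructed name such as `CODESIGNING_FILE_PASSPHRASE`) would keep exposure of one value from unlocking both layers. The `gpg-sign` profile is `activeByDefault`, so a short comment at the top saying this settings file is meant for the CI deploy only would help anyone who passes it to a local build.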
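--- /dev/null
+++ b/.github/workflows/maven-build.yml
@@ -0,0 +1,22 @@
+# This workflow will build a Java project with Maven
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
+
+name: Java CI with Maven
+
+on:
+push:
+branches: '*'
+pull_request:
+branches: '*'
+
+jobs:
+build:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Set up JDK 1.8
+uses: actions/setup-java@v1
+with:
+java-version: 1.8
+- name: Build with Maven
+run: mvn -B package --file pom.xml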
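Review bot: `actions/checkout@v2` and `actions/setup-java@v1` are referenced by mutable tags, so the code executed in the job can change without any change to this repository. Pin each to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v2`; the same two references appear in `sonatype-deploy.yml`, where it matters more because that job receives the Nexus and GPG secrets. Also, `branches: '*'` does not match branch names that contain `/`, so pushes to branches such as `release/...` would not be built; `'**'` covers them if that is the intent.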
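--- /dev/null
+++ b/.github/workflows/sonatype-deploy.yml
@@ -0,0 +1,24 @@
+name: Deploy to Sonatype Nexus
+
+on:
+release:
+types: [created]
+
+jobs:
+deploy:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Set up JDK 1.8
+uses: actions/setup-java@v1
+with:
+java-version: 1.8
+- name: Build with Maven
+run: mvn -B package
+- name: Nexus Repo Publish
+run: sh .github/deploy.sh
+env:
+NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
+NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
+GPG_KEYNAME: ${{ secrets.GPG_KEYNAME }}
+GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}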
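Review bot: The `Nexus Repo Publish` step runs `sh .github/deploy.sh`, which bypasses the script's `#!/usr/bin/env bash` line and executes it under the runner's `sh`; `run: bash .github/deploy.sh` keeps the interpreter the script declares. The job also has no `permissions:` block, so `GITHUB_TOKEN` keeps the repository default while Maven and its plugins run; a job-level `permissions:` with `contents: read` looks sufficient for the steps visible here. Keeping the four secrets in the publish step's `env:` rather than at job level is the right scope and worth preserving.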
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1,3 +1,4 @@
|
|||
.idea/
|
||||
*.iml
|
||||
target/
|
||||
codesigning.asc
|
||||
|
|
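--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule ".travis-support"]
+path = .travis-support
+url = https://github.com/kemitix/kemitix-travis-support.git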
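--- /dev/null
+++ b/.travis-support
@@ -0,0 +1 @@
+Subproject commit de2613446f361e33b2651c3916660838d536ed0e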
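--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,16 @@
+sudo: false
+language: java
+services:
+docker
+jdk:
+- openjdk8
+cache:
+directories:
+- "$HOME/.m2"
+install: true
+script: "mvn clean install"
+deploy:
+provider: script
+script: sh .travis-support/deploy.sh
+on:
+branch: master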
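Review bot: The `deploy:` block publishes from `master` through `sh .travis-support/deploy.sh`, while the same commit adds `sonatype-deploy.yml`, which publishes on a GitHub release, so the repository now has two release paths. If Travis is no longer meant to deploy, dropping the `deploy:` block and the `.travis-support` submodule would mean the signing key and Nexus credentials only need to exist in one CI system; if both are intended, a comment stating which one is authoritative would help. The script comes from a submodule pinned by commit in this change, so any later bump of that pointer deserves the same review as other code that handles the signing key.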
|
@ -1,49 +0,0 @@
|
|||
final String publicRepo = 'https://github.com/kemitix/'
|
||||
final String mvn = "mvn --batch-mode --update-snapshots --errors"
|
||||
|
||||
pipeline {
|
||||
agent any
|
||||
stages {
|
||||
stage('Install') {
|
||||
steps {
|
||||
withMaven(maven: 'maven', jdk: 'JDK 1.8') {
|
||||
sh "${mvn} -DskipTests install"
|
||||
}
|
||||
}
|
||||
}
|
||||
stage('Deploy (published release branch)') {
|
||||
when {
|
||||
expression {
|
||||
(isReleaseBranch() &&
|
||||
isPublished(publicRepo) &&
|
||||
notSnapshot())
|
||||
}
|
||||
}
|
||||
steps {
|
||||
withMaven(maven: 'maven', jdk: 'JDK 1.8') {
|
||||
sh "${mvn} --activate-profiles release deploy"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isReleaseBranch() {
|
||||
return branchStartsWith('release/')
|
||||
}
|
||||
|
||||
private boolean branchStartsWith(final String branchName) {
|
||||
startsWith(env.GIT_BRANCH, branchName)
|
||||
}
|
||||
|
||||
private boolean isPublished(final String repo) {
|
||||
startsWith(env.GIT_URL, repo)
|
||||
}
|
||||
|
||||
private static boolean startsWith(final String value, final String match) {
|
||||
value != null && value.startsWith(match)
|
||||
}
|
||||
|
||||
private boolean notSnapshot() {
|
||||
return !(readMavenPom(file: 'pom.xml').version).contains("SNAPSHOT")
|
||||
}
|
2
pom.xml
2
pom.xml
|
@ -36,7 +36,7 @@
|
|||
<properties>
|
||||
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
|
||||
<java.version>1.8</java.version>
|
||||
<maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
|
||||
<maven-javadoc-plugin.version>3.2.0</maven-javadoc-plugin.version>
|
||||
<maven-source-plugin.version>3.2.1</maven-source-plugin.version>
|
||||
<maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
|
||||
<maven-deploy-plugin.version>3.0.0-M1</maven-deploy-plugin.version>
|
||||
|
|