Update signing keys (#133)

* Use GitHub Actions * Update codesigning keys
2020-03-16 15:19:41 +00:00 · 2020-03-16 15:19:41 +00:00 · d3eec22e46
commit d3eec22e46
parent 2bfb02b446
12 changed files with 180 additions and 50 deletions
--- a/.github/README.org
+++ b/.github/README.org
@ -0,0 +1,41 @@
+* Deploying using Github Actions
+
+** Actions definition: workflow/sonatype-deploy.yml
+
+When a GitHub Release is created, usually from a tag, this action will trigger.
+
+Using JDK8 the software will be packaged, including running any tests.
+
+Then the Deploy script will sign the created artifacts then deploy them according to the distributionManagement configuration in the `pom.xml`.
+
+** Deploy Script
+
+Uses a signing key provided from the GitHub Actions Secrets as an environment variable to sign the artifact(s) before they are then deployed.
+
+*** Inputs
+
+**** DEPLOY_PROJECTS (optional)
+
+An optional list of modules in a multi-module project to be deployed. If this value is not specified, then all projects will be deployed.
+
+** Maven Configuration
+
+Picks up the credentials from Environment variables for authenticating both with GPG and with the target deployment server (e.g. sonatype-nexus).
+
+*** Inputs
+
+**** NEXUS_USERNAME
+
+The username for your account on the deployment server.
+
+**** NEXUS_PASSWORD
+
+The password for your account on the deployement server.
+
+**** GPG_KEYNAME
+
+The key to use when signing.
+
+**** GPG_PASSPHRASE
+
+The passphrase to unlock the key to use when signing.
--- a/.github/codesigning.asc.gpg
+++ b/.github/codesigning.asc.gpg
--- a/.github/deploy.sh
+++ b/.github/deploy.sh
@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Decrypts the signing key in .github/codesigning.asc.enc
+# Imports that key
+# Uses .github/settings.xml and the release profile to deploy
+
+echo "deploy.sh: Starting..."
+
+(
+    cd .github
+
+    echo "Retrieving GPG Private KEY"
+    gpg --quiet \
+        --batch \
+        --yes \
+        --decrypt \
+        --passphrase="${GPG_PASSPHRASE}" \
+        --output codesigning.asc \
+        codesigning.asc.gpg
+
+    echo "Loading signing key"
+    gpg --batch \
+        --fast-import codesigning.asc
+)
+
+if test -z ${DEPLOY_PROJECTS}
+then
+    PROJECTS=""
+    echo "Deploying Projects: all"
+else
+    PROJECTS="-pl ${DEPLOY_PROJECTS}"
+    echo "Deploying Projects: $DEPLOY_PROJECTS"
+fi
+
+echo "Releasing..."
+mvn ${PROJECTS} \
+    --settings .github/settings.xml \
+    -Dskip-Tests=true \
+    -P release \
+    -B \
+    deploy
+
+echo "deploy.sh: Done."
--- a/.github/settings.xml
+++ b/.github/settings.xml
@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
+    <servers>
+        <server>
+            <id>sonatype-nexus-snapshots</id>
+            <username>${env.NEXUS_USERNAME}</username>
+            <password>${env.NEXUS_PASSWORD}</password>
+        </server>
+        <server>
+            <id>sonatype-nexus-staging</id>
+            <username>${env.NEXUS_USERNAME}</username>
+            <password>${env.NEXUS_PASSWORD}</password>
+        </server>
+    </servers>
+    <profiles>
+        <profile>
+            <id>gpg-sign</id>
+            <activation>
+                <activeByDefault>true</activeByDefault>
+            </activation>
+            <properties>
+                <gpg.executable>gpg</gpg.executable>
+                <gpg.keyname>${env.GPG_KEYNAME}</gpg.keyname>
+                <gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
+            </properties>
+        </profile>
+    </profiles>
+</settings>
--- a/.github/workflows/maven-build.yml
+++ b/.github/workflows/maven-build.yml
@ -0,0 +1,22 @@
+# This workflow will build a Java project with Maven
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
+
+name: Java CI with Maven
+
+on:
+  push:
+    branches: '*'
+  pull_request:
+    branches: '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up JDK 1.8
+      uses: actions/setup-java@v1
+      with:
+        java-version: 1.8
+    - name: Build with Maven
+      run: mvn -B package --file pom.xml
--- a/.github/workflows/sonatype-deploy.yml
+++ b/.github/workflows/sonatype-deploy.yml
@ -0,0 +1,24 @@
+name: Deploy to Sonatype Nexus
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up JDK 1.8
+      uses: actions/setup-java@v1
+      with:
+        java-version: 1.8
+    - name: Build with Maven
+      run: mvn -B package
+    - name: Nexus Repo Publish
+      run: sh .github/deploy.sh
+      env:
+        NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
+        NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
+        GPG_KEYNAME: ${{ secrets.GPG_KEYNAME }}
+        GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 .idea/
 *.iml
 target/
+codesigning.asc
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,3 @@
+[submodule ".travis-support"]
+	path = .travis-support
+	url = https://github.com/kemitix/kemitix-travis-support.git
--- a/.travis-support
+++ b/.travis-support
@ -0,0 +1 @@
+Subproject commit de2613446f361e33b2651c3916660838d536ed0e
--- a/.travis.yml
+++ b/.travis.yml
@ -0,0 +1,16 @@
+sudo: false
+language: java
+services:
+  docker
+jdk:
+  - openjdk8
+cache:
+  directories:
+    - "$HOME/.m2"
+install: true
+script: "mvn clean install"
+deploy:
+  provider: script
+  script: sh .travis-support/deploy.sh
+  on:
+    branch: master
--- a/Jenkinsfile.groovy
+++ b/Jenkinsfile.groovy
@ -1,49 +0,0 @@
-final String publicRepo = 'https://github.com/kemitix/'
-final String mvn = "mvn --batch-mode --update-snapshots --errors"
-
-pipeline {
-    agent any
-    stages {
-        stage('Install') {
-            steps {
-                withMaven(maven: 'maven', jdk: 'JDK 1.8') {
-                    sh "${mvn} -DskipTests install"
-                }
-            }
-        }
-        stage('Deploy (published release branch)') {
-            when {
-                expression {
-                    (isReleaseBranch() &&
-                            isPublished(publicRepo) &&
-                            notSnapshot())
-                }
-            }
-            steps {
-                withMaven(maven: 'maven', jdk: 'JDK 1.8') {
-                    sh "${mvn} --activate-profiles release deploy"
-                }
-            }
-        }
-    }
-}
-
-private boolean isReleaseBranch() {
-    return branchStartsWith('release/')
-}
-
-private boolean branchStartsWith(final String branchName) {
-    startsWith(env.GIT_BRANCH, branchName)
-}
-
-private boolean isPublished(final String repo) {
-    startsWith(env.GIT_URL, repo)
-}
-
-private static boolean startsWith(final String value, final String match) {
-    value != null && value.startsWith(match)
-}
-
-private boolean notSnapshot() {
-    return !(readMavenPom(file: 'pom.xml').version).contains("SNAPSHOT")
-}
--- a/pom.xml
+++ b/pom.xml
@ -36,7 +36,7 @@
    <properties>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
-        <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
+        <maven-javadoc-plugin.version>3.2.0</maven-javadoc-plugin.version>
        <maven-source-plugin.version>3.2.1</maven-source-plugin.version>
        <maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
        <maven-deploy-plugin.version>3.0.0-M1</maven-deploy-plugin.version>
				`@ -0,0 +1 @@`
				`Subproject commit de2613446f361e33b2651c3916660838d536ed0e`