Update signing keys (#133)

* Use GitHub Actions

* Update codesigning keys
This commit is contained in:
Paul Campbell 2020-03-16 15:19:41 +00:00 committed by GitHub
parent 2bfb02b446
commit d3eec22e46
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 180 additions and 50 deletions

41
.github/README.org vendored Normal file
View file

@ -0,0 +1,41 @@
* Deploying using Github Actions
** Actions definition: workflow/sonatype-deploy.yml
When a GitHub Release is created, usually from a tag, this action will trigger.
Using JDK8 the software will be packaged, including running any tests.
Then the Deploy script will sign the created artifacts then deploy them according to the distributionManagement configuration in the `pom.xml`.
** Deploy Script
Uses a signing key provided from the GitHub Actions Secrets as an environment variable to sign the artifact(s) before they are then deployed.
*** Inputs
**** DEPLOY_PROJECTS (optional)
An optional list of modules in a multi-module project to be deployed. If this value is not specified, then all projects will be deployed.
** Maven Configuration
Picks up the credentials from Environment variables for authenticating both with GPG and with the target deployment server (e.g. sonatype-nexus).
*** Inputs
**** NEXUS_USERNAME
The username for your account on the deployment server.
**** NEXUS_PASSWORD
The password for your account on the deployement server.
**** GPG_KEYNAME
The key to use when signing.
**** GPG_PASSPHRASE
The passphrase to unlock the key to use when signing.

BIN
.github/codesigning.asc.gpg vendored Normal file

Binary file not shown.

43
.github/deploy.sh vendored Normal file
View file

@ -0,0 +1,43 @@
#!/usr/bin/env bash
# Decrypts the signing key in .github/codesigning.asc.enc
# Imports that key
# Uses .github/settings.xml and the release profile to deploy
echo "deploy.sh: Starting..."
(
cd .github
echo "Retrieving GPG Private KEY"
gpg --quiet \
--batch \
--yes \
--decrypt \
--passphrase="${GPG_PASSPHRASE}" \
--output codesigning.asc \
codesigning.asc.gpg
echo "Loading signing key"
gpg --batch \
--fast-import codesigning.asc
)
if test -z ${DEPLOY_PROJECTS}
then
PROJECTS=""
echo "Deploying Projects: all"
else
PROJECTS="-pl ${DEPLOY_PROJECTS}"
echo "Deploying Projects: $DEPLOY_PROJECTS"
fi
echo "Releasing..."
mvn ${PROJECTS} \
--settings .github/settings.xml \
-Dskip-Tests=true \
-P release \
-B \
deploy
echo "deploy.sh: Done."

28
.github/settings.xml vendored Normal file
View file

@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8" ?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
<servers>
<server>
<id>sonatype-nexus-snapshots</id>
<username>${env.NEXUS_USERNAME}</username>
<password>${env.NEXUS_PASSWORD}</password>
</server>
<server>
<id>sonatype-nexus-staging</id>
<username>${env.NEXUS_USERNAME}</username>
<password>${env.NEXUS_PASSWORD}</password>
</server>
</servers>
<profiles>
<profile>
<id>gpg-sign</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<gpg.executable>gpg</gpg.executable>
<gpg.keyname>${env.GPG_KEYNAME}</gpg.keyname>
<gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
</properties>
</profile>
</profiles>
</settings>

22
.github/workflows/maven-build.yml vendored Normal file
View file

@ -0,0 +1,22 @@
# This workflow will build a Java project with Maven
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
name: Java CI with Maven
on:
push:
branches: '*'
pull_request:
branches: '*'
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up JDK 1.8
uses: actions/setup-java@v1
with:
java-version: 1.8
- name: Build with Maven
run: mvn -B package --file pom.xml

24
.github/workflows/sonatype-deploy.yml vendored Normal file
View file

@ -0,0 +1,24 @@
name: Deploy to Sonatype Nexus
on:
release:
types: [created]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up JDK 1.8
uses: actions/setup-java@v1
with:
java-version: 1.8
- name: Build with Maven
run: mvn -B package
- name: Nexus Repo Publish
run: sh .github/deploy.sh
env:
NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
GPG_KEYNAME: ${{ secrets.GPG_KEYNAME }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

1
.gitignore vendored
View file

@ -1,3 +1,4 @@
.idea/ .idea/
*.iml *.iml
target/ target/
codesigning.asc

3
.gitmodules vendored Normal file
View file

@ -0,0 +1,3 @@
[submodule ".travis-support"]
path = .travis-support
url = https://github.com/kemitix/kemitix-travis-support.git

1
.travis-support Submodule

@ -0,0 +1 @@
Subproject commit de2613446f361e33b2651c3916660838d536ed0e

16
.travis.yml Normal file
View file

@ -0,0 +1,16 @@
sudo: false
language: java
services:
docker
jdk:
- openjdk8
cache:
directories:
- "$HOME/.m2"
install: true
script: "mvn clean install"
deploy:
provider: script
script: sh .travis-support/deploy.sh
on:
branch: master

View file

@ -1,49 +0,0 @@
final String publicRepo = 'https://github.com/kemitix/'
final String mvn = "mvn --batch-mode --update-snapshots --errors"
pipeline {
agent any
stages {
stage('Install') {
steps {
withMaven(maven: 'maven', jdk: 'JDK 1.8') {
sh "${mvn} -DskipTests install"
}
}
}
stage('Deploy (published release branch)') {
when {
expression {
(isReleaseBranch() &&
isPublished(publicRepo) &&
notSnapshot())
}
}
steps {
withMaven(maven: 'maven', jdk: 'JDK 1.8') {
sh "${mvn} --activate-profiles release deploy"
}
}
}
}
}
private boolean isReleaseBranch() {
return branchStartsWith('release/')
}
private boolean branchStartsWith(final String branchName) {
startsWith(env.GIT_BRANCH, branchName)
}
private boolean isPublished(final String repo) {
startsWith(env.GIT_URL, repo)
}
private static boolean startsWith(final String value, final String match) {
value != null && value.startsWith(match)
}
private boolean notSnapshot() {
return !(readMavenPom(file: 'pom.xml').version).contains("SNAPSHOT")
}

View file

@ -36,7 +36,7 @@
<properties> <properties>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version> <java.version>1.8</java.version>
<maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version> <maven-javadoc-plugin.version>3.2.0</maven-javadoc-plugin.version>
<maven-source-plugin.version>3.2.1</maven-source-plugin.version> <maven-source-plugin.version>3.2.1</maven-source-plugin.version>
<maven-gpg-plugin.version>1.6</maven-gpg-plugin.version> <maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
<maven-deploy-plugin.version>3.0.0-M1</maven-deploy-plugin.version> <maven-deploy-plugin.version>3.0.0-M1</maven-deploy-plugin.version>