Support GPG
See original GitHub issueReleasing artifacts to Maven Central requires publishers to sign all of the assets with GPG. Publishers most commonly deal with this by utilizing maven-gpg-plugin.
This is a bit of a headache right now in GitHub actions as you have to create a step in your workflow that:
- takes a GitHub secret containing your private key and writes it to a file:
echo $GPG_PRIVATE_KEY > private.asc
- imports the gpg key:
gpg --import --batch private.asc
And to utilize the GPG key, you then have to pass it in as a maven argument:
-Dgpg.passphrase=$GPG_PASSPHRASE
This is definitely workable (see link for an example workflow) but it’s more tedious than needed. It’s also not ideal to pass passwords around using the command line even though GitHub Actions sanitizes them. Since setup-java already creates a settings.xml file that is preconfigured to publish to Maven Central, it would be nice if gpg could also be added to the settings.xml file.
The usage would look something like the following:
- name: Set up Apache Maven Central
uses: actions/setup-java@v1
with: # running setup-java again overwrites the settings.xml
java-version: 1.8
server-id: maven # Value of the distributionManagement/repository/id field of the pom.xml
server-username: MAVEN_USERNAME # env variable for username in deploy
server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} # gpg private key to import
gpg-passphrase: GPG_PASSPHRASE # env variable for gpg signing in deploy
- name: Publish to Apache Maven Central
run: mvn deploy
env:
MAVEN_USERNAME: maven_username123
MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
And the generated settings.xml would look something like:
<servers>
<server>
<id>maven</id>
<username>${env.MAVEN_USERNAME}</username>
<password>${env.MAVEN_CENTRAL_TOKEN}</password>
</server>
<profiles>
<profile>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
</properties>
</profile>
<profiles>
</servers>
Since gpg is not supported by setup-java, other developers have had to step in to fill the void. samuelmeuli/action-maven-publish was created specifically to fill this gap but it overrides the settings.xml file to do so. It would better if the official setup-java action supported this, especially as some developers/organizations are uncomfortable with third-party actions.
Issue Analytics
- State:
- Created 4 years ago
- Reactions:11
- Comments:9 (3 by maintainers)
Top GitHub Comments
With #63 merged in, I’ve created a new release (
v1.4.0
) and I’ve updated thev1
tag to point to the latest changes: https://github.com/actions/setup-java/releasesThanks for the contribution @jaredpetersen ❤️ Folks will love this!
A slightly different angle: the “Publishing packages to the Maven Central Repository and GitHub Packages” section of the Actions docs strongly suggests that setting an OSSRH username/password with the
setup-java
action and then runningmaven deploy
is enough to successfully publish packages to the central repository, but it doesn’t really work out that way in practice.I recognize that issues with the documentation are likely best reported elsewhere, but I do think part of the overall issue falls within the scope of this action. In the docs,
setup-java
is the main vehicle for the “Set up Java for publishing to Maven Central Repository” and that certainly sets an expectation that it can perform all of the steps needed to prepare for publication. To the extent that it doesn’t actually cover all of the prerequisites, I think the current state of affairs goes a little beyond “could be more convenient” and actually veers into “creates confusion.”Certainly, part of the solution is to update the docs to address artifact signing. I recognize it’s jumping ahead a couple of steps, but it seems to me that the thing the docs should be able to say is “provide your key and passphrase to
setup-java
and then runmvn deploy
,” and so I wanted to lobby for prioritizing this issue a little higher than it might be otherwise.Thanks!