Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support GPG

See original GitHub issue

Releasing artifacts to Maven Central requires publishers to sign all of the assets with GPG. Publishers most commonly deal with this by utilizing maven-gpg-plugin.

This is a bit of a headache right now in GitHub actions as you have to create a step in your workflow that:

takes a GitHub secret containing your private key and writes it to a file: echo $GPG_PRIVATE_KEY > private.asc
imports the gpg key: gpg --import --batch private.asc

And to utilize the GPG key, you then have to pass it in as a maven argument: -Dgpg.passphrase=$GPG_PASSPHRASE

This is definitely workable (see link for an example workflow) but it’s more tedious than needed. It’s also not ideal to pass passwords around using the command line even though GitHub Actions sanitizes them. Since setup-java already creates a settings.xml file that is preconfigured to publish to Maven Central, it would be nice if gpg could also be added to the settings.xml file.

The usage would look something like the following:

- name: Set up Apache Maven Central
  uses: actions/setup-java@v1
  with: # running setup-java again overwrites the settings.xml
     java-version: 1.8
     server-id: maven # Value of the distributionManagement/repository/id field of the pom.xml
     server-username: MAVEN_USERNAME # env variable for username in deploy
     server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
     gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} # gpg private key to import
     gpg-passphrase: GPG_PASSPHRASE # env variable for gpg signing in deploy
- name: Publish to Apache Maven Central
  run: mvn deploy 
  env:
    MAVEN_USERNAME: maven_username123
    MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}
    GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

And the generated settings.xml would look something like:

<servers>
    <server>
      <id>maven</id>
      <username>${env.MAVEN_USERNAME}</username>
      <password>${env.MAVEN_CENTRAL_TOKEN}</password>
    </server>
    <profiles>
      <profile>
        <activation>
          <activeByDefault>true</activeByDefault>
        </activation>
        <properties>
          <gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
        </properties>
      </profile>
    <profiles>
</servers>

Since gpg is not supported by setup-java, other developers have had to step in to fill the void. samuelmeuli/action-maven-publish was created specifically to fill this gap but it overrides the settings.xml file to do so. It would better if the official setup-java action supported this, especially as some developers/organizations are uncomfortable with third-party actions.

Issue Analytics

State:
Created 4 years ago
Reactions:11
Comments:9 (3 by maintainers)

Top GitHub Comments

3reactions

konradpabjancommented, Jul 22, 2020

With #63 merged in, I’ve created a new release (v1.4.0) and I’ve updated the v1 tag to point to the latest changes: https://github.com/actions/setup-java/releases

Thanks for the contribution @jaredpetersen ❤️ Folks will love this!

2reactions

jchamberscommented, Feb 29, 2020

A slightly different angle: the “Publishing packages to the Maven Central Repository and GitHub Packages” section of the Actions docs strongly suggests that setting an OSSRH username/password with the setup-java action and then running maven deploy is enough to successfully publish packages to the central repository, but it doesn’t really work out that way in practice.

I recognize that issues with the documentation are likely best reported elsewhere, but I do think part of the overall issue falls within the scope of this action. In the docs, setup-java is the main vehicle for the “Set up Java for publishing to Maven Central Repository” and that certainly sets an expectation that it can perform all of the steps needed to prepare for publication. To the extent that it doesn’t actually cover all of the prerequisites, I think the current state of affairs goes a little beyond “could be more convenient” and actually veers into “creates confusion.”

Certainly, part of the solution is to update the docs to address artifact signing. I recognize it’s jumping ahead a couple of steps, but it seems to me that the thing the docs should be able to say is “provide your key and passphrase to setup-java and then run mvn deploy,” and so I wanted to lobby for prioritizing this issue a little higher than it might be otherwise.

Thanks!

Top Results From Across the Web

Support - GnuPG

Commercial support: Listing of companies offering commercial support for GnuPG; @gnupg: We sometimes post short messages to Twitter.

GPGTools Support: Welcome

GPGTools, GPG Mail, Support, Customer, Issues, Troubleshooting, Problem, GPGServices, GPG Keychain Access, GKA, MacGPG, MacGPG2, GPGPreferences, MacGPG1, ...

GPG Mail 7 Support Plan

Support Plan. All regular updates for GPG Mail 7. Current major version; Access to hotfix releases outside of the regular update cycle; Professional...

Getting started with GPG (GnuPG) | Enable Sysadmin - Red Hat

GnuPG, also known as GPG, can be used to encrypt files for ... In addition to encrypting and signing data, it provides support...

How can I contact your support team using PGP/GPG email ...

Generally, Kraken Support does not send either PGP signed or PGP encrypted emails.However, we are able to receive plain-text emails that...