Title: Support GPG · Issue #43 · actions/setup-java · GitHub
Open Graph Title: Support GPG · Issue #43 · actions/setup-java
X Title: Support GPG · Issue #43 · actions/setup-java
Description: Releasing artifacts to Maven Central requires publishers to sign all of the assets with GPG. Publishers most commonly deal with this by utilizing maven-gpg-plugin. This is a bit of a headache right now in GitHub actions as you have to cr...
Open Graph Description: Releasing artifacts to Maven Central requires publishers to sign all of the assets with GPG. Publishers most commonly deal with this by utilizing maven-gpg-plugin. This is a bit of a headache right...
X Description: Releasing artifacts to Maven Central requires publishers to sign all of the assets with GPG. Publishers most commonly deal with this by utilizing maven-gpg-plugin. This is a bit of a headache right...
Opengraph URL: https://github.com/actions/setup-java/issues/43
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Support GPG","articleBody":"Releasing artifacts to Maven Central requires publishers to sign all of the assets with GPG. Publishers most commonly deal with this by utilizing [maven-gpg-plugin](https://maven.apache.org/plugins/maven-gpg-plugin/).\r\n\r\nThis is a bit of a headache right now in GitHub actions as you have to create a step in your workflow that:\r\n1. takes a GitHub secret containing your private key and writes it to a file:\r\n `echo $GPG_PRIVATE_KEY \u003e private.asc`\r\n2. imports the gpg key:\r\n `gpg --import --batch private.asc`\r\n\r\nAnd to utilize the GPG key, you then have to pass it in as a maven argument:\r\n`-Dgpg.passphrase=$GPG_PASSPHRASE`\r\n\r\nThis is definitely workable (see [link](https://github.com/jaredpetersen/actions-testbed/blob/f23733ce957e28ed0b329a3a6d5f5b96b7720253/.github/workflows/release.yml#L15-L28) for an example workflow) but it's more tedious than needed. It's also not ideal to pass passwords around using the command line even though GitHub Actions sanitizes them. Since setup-java already creates a settings.xml file that is preconfigured to publish to Maven Central, it would be nice if gpg could also be added to the settings.xml file.\r\n\r\nThe usage would look something like the following:\r\n```\r\n- name: Set up Apache Maven Central\r\n uses: actions/setup-java@v1\r\n with: # running setup-java again overwrites the settings.xml\r\n java-version: 1.8\r\n server-id: maven # Value of the distributionManagement/repository/id field of the pom.xml\r\n server-username: MAVEN_USERNAME # env variable for username in deploy\r\n server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy\r\n gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} # gpg private key to import\r\n gpg-passphrase: GPG_PASSPHRASE # env variable for gpg signing in deploy\r\n- name: Publish to Apache Maven Central\r\n run: mvn deploy \r\n env:\r\n MAVEN_USERNAME: maven_username123\r\n MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}\r\n GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}\r\n```\r\n\r\nAnd the generated settings.xml would look something like:\r\n```xml\r\n\u003cservers\u003e\r\n \u003cserver\u003e\r\n \u003cid\u003emaven\u003c/id\u003e\r\n \u003cusername\u003e${env.MAVEN_USERNAME}\u003c/username\u003e\r\n \u003cpassword\u003e${env.MAVEN_CENTRAL_TOKEN}\u003c/password\u003e\r\n \u003c/server\u003e\r\n \u003cprofiles\u003e\r\n \u003cprofile\u003e\r\n \u003cactivation\u003e\r\n \u003cactiveByDefault\u003etrue\u003c/activeByDefault\u003e\r\n \u003c/activation\u003e\r\n \u003cproperties\u003e\r\n \u003cgpg.passphrase\u003e${env.GPG_PASSPHRASE}\u003c/gpg.passphrase\u003e\r\n \u003c/properties\u003e\r\n \u003c/profile\u003e\r\n \u003cprofiles\u003e\r\n\u003c/servers\u003e\r\n```\r\n\r\nSince gpg is not supported by setup-java, other developers have had to step in to fill the void. [samuelmeuli/action-maven-publish](https://github.com/samuelmeuli/action-maven-publish) was created specifically to fill this gap but it overrides the settings.xml file to do so. It would better if the official setup-java action supported this, especially as some developers/organizations are uncomfortable with third-party actions.\r\n","author":{"url":"https://github.com/jaredpetersen","@type":"Person","name":"jaredpetersen"},"datePublished":"2020-01-18T00:31:39.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":9},"url":"https://github.com/43/setup-java/issues/43"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:875cf0d2-b538-e69d-729e-182cf427f13e |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | B4AA:11597D:DC60DA:13687C2:6A4F5251 |
| html-safe-nonce | 7537af9ada22c4c4c8e0c9a3a47fb3200b25f23ae77fd7d2906f6e4f22874145 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCNEFBOjExNTk3RDpEQzYwREE6MTM2ODdDMjo2QTRGNTI1MSIsInZpc2l0b3JfaWQiOiI2NjMyNTk4ODI4ODMzNzg4NDk3IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | c2de1332840e93440252a40232e5b6f65b280f20ceead19e2681d476fcb14b41 |
| hovercard-subject-tag | issue:551692698 |
| github-keyboard-shortcuts | repository,issues,actions,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/actions/setup-java/43/issue_layout |
| twitter:image | https://opengraph.githubassets.com/e68b5ac12dbe369610b72e1e6ce8ffb8be04ab01244b28e4558e43de43db4395/actions/setup-java/issues/43 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/e68b5ac12dbe369610b72e1e6ce8ffb8be04ab01244b28e4558e43de43db4395/actions/setup-java/issues/43 |
| og:image:alt | Releasing artifacts to Maven Central requires publishers to sign all of the assets with GPG. Publishers most commonly deal with this by utilizing maven-gpg-plugin. This is a bit of a headache right... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | jaredpetersen |
| hostname | github.com |
| expected-hostname | github.com |
| None | b92d11c0aa4a77d54ef4af1078b6a15fb5a70a215b30c4ecf28889d5a8e656d9 |
| turbo-cache-control | no-preview |
| go-import | github.com/actions/setup-java git https://github.com/actions/setup-java.git |
| octolytics-dimension-user_id | 44036562 |
| octolytics-dimension-user_login | actions |
| octolytics-dimension-repository_id | 196057608 |
| octolytics-dimension-repository_nwo | actions/setup-java |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 196057608 |
| octolytics-dimension-repository_network_root_nwo | actions/setup-java |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 4b249b445842943ed31549e027f57a8ade9881ed |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width