

Test artifacts signature in CI
Signs artifacts using the same process as during a release
using a test key.
abelsromero committed Jan 10, 2024
1 parent 69d2ff6 commit 32ddd03
Showing 3 changed files with 53 additions and 40 deletions.
51 changes: 45 additions & 6 deletions .github/workflows/build.yaml
Expand Up @@ -66,11 +66,31 @@ jobs:
- name: Build & Test
run: mvn -B clean javadoc:jar
signature:
name: Sign artifacts
environment: test
env:
GPG_KEYNAME: ${{ secrets.GPG_KEYNAME }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
ARTIFACTS_DIR: target/artifacts
GPG_KEYNAME: AD1FC1D8A84C23D92DC1377D519F6A9DA113C4F3
GPG_PASSPHRASE: 1234567890
GPG_PRIVATE_KEY: |
-----BEGIN PGP PRIVATE KEY BLOCK-----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=BCbM
-----END PGP PRIVATE KEY BLOCK-----
strategy:
fail-fast: false
matrix:
Expand All @@ -82,12 +102,31 @@ jobs:
- 3.9.6
runs-on: ${{ matrix.os }}
steps:
- name: Prepare signature
run: echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
- name: debug
run: |
echo "${{ env.GPG_KEYNAME }}"
echo "${{ env.GPG_PASSPHRASE }}"
echo "${{ env.GPG_PRIVATE_KEY }}"
- name: Prepare key
run: echo -e "${{ env.GPG_PRIVATE_KEY }}" | gpg --import --batch
- name: List kys
run: gpg --list-keys
- uses: s4u/[email protected]
with:
java-distribution: 'temurin'
java-version: ${{ matrix.java }}
maven-version: ${{ matrix.maven }}
- name: Build & Test
run: mvn -B clean install -Psign -DskipTests
run: mvn -B clean install -Prelease -DskipTests
- name: Collect artifacts
run: |
mkdir -p $ARTIFACTS_DIR
cp -r $HOME/.m2/repository/org/asciidoctor/asciidoctor-maven-* $ARTIFACTS_DIR
cp -r $HOME/.m2/repository/org/asciidoctor/*-doxia-module $ARTIFACTS_DIR
- name: Verify JAR signatures
run: find $ARTIFACTS_DIR -type f -name "*.jar" -exec gpg --verify "{}.asc" \;
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: signed-artifacts
path: ${{ env.ARTIFACTS_DIR }}
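Review bot: The `Verify JAR signatures` step cannot fail on a bad or missing signature, because `find … -exec gpg --verify "{}.asc" \;` discards gpg's exit status and find itself still exits 0. A form that propagates the failure is `find "$ARTIFACTS_DIR" -type f -name "*.jar" -exec sh -c 'for f; do gpg --verify "$f.asc" "$f" || exit 1; done' sh {} +`. Separately, the `debug` step echoes the passphrase and the private key into the job log, and `Prepare key` splices `${{ env.GPG_PRIVATE_KEY }}` into the script text instead of reading `$GPG_PRIVATE_KEY` as the `Prepare signature` step did. That is tolerable only while the values are the committed test key, so the `debug` step should be dropped before these values ever come from `secrets` again. The rendered page has lost its `+`/`-` column, so which lines are new is inferred from the 6-deletion count and the commit description.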
1 change: 1 addition & 0 deletions CHANGELOG.adoc
Expand Up @@ -61,6 +61,7 @@ Build / Infrastructure::
* Use latest maven-plugin-tools and remove Dependabot exclusion (CI test ensure backward compatibility) (#717)
* Use latest Maven Doxia and remove Dependabot exclusion (CI test ensure backward compatibility) (#719)
* Use latest Maven and remove Dependabot exclusion (CI test ensure backward compatibility) (#722)
* Test artifact's signature with Maven in CI (#736)

Maintenance::
* Replace use of reflection by direct JavaExtensionRegistry calls to register extensions (#596)
41 changes: 7 additions & 34 deletions pom.xml
Expand Up @@ -234,42 +234,15 @@
</build>

<profiles>
<profile>
<id>sign</id>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<configuration>
<executable>gpg2</executable>
<keyname>${env.GPG_KEYNAME}</keyname>
<passphrase>${env.GPG_PASSPHRASE}</passphrase>
<gpgArguments>
<arg>--pinentry-mode</arg>
<arg>loopback</arg>
</gpgArguments>
</configuration>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile>
<!--
To release to bintray, add your credentials to ~/.m2/settings.xml and run:
To release, define environment variables:
export GPG_KEYNAME=""
export GPG_PASSPHRASE=""
Then, run
$ mvn deploy
-->
<id>release-profile</id>
<id>release</id>
<build>
<plugins>
<plugin>
Expand Down Expand Up @@ -304,8 +277,8 @@
<artifactId>maven-gpg-plugin</artifactId>
<configuration>
<executable>gpg2</executable>
<keyname>${gpg.keyname}</keyname>
<passphrase>${gpg.passphrase}</passphrase>
<keyname>${env.GPG_KEYNAME}</keyname>
<passphrase>${env.GPG_PASSPHRASE}</passphrase>
<gpgArguments>
<arg>--pinentry-mode</arg>
<arg>loopback</arg>
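Review bot: The comment above `<id>release</id>` still ends with `$ mvn deploy`, which does not select the profile. Unless an `<activation>` exists outside the visible lines, the documented command should read `$ mvn deploy -Prelease`, matching the `-Prelease` the workflow passes. The rename from `release-profile` also deserves a line in that comment, since any script or release tooling that selected the old id by name (not visible here) would, as far as I can tell, build without the signing plugin and only log a warning. With `<keyname>${env.GPG_KEYNAME}</keyname>` and `<passphrase>${env.GPG_PASSPHRASE}</passphrase>`, the comment should also say that both variables must be exported with non-empty values before the build. The profile body continues outside the hunk.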
