diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 88f43b76..49c48dd4 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -66,11 +66,31 @@ jobs:
 - name: Build & Test
 run: mvn -B clean javadoc:jar
 signature:
+ name: Sign artifacts
 environment: test
 env:
- GPG_KEYNAME: ${{ secrets.GPG_KEYNAME }}
- GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+ ARTIFACTS_DIR: target/artifacts
+ GPG_KEYNAME: AD1FC1D8A84C23D92DC1377D519F6A9DA113C4F3
+ GPG_PASSPHRASE: 1234567890
+ GPG_PRIVATE_KEY: |
+ -----BEGIN PGP PRIVATE KEY BLOCK-----
+
+ lIYEZZNGnRYJKwYBBAHaRw8BAQdACk2kGg4AXHMDO4yyfUgVoxNkdgwH5JeU4RKC
+ oWiJ8T7+BwMCsLucYGxSgqf/wrrRjmsWthIvcmSGikVBbmURXvygOSEAVvM6/dqW
+ exlh52f1W38SeQV1lteQjNUP5qc+F7y4eD8wqQQ3MRf6C3lTciMHr7RAYXNjaWlk
+ b2N0b3ItbWF2ZW4tcGx1Z2luIHRlc3RpbmcgPGFzY2lpZG9jdG9yLXRlc3RpbmdA
+ ZmFrZS5tYWlsPoiZBBMWCgBBFiEErR/B2KhMI9ktwTd9UZ9qnaETxPMFAmWTRp0C
+ GwMFCQWjmoAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQUZ9qnaETxPPJ
+ BgD/Zrvgxa74ectHRj+lOF1Tc+u47B5RraAbGsDRcVRzYJABALWXYMywNLObobpU
+ pvNBnCyBYWwrW/+o1D3FI6aDzhgBnIsEZZNGnRIKKwYBBAGXVQEFAQEHQLdLXbH0
+ Q6wiP0b/QF+gJfXDNcJCWu4yAYO3WrdhyddmAwEIB/4HAwI8l2WaMrWsVP9cRuJg
+ ifCy3/n6Sk2DSC4028DJRCFx99oQx85dwDysmLMCccL/Od/X5RR9X4c9mCP9ZI2V
+ i9Fp7zcNKGCy7TafFoS2w5RTiH4EGBYKACYWIQStH8HYqEwj2S3BN31Rn2qdoRPE
+ 8wUCZZNGnQIbDAUJBaOagAAKCRBRn2qdoRPE86XrAPwPakum1coasOY7U2mNbky3
+ X1Exlurk0IMFiW/GJkNcjgD+PkU7pXgRSy2YEl7ZWswheLvlQQT0PsyNSfkWS201
+ /ww=
+ =BCbM
+ -----END PGP PRIVATE KEY BLOCK-----
 strategy:
 fail-fast: false
 matrix:
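Review bot: The `env:` block of the `signature` job now carries an armored private key and its passphrase in the workflow file, where the removed lines read them from `secrets.*`; once merged this material is permanently public in history, so it must only ever be a throwaway key. The user ID embedded in the key block appears to name a testing identity, which suggests that is the intent, but nothing in the file says so; a comment such as `# Throwaway CI-only key: never trust it, publish it, or reuse it for releases` above `GPG_PRIVATE_KEY` would make that explicit and help when secret scanners flag the file. Because `pom.xml` in this commit appears to point the `release` profile at the same `GPG_KEYNAME`/`GPG_PASSPHRASE` variable names, it is worth confirming that the real release path cannot pick up these test values. `GPG_PASSPHRASE: 1234567890` is an unquoted integer in YAML; `GPG_PASSPHRASE: '1234567890'` keeps it a string. Generating an ephemeral key inside the job would avoid committing key material at all.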
@@ -82,12 +102,31 @@ jobs:
 - 3.9.6
 runs-on: ${{ matrix.os }}
 steps:
- - name: Prepare signature
- run: echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
+ - name: debug
+ run: |
+ echo "${{ env.GPG_KEYNAME }}"
+ echo "${{ env.GPG_PASSPHRASE }}"
+ echo "${{ env.GPG_PRIVATE_KEY }}"
+ - name: Prepare key
+ run: echo -e "${{ env.GPG_PRIVATE_KEY }}" | gpg --import --batch
+ - name: List kys
+ run: gpg --list-keys
 - uses: s4u/setup-maven-action@v1.11.0
 with:
 java-distribution: 'temurin'
 java-version: ${{ matrix.java }}
 maven-version: ${{ matrix.maven }}
 - name: Build & Test
- run: mvn -B clean install -Psign -DskipTests
+ run: mvn -B clean install -Prelease -DskipTests
+ - name: Collect artifacts
+ run: |
+ mkdir -p $ARTIFACTS_DIR
+ cp -r $HOME/.m2/repository/org/asciidoctor/asciidoctor-maven-* $ARTIFACTS_DIR
+ cp -r $HOME/.m2/repository/org/asciidoctor/*-doxia-module $ARTIFACTS_DIR
+ - name: Verify JAR signatures
+ run: find $ARTIFACTS_DIR -type f -name "*.jar" -exec gpg --verify "{}.asc" \;
+ - name: Upload artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: signed-artifacts
+ path: ${{ env.ARTIFACTS_DIR }}
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index 23584fb2..cc6d1879 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -61,6 +61,7 @@ Build / Infrastructure:: * Use latest maven-plugin-tools and remove Dependabot exclusion (CI test ensure backward compatibility) (#717) * Use latest Maven Doxia and remove Dependabot exclusion (CI test ensure backward compatibility) (#719) * Use latest Maven and remove Dependabot exclusion (CI test ensure backward compatibility) (#722) + * Test artifact's signature with Maven in CI (#736) Maintenance:: * Replace use of reflection by direct JavaExtensionRegistry calls to register extensions (#596)
diff --git a/pom.xml b/pom.xml
index 6893b1e4..7dd945f3 100644
--- a/pom.xml
+++ b/pom.xml
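Review bot: The `debug` step in the `steps:` hunk of `.github/workflows/build.yaml` echoes `GPG_KEYNAME`, `GPG_PASSPHRASE` and the whole `GPG_PRIVATE_KEY` into the job log, and since these are now plain `env` values rather than `secrets.*` nothing masks them; the step should not be merged. `Prepare key` also moved from the shell variable to `${{ env.GPG_PRIVATE_KEY }}`, which splices the value into the script text before the shell runs, so reading `"$GPG_PRIVATE_KEY"` as the removed line did is the safer form. In `Verify JAR signatures`, `find … -exec … \;` does not pass gpg's exit status on, so a missing or invalid `.asc` leaves the step green, as does an empty artifact directory; the sketch below fails on either. The step name `List kys` looks like a typo for `List keys`.

```yaml
# … debug step removed: it only echoed the key name, passphrase and private key …
- name: Prepare key
  run: echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
# … unchanged: List keys, setup-maven-action, Build & Test, Collect artifacts …
- name: Verify JAR signatures
  shell: bash
  run: |
    set -euo pipefail
    checked=0
    while IFS= read -r -d '' jar; do
      gpg --verify "$jar.asc" "$jar"
      checked=$((checked + 1))
    done < <(find "$ARTIFACTS_DIR" -type f -name '*.jar' -print0)
    # Fail when nothing was collected, so an empty directory cannot pass.
    test "$checked" -gt 0
```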
@@ -234,42 +234,15 @@ - - sign - - - - org.apache.maven.plugins - maven-gpg-plugin - - gpg2 - ${env.GPG_KEYNAME} - ${env.GPG_PASSPHRASE} - - --pinentry-mode - loopback - - - - - sign-artifacts - verify - - sign - - - - - - - - release-profile + release @@ -304,8 +277,8 @@ maven-gpg-plugin gpg2 - ${gpg.keyname} - ${gpg.passphrase} + ${env.GPG_KEYNAME} + ${env.GPG_PASSPHRASE} --pinentry-mode loopback