From 88142c825b4e916a75520dffb75484f41797d8b5 Mon Sep 17 00:00:00 2001
From: Abel Salgado Romero
Date: Mon, 1 Jan 2024 22:41:00 +0100
Subject: [PATCH] Test artifacts signature in CI

Signs artifacts using same process as during a release using a test key.
---
 .github/workflows/build.yaml | 65 ++++++++++++++++++++++++++++++++++++
 CHANGELOG.adoc | 1 +
 pom.xml | 12 ++++---
 3 files changed, 73 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 0afa37cd..49c48dd4 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -65,3 +65,68 @@ jobs:
 maven-version: ${{ matrix.maven }}
 - name: Build & Test
 run: mvn -B clean javadoc:jar
+ signature:
+ name: Sign artifacts
+ environment: test
+ env:
+ ARTIFACTS_DIR: target/artifacts
+ GPG_KEYNAME: AD1FC1D8A84C23D92DC1377D519F6A9DA113C4F3
+ GPG_PASSPHRASE: 1234567890
+ GPG_PRIVATE_KEY: |
+ -----BEGIN PGP PRIVATE KEY BLOCK-----
+
+ lIYEZZNGnRYJKwYBBAHaRw8BAQdACk2kGg4AXHMDO4yyfUgVoxNkdgwH5JeU4RKC
+ oWiJ8T7+BwMCsLucYGxSgqf/wrrRjmsWthIvcmSGikVBbmURXvygOSEAVvM6/dqW
+ exlh52f1W38SeQV1lteQjNUP5qc+F7y4eD8wqQQ3MRf6C3lTciMHr7RAYXNjaWlk
+ b2N0b3ItbWF2ZW4tcGx1Z2luIHRlc3RpbmcgPGFzY2lpZG9jdG9yLXRlc3RpbmdA
+ ZmFrZS5tYWlsPoiZBBMWCgBBFiEErR/B2KhMI9ktwTd9UZ9qnaETxPMFAmWTRp0C
+ GwMFCQWjmoAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQUZ9qnaETxPPJ
+ BgD/Zrvgxa74ectHRj+lOF1Tc+u47B5RraAbGsDRcVRzYJABALWXYMywNLObobpU
+ pvNBnCyBYWwrW/+o1D3FI6aDzhgBnIsEZZNGnRIKKwYBBAGXVQEFAQEHQLdLXbH0
+ Q6wiP0b/QF+gJfXDNcJCWu4yAYO3WrdhyddmAwEIB/4HAwI8l2WaMrWsVP9cRuJg
+ ifCy3/n6Sk2DSC4028DJRCFx99oQx85dwDysmLMCccL/Od/X5RR9X4c9mCP9ZI2V
+ i9Fp7zcNKGCy7TafFoS2w5RTiH4EGBYKACYWIQStH8HYqEwj2S3BN31Rn2qdoRPE
+ 8wUCZZNGnQIbDAUJBaOagAAKCRBRn2qdoRPE86XrAPwPakum1coasOY7U2mNbky3
+ X1Exlurk0IMFiW/GJkNcjgD+PkU7pXgRSy2YEl7ZWswheLvlQQT0PsyNSfkWS201
+ /ww=
+ =BCbM
+ -----END PGP PRIVATE KEY BLOCK-----
+ strategy:
+ fail-fast: false
+ matrix:
+ os:
+ - ubuntu-latest
+ java:
+ - 11
+ maven:
+ - 3.9.6
+ runs-on: ${{ matrix.os }}
+ steps:
+ - name: debug
+ run: |
+ echo "${{ env.GPG_KEYNAME }}"
+ echo "${{ env.GPG_PASSPHRASE }}"
+ echo "${{ env.GPG_PRIVATE_KEY }}"
+ - name: Prepare key
+ run: echo -e "${{ env.GPG_PRIVATE_KEY }}" | gpg --import --batch
+ - name: List kys
+ run: gpg --list-keys
+ - uses: s4u/setup-maven-action@v1.11.0
+ with:
+ java-distribution: 'temurin'
+ java-version: ${{ matrix.java }}
+ maven-version: ${{ matrix.maven }}
+ - name: Build & Test
+ run: mvn -B clean install -Prelease -DskipTests
+ - name: Collect artifacts
+ run: |
+ mkdir -p $ARTIFACTS_DIR
+ cp -r $HOME/.m2/repository/org/asciidoctor/asciidoctor-maven-* $ARTIFACTS_DIR
+ cp -r $HOME/.m2/repository/org/asciidoctor/*-doxia-module $ARTIFACTS_DIR
+ - name: Verify JAR signatures
+ run: find $ARTIFACTS_DIR -type f -name "*.jar" -exec gpg --verify "{}.asc" \;
+ - name: Upload artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: signed-artifacts
+ path: ${{ env.ARTIFACTS_DIR }}
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
index 23584fb2..cc6d1879 100644
--- a/CHANGELOG.adoc
+++ b/CHANGELOG.adoc
@@ -61,6 +61,7 @@ Build / Infrastructure:: * Use latest maven-plugin-tools and remove Dependabot exclusion (CI test ensure backward compatibility) (#717) * Use latest Maven Doxia and remove Dependabot exclusion (CI test ensure backward compatibility) (#719) * Use latest Maven and remove Dependabot exclusion (CI test ensure backward compatibility) (#722) + * Test artifact's signature with Maven in CI (#736) Maintenance:: * Replace use of reflection by direct JavaExtensionRegistry calls to register extensions (#596)
diff --git a/pom.xml b/pom.xml
index a0cf928f..7dd945f3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -236,11 +236,13 @@ - release-profile + release
@@ -275,8 +277,8 @@ maven-gpg-plugin gpg2 - ${gpg.keyname} - ${gpg.passphrase} + ${env.GPG_KEYNAME} + ${env.GPG_PASSPHRASE} --pinentry-mode loopback
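Review bot: The `Verify JAR signatures` step cannot fail the job: with the `-exec … \;` form a non-zero exit from gpg only makes the predicate false and find still exits 0, so a missing or invalid `.asc` is logged and the step passes. Feeding the files to xargs, which exits non-zero when any invocation fails, and passing the data file explicitly fixes that, e.g. `run: find "$ARTIFACTS_DIR" -type f -name '*.jar' -print0 | xargs -0 -I{} gpg --verify '{}.asc' '{}'`. The `debug` step prints GPG_PASSPHRASE and GPG_PRIVATE_KEY into the job log, and because they are plain `env:` values rather than `secrets.*` of the `test` environment the job already declares, nothing masks them; that is tolerable for a throwaway test key but the step should not survive to merge. In the `debug` and `Prepare key` steps `${{ env.X }}` splices the value into the shell script text before it runs; reading the already-exported variable as `"$GPG_PRIVATE_KEY"` avoids that and makes `echo -e` unnecessary since the block scalar already contains real newlines. The step name `List kys` has a typo.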
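Review bot: After the second pom.xml hunk `${env.GPG_KEYNAME}` and `${env.GPG_PASSPHRASE}` are the only source of the gpg plugin's keyname and passphrase, so a release run that does not export both variables will, as far as I can tell, hand gpg the unresolved placeholder text (Maven leaves unknown `${…}` expressions literal) and fail with an unhelpful error, and the old `-Dgpg.keyname=`/`-Dgpg.passphrase=` invocations stop working. A comment next to the configuration stating that the two variables must be exported by the caller, and that `--pinentry-mode loopback` is what allows the passphrase to come from the environment, would document the new contract; the enclosing `<plugin>`/`<configuration>` elements start and end outside the hunk. Unset-variable detection could also be done early in the CI job rather than inside gpg.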