From 737a18e80da1ef3ac5b73332215869867cd298a6 Mon Sep 17 00:00:00 2001
From: Roberto Tyley
Date: Tue, 16 Jan 2024 11:55:21 +0000
Subject: [PATCH] Explicitly switch to Sonatype token authentication

As of January 2024, Sonatype is actively discouraging the legacy username & password method of authentication, recommending token authentication instead:
* https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests
* https://central.sonatype.org/publish/generate-token/
In this new scheme, the token is still split into a username/password format, and both are randomised strings, making the username portion a meaningful secret (ie one that can be revoked) and so worthy of being treated as a secret. Consequently, in this change username is now a GitHub workflow 'secret' parameter, rather than a simple input.
---
 .github/workflows/reusable-release.yml | 15 ++++++---------
 docs/credentials/generating-credentials.md | 20 ++++++++++++++++++--
 docs/credentials/supplying-credentials.md | 9 +++++++--
 3 files changed, 31 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
index b232abe..78c302d 100644
--- a/.github/workflows/reusable-release.yml
+++ b/.github/workflows/reusable-release.yml
@@ -13,14 +13,9 @@ on:
 default: 'oss.sonatype.org' # The default host is going to be whatever "com.gu" is using
 required: false # ...but if you're not the Guardian, you'll want to set this explicitly
 type: string
- SONATYPE_USERNAME:
- description: 'Sonatype username'
- default: 'guardian.automated.maven.release' # Only for use by the Guardian!
- required: false # Must be supplied if used by a non-Guardian project
- type: string
 secrets:
- SONATYPE_PASSWORD:
- description: 'Password for the SONATYPE_USERNAME account - used to authenticate when uploading artifacts'
+ SONATYPE_TOKEN:
+ description: 'Sonatype authentication token, colon-separated (username:password) - https://central.sonatype.org/publish/generate-token/'
 required: true
 PGP_PRIVATE_KEY:
 description:
@@ -328,9 +323,11 @@ jobs:
 cache: sbt # the issue described in https://github.com/actions/setup-java/pull/564 doesn't affect this step (no version.sbt)
 - name: Release
 env:
- SONATYPE_USERNAME: ${{ inputs.SONATYPE_USERNAME }}
- SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+ SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
 run: |
+ SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}" # See https://github.com/xerial/sbt-sonatype/pull/62
+ SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"
+ echo "Credential lengths... username=${#SONATYPE_USERNAME} password=${#SONATYPE_PASSWORD}"
 sbt "sonatypeBundleRelease"
 
 github-release:
diff --git a/docs/credentials/generating-credentials.md b/docs/credentials/generating-credentials.md
index b6a73b9..7461556 100644
--- a/docs/credentials/generating-credentials.md
+++ b/docs/credentials/generating-credentials.md
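Review bot: The two assignments added under `run: |` in the second hunk (`SONATYPE_USERNAME=…` and `SONATYPE_PASSWORD=…`) are plain shell variables, so the `sbt "sonatypeBundleRelease"` child process will not see them unless something outside the hunk still places them in the environment — the step's `env:` block now carries only `SONATYPE_TOKEN`, and the sbt-sonatype change the comment cites appears to read the credentials from the process environment. Both lines should be `export SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}"` and `export SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"`; the enclosing `release` job starts before this hunk. A token value with no colon silently yields the whole token for both halves, so a guard ahead of the split such as `case "$SONATYPE_TOKEN" in *:*) ;; *) echo "SONATYPE_TOKEN must be username:password" >&2; exit 1;; esac` fails fast instead of attempting an upload with the wrong credentials; the length echo is acceptable as a diagnostic, but since GitHub masks only the full `SONATYPE_TOKEN` value, neither derived half should ever be printed on its own. Separately, the new paragraph in generating-credentials.md states the `com.gu` profile is hosted on `oss.sonatype.org` yet links `[there]` to `https://s01.oss.sonatype.org/`, which contradicts the host warning immediately above it.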
@@ -16,6 +16,22 @@ should be plaintext, not BASE64-encoded.
 gpg --armor --export-secret-key [insert key fingerprint here] | pbcopy
 ```
 
-## Updating a Sonatype OSSRH user's password
+## Updating a Sonatype OSSRH Token username & password
 
-See [Sonatype's instructions](https://central.sonatype.org/faq/ossrh-password/).
\ No newline at end of file
+As of [January 2024](https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests),
+Sonatype is actively discouraging the legacy username & password method of authentication, recommending
+[token authentication](https://central.sonatype.org/publish/generate-token/)
+(see link for token-regenerating instructions).
+
+Note these points:
+
+* The token is in a colon:separated username/password format, and _both_ username & password are randomised & revocable
+ secret strings.
+* Tokens generated on either https://oss.sonatype.org/ or https://s01.oss.sonatype.org/ will be _different_, and
+ **a token generated on one will not work on the other**. So, eg, if your `SONATYPE_CREDENTIAL_HOST` is `s01.oss.sonatype.org`,
+ you'll need to use a token _generated_ on `s01.oss.sonatype.org`. Remember that the `SONATYPE_CREDENTIAL_HOST` you
+ use is [dictated](https://github.com/xerial/sbt-sonatype/pull/461) by which Sonatype OSSRH server your **profile**
+ is hosted on.
+ **Guardian developers:** currently the Guardian's `com.gu` profile is hosted on `oss.sonatype.org`, so the token we
+ use must be generated [there](https://s01.oss.sonatype.org/), logged in with the `guardian.automated.maven.release`
+ account.
diff --git a/docs/credentials/supplying-credentials.md b/docs/credentials/supplying-credentials.md
index fa61621..75d96c4 100644
--- a/docs/credentials/supplying-credentials.md
+++ b/docs/credentials/supplying-credentials.md
@@ -14,8 +14,13 @@ has _access_ to those secrets.
 ### Guardian-specific access
 
 **Guardian developers:** We use [`guardian/github-secret-access`](https://github.com/guardian/github-secret-access)
-to grant repos access to the `AUTOMATED_MAVEN_RELEASE_PGP_SECRET` & `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD`
-secrets - you need to raise a PR there (like [this example PR](https://github.com/guardian/github-secret-access/pull/24))
+to grant repos access to these secrets:
+
+* `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN`
+* `AUTOMATED_MAVEN_RELEASE_PGP_SECRET`
+
+You need to raise a PR on the `guardian/github-secret-access` repo (like
+[this example PR](https://github.com/guardian/github-secret-access/pull/24))
 to grant your repo access to the organisation-wide secrets.
 
 ### Generating new credentials