Explicitly switch to Sonatype token authentication #23

Merged 1 commit, Jun 20, 2024
14 changes: 5 additions & 9 deletions .github/workflows/reusable-release.yml
@@ -20,14 +20,9 @@ on:
default: 'oss.sonatype.org' # The default host is going to be whatever "com.gu" is using
required: false # ...but if you're not the Guardian, you'll want to set this explicitly
type: string
SONATYPE_USERNAME:
description: 'Sonatype username'
default: 'guardian.automated.maven.release' # Only for use by the Guardian!
required: false # Must be supplied if used by a non-Guardian project
type: string
secrets:
SONATYPE_PASSWORD:
description: 'Password for the SONATYPE_USERNAME account - used to authenticate when uploading artifacts'
SONATYPE_TOKEN:
description: 'Sonatype authentication token, colon-separated (username:password) - https://central.sonatype.org/publish/generate-token/'
required: true
PGP_PRIVATE_KEY:
description:
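Review bot: removing the `SONATYPE_USERNAME` input (the three deleted lines at the top of this hunk) is a breaking change for any caller that still passes it, because a reusable workflow rejects `with:` inputs it does not declare; the PR description or changelog should tell non-Guardian callers to drop that input and supply the `SONATYPE_TOKEN` secret instead. Moving the username into a secret is right, since the new description says both halves of the token are randomised secret strings, but the `SONATYPE_TOKEN` description should also state that the token must be generated on the same host as `SONATYPE_CREDENTIAL_HOST` (the docs hunk in this PR says a token from `oss.sonatype.org` will not authenticate to `s01.oss.sonatype.org`), as that is the misconfiguration a caller is most likely to hit.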
@@ -416,9 +411,10 @@ jobs:
cache: sbt # the issue described in https://github.com/actions/setup-java/pull/564 doesn't affect this step (no version.sbt)
- name: Release
env:
SONATYPE_USERNAME: ${{ inputs.SONATYPE_USERNAME }}
SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
run: |
export SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}" # See https://github.com/xerial/sbt-sonatype/pull/62
export SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"
@rtyley (Member, Author) commented on lines +416 to +417, Jun 19, 2024:

These two lines (using BASH Shell Parameter Expansion to chop the user:pass token string into user & pass) will no longer be necessary if xerial/sbt-sonatype#464 is merged & released.

Note that `export` is crucial here - without it, `sbt "sonatypeBundleRelease"` doesn't receive the `SONATYPE_USERNAME` & `SONATYPE_PASSWORD`. This is because exported variables get passed on to child processes, non-exported variables do not - and sbt runs as a child process.

sbt "sonatypeBundleRelease"

github-release:
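Review bot: the two `export` lines that split `SONATYPE_TOKEN` assume the value contains a colon, but nothing checks that it does; if a caller stores only the password half (or only the username half) in the secret, `${SONATYPE_TOKEN%%:*}` and `${SONATYPE_TOKEN#*:}` both expand to the whole string and the run fails later as an opaque authentication error from `sbt "sonatypeBundleRelease"`. A guard before the exports, e.g. `case "$SONATYPE_TOKEN" in *:*) ;; *) echo "SONATYPE_TOKEN must be username:password" >&2; exit 1;; esac`, makes the misconfiguration obvious at the point it matters. The expansion choice itself is correct: `%%:*` cuts at the first colon and `#*:` keeps everything after it, so a password that contains a colon survives. One more point: Actions redacts the exact secret value, not substrings derived from it, so the derived `SONATYPE_USERNAME` would appear in plain text if sbt ever echoes it; an `echo "::add-mask::$SONATYPE_USERNAME"` right after the export closes that gap.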
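The token splitting described in the comment above, as an added example that is not code from the PR or the workflow: the same two parameter expansions, plus the shape check and log masking the bare two-line version lacks. The token value, the function names and the `::add-mask::` handling are this example's own; only the `${var%%:*}` / `${var#*:}` expansions and the `export` requirement come from the PR.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or the workflow: split a Sonatype
# "username:password" token the way the Release step does, but refuse
# malformed values and mask the derived halves in Actions logs.

# Username = everything before the FIRST colon (%% removes the longest
# suffix matching ':*').
sonatype_token_user() {
  printf '%s' "${1%%:*}"
}

# Password = everything after the FIRST colon (# removes the shortest
# prefix matching '*:'), so a password that itself contains ':' is kept whole.
sonatype_token_pass() {
  printf '%s' "${1#*:}"
}

# Shape check: a colon must be present and both halves must be non-empty.
# Without a colon, both expansions above return the entire input, which the
# plain two-line version in the workflow would silently pass on to sbt.
sonatype_token_valid() {
  case "$1" in
    *:*) ;;          # colon present, fall through to the emptiness checks
    *) return 1 ;;   # no colon: not a username:password token
  esac
  [ -n "${1%%:*}" ] && [ -n "${1#*:}" ]
}

# Export SONATYPE_USERNAME / SONATYPE_PASSWORD for child processes such as sbt.
# Takes the token as $1, falling back to $SONATYPE_TOKEN. When running inside
# GitHub Actions (GITHUB_ACTIONS is set there), registers both halves with the
# ::add-mask:: workflow command, since Actions only redacts the exact secret
# value and not substrings derived from it.
export_sonatype_credentials() {
  token="${1:-${SONATYPE_TOKEN:-}}"
  if ! sonatype_token_valid "$token"; then
    echo "SONATYPE_TOKEN must be in username:password form" >&2
    return 1
  fi
  SONATYPE_USERNAME="$(sonatype_token_user "$token")"
  SONATYPE_PASSWORD="$(sonatype_token_pass "$token")"
  export SONATYPE_USERNAME SONATYPE_PASSWORD
  if [ -n "${GITHUB_ACTIONS:-}" ]; then
    echo "::add-mask::$SONATYPE_USERNAME"
    echo "::add-mask::$SONATYPE_PASSWORD"
  fi
}

# Demonstration with a constructed (fake) token; a real one comes from the
# SONATYPE_TOKEN secret. Only the username and the password length are shown.
if export_sonatype_credentials 'aBcD1234:w3ird:pa55'; then
  printf 'user=%s pass=<%d chars>\n' "$SONATYPE_USERNAME" "${#SONATYPE_PASSWORD}"
fi
```

In the workflow the `run:` step would call `export_sonatype_credentials` (or inline its body) immediately before `sbt "sonatypeBundleRelease"`, so a secret that was pasted without its colon fails the job with a readable message instead of a 401 from Sonatype.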
24 changes: 20 additions & 4 deletions docs/credentials/generating-credentials.md
@@ -3,9 +3,25 @@
Normally you'll be using [shared organisation-wide credentials](supplying-credentials.md),
but if you need to rotate those credentials, or just create some new ones for your organisation:

## Updating a Sonatype OSSRH user's password

See [Sonatype's instructions](https://central.sonatype.org/faq/ossrh-password/).
## Updating a Sonatype OSSRH Token username & password

As of [January 2024](https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests),
Sonatype is actively discouraging the legacy username & password method of authentication, recommending
[token authentication](https://central.sonatype.org/publish/generate-token/)
(see link for token-regenerating instructions).

Note these points:

* The token is in a colon:separated username/password format, and _both_ username & password are randomised & revocable
secret strings.
* Tokens generated on either https://oss.sonatype.org/ or https://s01.oss.sonatype.org/ will be _different_, and
**a token generated on one will not work on the other**. So, eg, if your `SONATYPE_CREDENTIAL_HOST` is `s01.oss.sonatype.org`,
you'll need to use a token _generated_ on `s01.oss.sonatype.org`. Remember that the `SONATYPE_CREDENTIAL_HOST` you
use is [dictated](https://github.com/xerial/sbt-sonatype/pull/461) by which Sonatype OSSRH server your **profile**
is hosted on.
**Guardian developers:** currently the Guardian's `com.gu` profile is hosted on `oss.sonatype.org`, so the token we
use must be generated [there](https://oss.sonatype.org/), logged in with the `guardian.automated.maven.release`
account.

## Generating a new PGP key

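Review bot: the new section stops at generating the token and never says where it goes, so the rotation procedure is incomplete; it should end with storing the new value in the `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN` organisation secret (the name this PR introduces in `supplying-credentials.md`) and deleting the now-unused `SONATYPE_PASSWORD` secret, which a one-line pointer to `supplying-credentials.md` after the bullet list would cover. Two small fixes in the same hunk: `colon:separated` in the first bullet should read `colon-separated`, and the heading `Updating a Sonatype OSSRH Token username & password` reads oddly because the token replaces the username/password pair; something like `Generating a Sonatype OSSRH user token` matches the linked Sonatype page better.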
@@ -26,4 +42,4 @@ See [GitHub's instructions](https://docs.github.com/en/apps/creating-github-apps
release workflow, see [Setting up the GitHub App](github-app.md) first.

**Guardian developers:** Here's a direct link to our GitHub App settings page, where you can generate a new private key:
https://github.com/organizations/guardian/settings/apps/gu-scala-library-release
https://github.com/organizations/guardian/settings/apps/gu-scala-library-release
2 changes: 1 addition & 1 deletion docs/credentials/supplying-credentials.md
@@ -20,7 +20,7 @@ has _access_ to those secrets.
to grant repos access to the necessary Organisation secrets - you need to raise a PR (like [this example PR](https://github.com/guardian/github-secret-access/pull/24))
which will grant access to these:

* `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD`
* `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN`
* `AUTOMATED_MAVEN_RELEASE_PGP_SECRET`
* `AUTOMATED_MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY`

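Review bot: renaming the secret is correct, but repos previously granted `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD` do not automatically receive `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN`, and nothing in this hunk tells existing consumers what to do; add a sentence saying they must raise a follow-up access PR for the new name (and check that the linked example PR still shows a grant for the new secret, or point at one that does), plus the caller-side mapping `SONATYPE_TOKEN: ${{ secrets.AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN }}`, otherwise their next release fails because the workflow now marks `SONATYPE_TOKEN` as a required secret.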