From 62bb1ebd59c8668798d21be9d7a98cdbf9a57ba0 Mon Sep 17 00:00:00 2001
From: Steve Ebersole
Date: Thu, 12 Dec 2024 09:43:53 -0600
Subject: [PATCH] [#1095] Sign the artifacts for Sonatype
---
 ci/release/Jenkinsfile | 6 +-
 ci/snapshot-publish.Jenkinsfile | 4 +-
 publish.gradle | 97 ++++++++++++++++++++++++++++-----
 3 files changed, 89 insertions(+), 18 deletions(-)
diff --git a/ci/release/Jenkinsfile b/ci/release/Jenkinsfile
index bb4315fb8..5fe408354 100644
--- a/ci/release/Jenkinsfile
+++ b/ci/release/Jenkinsfile
@@ -168,8 +168,8 @@ pipeline {
 withCredentials([
 usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'OSSRH_PASSWORD', usernameVariable: 'OSSRH_USER'),
 usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'PLUGIN_PORTAL_PASSWORD', usernameVariable: 'PLUGIN_PORTAL_USERNAME'),
- file(credentialsId: 'release.gpg.private-key', variable: 'RELEASE_GPG_PRIVATE_KEY_PATH'),
- string(credentialsId: 'release.gpg.passphrase', variable: 'RELEASE_GPG_PASSPHRASE')
+ file(credentialsId: 'release.gpg.private-key', variable: 'SIGNING_GPG_PRIVATE_KEY_PATH'),
+ string(credentialsId: 'release.gpg.passphrase', variable: 'SIGNING_GPG_PASSPHRASE')
 ]) {
 sshagent(['ed25519.Hibernate-CI.github.com', 'hibernate.filemgmt.jboss.org', 'hibernate-ci.frs.sourceforge.net']) {
 // set release version
@@ -202,7 +202,7 @@ pipeline {
 usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'OSSRH_PASSWORD', usernameVariable: 'OSSRH_USER'),
 usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'PLUGIN_PORTAL_PASSWORD', usernameVariable: 'PLUGIN_PORTAL_USERNAME'),
 file(credentialsId: 'release.gpg.private-key', variable: 'RELEASE_GPG_PRIVATE_KEY_PATH'),
- string(credentialsId: 'release.gpg.passphrase', variable: 'RELEASE_GPG_PASSPHRASE'),
+ string(credentialsId: 'release.gpg.passphrase', variable: 'RELEASE_GPG_PASSPHRASE')
 gitUsernamePassword(credentialsId: 'username-and-token.Hibernate-CI.github.com', gitToolName: 'Default')
 ]) {
 sshagent(['ed25519.Hibernate-CI.github.com', 'hibernate.filemgmt.jboss.org', 'hibernate-ci.frs.sourceforge.net']) {
diff --git a/ci/snapshot-publish.Jenkinsfile b/ci/snapshot-publish.Jenkinsfile
index c95f6663f..83fd95a4a 100644
--- a/ci/snapshot-publish.Jenkinsfile
+++ b/ci/snapshot-publish.Jenkinsfile
@@ -32,8 +32,8 @@ pipeline {
 steps {
 withCredentials([
 usernamePassword(credentialsId: 'ossrh.sonatype.org', usernameVariable: 'hibernatePublishUsername', passwordVariable: 'hibernatePublishPassword'),
- string(credentialsId: 'release.gpg.passphrase', variable: 'SIGNING_PASS'),
- file(credentialsId: 'release.gpg.private-key', variable: 'SIGNING_KEYRING')
+ file(credentialsId: 'release.gpg.private-key', variable: 'SIGNING_GPG_PRIVATE_KEY_PATH'),
+ string(credentialsId: 'release.gpg.passphrase', variable: 'SIGNING_GPG_PASSPHRASE')
 ]) {
 sh '''./gradlew clean publish \
 -PhibernatePublishUsername=$hibernatePublishUsername \
diff --git a/publish.gradle b/publish.gradle
index 3c48e1298..39e0e16b2 100644
--- a/publish.gradle
+++ b/publish.gradle
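Review bot: In the `@@ -202,7 +202,7 @@` hunk of ci/release/Jenkinsfile, dropping the trailing comma after `string(credentialsId: 'release.gpg.passphrase', variable: 'RELEASE_GPG_PASSPHRASE')` leaves that entry directly followed by `gitUsernamePassword(...)` inside the `withCredentials([...])` list, which will most likely stop the Jenkinsfile from parsing; the comma needs to stay. This block also still binds `RELEASE_GPG_PRIVATE_KEY_PATH` and `RELEASE_GPG_PASSPHRASE`, while the first `withCredentials` block in the same file and the new `resolveSigningKey()` / `resolveSigningPassphrase()` in publish.gradle use the `SIGNING_GPG_*` names. If the stage guarded here runs a Gradle publish or sign task (its body is outside the hunk), it would stop with "Cannot perform signing without GPG details." The lines I would expect are `file(credentialsId: 'release.gpg.private-key', variable: 'SIGNING_GPG_PRIVATE_KEY_PATH'),` and `string(credentialsId: 'release.gpg.passphrase', variable: 'SIGNING_GPG_PASSPHRASE'),`.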
@@ -1,13 +1,14 @@ +apply plugin: 'java' apply plugin: 'maven-publish' +apply plugin: 'signing' -tasks.register( 'sourcesJar', Jar ) { - from sourceSets.main.allJava - archiveClassifier = 'sources' -} +// Java / publishing -tasks.register( 'javadocJar', Jar ) { - from javadoc - archiveClassifier = 'javadoc' +java { + // include javadoc and sources jar in the Java component + // - classes jar included by default + withJavadocJar() + withSourcesJar() } jar { @@ -35,14 +36,9 @@ javadoc { publishing { publications { - logger.lifecycle "Publishing groupId: '" + project.group + "', version: '" + project.version + "'" - publishedArtifacts(MavenPublication) { - groupId = project.group - version = project.version from components.java - artifact sourcesJar - artifact javadocJar + pom { name = project.mavenPomName description = project.description 
@@ -80,3 +76,78 @@ publishing {
 }
 }
 }
+
+
+// signing
+
+var signingExtension = project.getExtensions().getByType(SigningExtension) as SigningExtension
+
+// create a `signPublications` "grouping" task which will execute all Sign tasks
+def signPublicationsTask = tasks.register('signPublications')
+tasks.named( "publishPublishedArtifactsPublicationToSonatypeRepository" ) {
+ dependsOn signPublicationsTask
+}
+
+gradle.taskGraph.whenReady { TaskExecutionGraph graph ->
+ boolean wasSigningRequested = false
+ boolean wasPublishingRequested = false
+ List signingTasks = []
+
+ graph.allTasks.each {task ->
+ logger.lifecycle( "Checking task : $task" )
+ if ( task instanceof Sign ) {
+ logger.lifecycle( " - Task is Sign" )
+ signingTasks.add( task )
+ wasSigningRequested = true
+ }
+ else if ( task instanceof PublishToMavenRepository ) {
+ logger.lifecycle( " - Task is PublishToMavenRepository" )
+ wasPublishingRequested = true
+ }
+ }
+
+ if ( wasPublishingRequested ) {
+ logger.lifecycle "Publishing groupId: '" + project.group + "', version: '" + project.version + "'"
+ }
+
+ if ( wasSigningRequested || wasPublishingRequested ) {
+ // signing was explicitly requested and/or we are publishing to Sonatype OSSRH
+ // - we need the signing to happen
+ signingExtension.required = true
+
+ var signingKey = resolveSigningKey()
+ var signingPassword = resolveSigningPassphrase()
+ signingExtension.useInMemoryPgpKeys( signingKey, signingPassword )
+ signingExtension.sign publishing.publications.publishedArtifacts
+
+ signPublicationsTask.get().dependsOn( signingTasks )
+ }
+ else {
+ // signing was not explicitly requested and we are not publishing to OSSRH,
+ // - disable all Sign tasks
+ signingTasks.each { enabled = false }
+ }
+}
+
+
+static String resolveSigningKey() {
+ var key = System.getenv().get( "SIGNING_GPG_PRIVATE_KEY" )
+ if ( key != null ) {
+ return key
+ }
+
+ var keyFile = System.getenv().get( "SIGNING_GPG_PRIVATE_KEY_PATH" )
+ if ( keyFile != null ) {
+ return new File( keyFile ).text
+ }
+
+ throw new RuntimeException( "Cannot perform signing without GPG details." )
+}
+
+static String resolveSigningPassphrase() {
+ var passphrase = System.getenv().get( "SIGNING_GPG_PASSPHRASE" )
+ if ( passphrase == null ) {
+ throw new RuntimeException( "Cannot perform signing without GPG details." )
+ }
+ return passphrase
+}
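Review bot: `signingExtension.sign publishing.publications.publishedArtifacts` and `signPublicationsTask.get().dependsOn( signingTasks )` are called inside `gradle.taskGraph.whenReady`, which runs after the execution graph has been computed, so Sign tasks created or wired there are probably too late to run before `publishPublishedArtifactsPublicationToSonatypeRepository`. As written, publishing may proceed without signatures, or be rejected by the repository rather than failing in the build. Consider calling `sign` at configuration time and keeping only `signingExtension.required = true` and `useInMemoryPgpKeys( ... )` in the callback, then confirming that `.asc` files are actually produced. The `else` branch can only ever see an empty `signingTasks` list, and `enabled` there is not qualified with `it` (`signingTasks.each { it.enabled = false }`). The two `RuntimeException` messages would be easier to act on if each named the environment variable that is missing, and the per-task `logger.lifecycle` lines read like leftover debugging better suited to `logger.debug`.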