Skip to content

Commit

Permalink
[#2027] Use env-vars for passing secrets used during release
Browse files Browse the repository at this point in the history
  • Loading branch information
sebersole committed Dec 12, 2024
1 parent 62bb1eb commit 8a4c959
Show file tree
Hide file tree
Showing 4 changed files with 72 additions and 58 deletions.
18 changes: 2 additions & 16 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -12,15 +12,6 @@ group = "org.hibernate.reactive"
// leverage the ProjectVersion which comes from the `local.versions` plugin
version = project.projectVersion.fullName

ext {
if ( !project.hasProperty( 'hibernatePublishUsername' ) ) {
hibernatePublishUsername = null
}
if ( !project.hasProperty( 'hibernatePublishPassword' ) ) {
hibernatePublishPassword = null
}
}

// Versions which need to be aligned across modules; this also
// allows overriding the build using a parameter, which can be
// useful to monitor compatibility for upcoming versions on CI:
Expand All @@ -39,15 +30,10 @@ ext {
logger.lifecycle "Vert.x SQL Client Version: " + project.vertxSqlClientVersion
}

// To release, see task ciRelease in release/build.gradle
// To publish on Sonatype (Maven Central):
// ./gradlew publishToSonatype closeAndReleaseStagingRepository -PhibernatePublishUsername="<YOUR USERNAME>" -PhibernatePublishPassword="<YOUR PASSWORD>"
// Publishing to Sonatype (Maven Central):
nexusPublishing {
repositories {
sonatype {
username = project.hibernatePublishUsername
password = project.hibernatePublishPassword
}
sonatype()
}
}

Expand Down
38 changes: 16 additions & 22 deletions ci/release/Jenkinsfile
Original file line number Diff line number Diff line change
Expand Up @@ -165,24 +165,18 @@ pipeline {
configFile(fileId: 'release.config.ssh', targetLocation: "${env.HOME}/.ssh/config"),
configFile(fileId: 'release.config.ssh.knownhosts', targetLocation: "${env.HOME}/.ssh/known_hosts")
]) {
withCredentials([
usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'OSSRH_PASSWORD', usernameVariable: 'OSSRH_USER'),
usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'PLUGIN_PORTAL_PASSWORD', usernameVariable: 'PLUGIN_PORTAL_USERNAME'),
file(credentialsId: 'release.gpg.private-key', variable: 'SIGNING_GPG_PRIVATE_KEY_PATH'),
string(credentialsId: 'release.gpg.passphrase', variable: 'SIGNING_GPG_PASSPHRASE')
]) {
sshagent(['ed25519.Hibernate-CI.github.com', 'hibernate.filemgmt.jboss.org', 'hibernate-ci.frs.sourceforge.net']) {
// set release version
// update changelog from JIRA
// tags the version
// changes the version to the provided development version
withEnv([
"BRANCH=${env.GIT_BRANCH}",
// Increase the amount of memory for this part since asciidoctor doc rendering consumes a lot of metaspace
"GRADLE_OPTS=-Dorg.gradle.jvmargs='-Dlog4j2.disableJmx -Xmx4g -XX:MaxMetaspaceSize=768m -XX:+HeapDumpOnOutOfMemoryError -Duser.language=en -Duser.country=US -Duser.timezone=UTC -Dfile.encoding=UTF-8'"
]) {
sh ".release/scripts/prepare-release.sh ${env.PROJECT} ${env.RELEASE_VERSION} ${env.DEVELOPMENT_VERSION}"
}

sshagent(['ed25519.Hibernate-CI.github.com', 'hibernate.filemgmt.jboss.org', 'hibernate-ci.frs.sourceforge.net']) {
// set release version
// update changelog from JIRA
// tags the version
// changes the version to the provided development version
withEnv([
"BRANCH=${env.GIT_BRANCH}",
// Increase the amount of memory for this part since asciidoctor doc rendering consumes a lot of metaspace
"GRADLE_OPTS=-Dorg.gradle.jvmargs='-Dlog4j2.disableJmx -Xmx4g -XX:MaxMetaspaceSize=768m -XX:+HeapDumpOnOutOfMemoryError -Duser.language=en -Duser.country=US -Duser.timezone=UTC -Dfile.encoding=UTF-8'"
]) {
sh ".release/scripts/prepare-release.sh ${env.PROJECT} ${env.RELEASE_VERSION} ${env.DEVELOPMENT_VERSION}"
}
}
}
Expand All @@ -199,10 +193,10 @@ pipeline {
configFile(fileId: 'release.config.ssh.knownhosts', targetLocation: "${env.HOME}/.ssh/known_hosts")
]) {
withCredentials([
usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'OSSRH_PASSWORD', usernameVariable: 'OSSRH_USER'),
usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'PLUGIN_PORTAL_PASSWORD', usernameVariable: 'PLUGIN_PORTAL_USERNAME'),
file(credentialsId: 'release.gpg.private-key', variable: 'RELEASE_GPG_PRIVATE_KEY_PATH'),
string(credentialsId: 'release.gpg.passphrase', variable: 'RELEASE_GPG_PASSPHRASE')
// https://github.com/gradle-nexus/publish-plugin#publishing-to-maven-central-via-sonatype-ossrh
usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'ORG_GRADLE_PROJECT_sonatypePassword', usernameVariable: 'ORG_GRADLE_PROJECT_sonatypeUsername'),
file(credentialsId: 'release.gpg.private-key', variable: 'SIGNING_GPG_PRIVATE_KEY_PATH'),
string(credentialsId: 'release.gpg.passphrase', variable: 'SIGNING_GPG_PASSPHRASE')
gitUsernamePassword(credentialsId: 'username-and-token.Hibernate-CI.github.com', gitToolName: 'Default')
]) {
sshagent(['ed25519.Hibernate-CI.github.com', 'hibernate.filemgmt.jboss.org', 'hibernate-ci.frs.sourceforge.net']) {
Expand Down
9 changes: 3 additions & 6 deletions ci/snapshot-publish.Jenkinsfile
Original file line number Diff line number Diff line change
Expand Up @@ -31,15 +31,12 @@ pipeline {
stage('Publish') {
steps {
withCredentials([
usernamePassword(credentialsId: 'ossrh.sonatype.org', usernameVariable: 'hibernatePublishUsername', passwordVariable: 'hibernatePublishPassword'),
// https://github.com/gradle-nexus/publish-plugin#publishing-to-maven-central-via-sonatype-ossrh
usernamePassword(credentialsId: 'ossrh.sonatype.org', usernameVariable: 'ORG_GRADLE_PROJECT_sonatypeUsername', passwordVariable: 'ORG_GRADLE_PROJECT_sonatypePassword'),
file(credentialsId: 'release.gpg.private-key', variable: 'SIGNING_GPG_PRIVATE_KEY_PATH'),
string(credentialsId: 'release.gpg.passphrase', variable: 'SIGNING_GPG_PASSPHRASE')
]) {
sh '''./gradlew clean publish \
-PhibernatePublishUsername=$hibernatePublishUsername \
-PhibernatePublishPassword=$hibernatePublishPassword \
--no-scan \
'''
sh "./gradlew clean publish --no-scan"
}
}
}
Expand Down
65 changes: 51 additions & 14 deletions publish.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,8 @@ apply plugin: 'signing'
// Java / publishing

java {
// include javadoc and sources jar in the Java component
// - classes jar included by default
// Configure the Java "software component" to include javadoc and sources jars in addition to the classes jar.
// Ultimately, this component is what makes up the publication for this project.
withJavadocJar()
withSourcesJar()
}
Expand Down Expand Up @@ -36,7 +36,7 @@ javadoc {

publishing {
publications {
publishedArtifacts(MavenPublication) {
register( "publishedArtifacts", MavenPublication) {
from components.java

pom {
Expand Down Expand Up @@ -78,35 +78,39 @@ publishing {
}


// signing
// Signing

var signingExtension = project.getExtensions().getByType(SigningExtension) as SigningExtension

// create a `signPublications` "grouping" task which will execute all Sign tasks
def signPublicationsTask = tasks.register('signPublications')
def signPublicationsTask = tasks.register('signPublications') {
description "Grouping task which executes all Sign tasks"
dependsOn tasks.withType( Sign )
}

tasks.named( "publishPublishedArtifactsPublicationToSonatypeRepository" ) {
// publishing depends on signing
dependsOn signPublicationsTask
}

gradle.taskGraph.whenReady { TaskExecutionGraph graph ->
boolean wasSigningRequested = false
boolean wasPublishingRequested = false
List<Sign> signingTasks = []

graph.allTasks.each {task ->
logger.lifecycle( "Checking task : $task" )
if ( task instanceof Sign ) {
logger.lifecycle( " - Task is Sign" )
signingTasks.add( task )
wasSigningRequested = true
}
else if ( task instanceof PublishToMavenRepository ) {
logger.lifecycle( " - Task is PublishToMavenRepository" )
wasPublishingRequested = true
}
}

if ( wasPublishingRequested ) {
def publishUser = resolvePublishUser()
def publishPass = resolvePublishPass()
if ( publishUser == null || publishPass == null ) {
throw new RuntimeException( "Cannot perform publishing to OSSRH without credentials." )
}
logger.lifecycle "Publishing groupId: '" + project.group + "', version: '" + project.version + "'"
}

Expand All @@ -119,14 +123,47 @@ gradle.taskGraph.whenReady { TaskExecutionGraph graph ->
var signingPassword = resolveSigningPassphrase()
signingExtension.useInMemoryPgpKeys( signingKey, signingPassword )
signingExtension.sign publishing.publications.publishedArtifacts

signPublicationsTask.get().dependsOn( signingTasks )
}
else {
// signing was not explicitly requested and we are not publishing to OSSRH,
// - disable all Sign tasks
signingTasks.each { enabled = false }
tasks.withType( Sign ).each { enabled = false }
}
}

String resolvePublishUser() {
var envVar = System.getenv().get( "ORG_GRADLE_PROJECT_sonatypeUsername" )
if ( envVar != null ) {
return envVar
}

def projectProp = projectPropOrNull( "sonatypeUsername" )
if ( projectProp != null ) {
return projectProp
}

return null
}

String resolvePublishPass() {
var envVar = System.getenv().get( "ORG_GRADLE_PROJECT_sonatypePassword" )
if ( envVar != null ) {
return envVar
}

def projectProp = projectPropOrNull( "sonatypePassword" )
if ( projectProp != null ) {
return projectProp
}

return null
}

String projectPropOrNull(String name) {
if ( project.hasProperty( name ) ) {
return project.findProperty( name )
}
return null;
}


Expand Down

0 comments on commit 8a4c959

Please sign in to comment.