Explicitly switch to Sonatype token authentication

As of January 2024, Sonatype is actively discouraging the legacy username & password method of authentication, recommending token authentication instead: * https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests * https://central.sonatype.org/publish/generate-token/ In this new scheme, the token is still split into a username/password format, and both are randomised strings, making the username portion a meaningful secret (ie one that can be revoked) and so worthy of being treated as a secret. Consequently, in this change username is now a GitHub workflow 'secret' parameter, rather than a simple input.
guardian · Jan 18, 2024 · 69174f1 · 69174f1
1 parent 58cfc06
commit 69174f1
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 14 deletions.
diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
@@ -13,14 +13,9 @@ on:
         default: 'oss.sonatype.org' # The default host is going to be whatever "com.gu" is using
         required: false # ...but if you're not the Guardian, you'll want to set this explicitly
         type: string
-      SONATYPE_USERNAME:
-        description: 'Sonatype username'
-        default: 'guardian.automated.maven.release' # Only for use by the Guardian!
-        required: false # Must be supplied if used by a non-Guardian project
-        type: string
     secrets:
-      SONATYPE_PASSWORD:
-        description: 'Password for the SONATYPE_USERNAME account - used to authenticate when uploading artifacts'
+      SONATYPE_TOKEN:
+        description: 'Sonatype authentication token, colon-separated (username:password) - https://central.sonatype.org/publish/generate-token/'
         required: true
       PGP_PRIVATE_KEY:
         description:
@@ -328,9 +323,10 @@ jobs:
           cache: sbt # the issue described in https://github.com/actions/setup-java/pull/564 doesn't affect this step (no version.sbt)
       - name: Release
         env:
-          SONATYPE_USERNAME: ${{ inputs.SONATYPE_USERNAME }}
-          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
-        run: |
+          SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
+        run:
+          SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}" # See https://github.com/xerial/sbt-sonatype/pull/62
+          SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"
           sbt "sonatypeBundleRelease"
 
   github-release:

diff --git a/docs/credentials/generating-credentials.md b/docs/credentials/generating-credentials.md
@@ -16,6 +16,22 @@ should be plaintext, not BASE64-encoded.
 gpg --armor --export-secret-key [insert key fingerprint here] | pbcopy
 ```
 
-## Updating a Sonatype OSSRH user's password
+## Updating a Sonatype OSSRH Token username & password
 
-See [Sonatype's instructions](https://central.sonatype.org/faq/ossrh-password/).
+As of [January 2024](https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests),
+Sonatype is actively discouraging the legacy username & password method of authentication, recommending
+[token authentication](https://central.sonatype.org/publish/generate-token/)
+(see link for token-regenerating instructions).
+
+Note these points:
+
+* The token is in a colon:separated username/password format, and _both_ username & password are randomised & revocable
+  secret strings.
+* Tokens generated on either https://oss.sonatype.org/ or https://s01.oss.sonatype.org/ will be _different_, and
+  **a token generated on one will not work on the other**. So, eg, if your `SONATYPE_CREDENTIAL_HOST` is `s01.oss.sonatype.org`,
+  you'll need to use a token _generated_ on `s01.oss.sonatype.org`. Remember that the `SONATYPE_CREDENTIAL_HOST` you
+  use is [dictated](https://github.com/xerial/sbt-sonatype/pull/461) by which Sonatype OSSRH server your **profile**
+  is hosted on.  
+  **Guardian developers:** currently the Guardian's `com.gu` profile is hosted on `oss.sonatype.org`, so the token we
+  use must be generated [there](https://s01.oss.sonatype.org/), logged in with the `guardian.automated.maven.release`
+  account.
diff --git a/docs/credentials/supplying-credentials.md b/docs/credentials/supplying-credentials.md
@@ -14,8 +14,13 @@ has _access_ to those secrets.
 ### Guardian-specific access
 
 **Guardian developers:** We use [`guardian/github-secret-access`](https://github.com/guardian/github-secret-access)
-to grant repos access to the `AUTOMATED_MAVEN_RELEASE_PGP_SECRET` & `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD`
-secrets - you need to raise a PR there (like [this example PR](https://github.com/guardian/github-secret-access/pull/24))
+to grant repos access to these secrets:
+
+* `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN`
+* `AUTOMATED_MAVEN_RELEASE_PGP_SECRET`
+
+You need to raise a PR on the `guardian/github-secret-access` repo (like
+[this example PR](https://github.com/guardian/github-secret-access/pull/24))
 to grant your repo access to the organisation-wide secrets.
 
 ### Generating new credentials