GHA Snapshot publishing

[aSemy]

Publish a snapshot version to Sonatype on every successful build on master branch.

Fixes #910

This requires setting GitHub secrets - see .github/workflows/publish.yml

I'm marking this as a draft as I'm not sure if the GHA is defined correctly, particularly the Gradle variables - the periods might need to be removed from signing.keyId etc. I've renamed the variables:

• signing.keyId -> signingKeyId
• signing.password -> signingPassword
• signing.secretKeyRingFile -> signingSecretKeyRingFile

[Raibaz]

Thanks!

A couple of notes: according to this doc, i guess you're right and periods need to be removed.

Also, apparently I cannot set the secrets in the repo, so I'm afraid we need to summon @oleksiyp

[aSemy]

The Gradle secrets ${{ secrets.GRADLE_SIGNING_KEY_ID }} can't have periods, but what about the environment variables they're assigned to? ORG_GRADLE_PROJECT_signing.key? For simplicity I'll rename the environment variables to match.

[luongvo]

@Raibaz Could you please resume reviewing this soon? 👋

[Raibaz]

PR LGTM, but I can't set the secrets :(

[oleksiyp]

Do you need my help?

[oleksiyp]

Please check this guide https://central.sonatype.org/publish/publish-gradle/.
I have doubts that this is right URL.
I will try to deal with required secrets and set them in GH settings:

• secrets.GRADLE_SIGNING_KEY_ID
• secrets.GRADLE_SIGNING_PASSWORD
• secrets.GRADLE_SIGNING_SECRET_KEY_RING_FILE
• secrets.OSS_SONATYPE_USERNAME
• secrets.OSS_SONATYPE_PASSWORD

[aSemy]

Thanks @oleksiyp!

Would you consider granting @Raibaz co-ownership? Then he could also manage the secrets.

I have doubts that this is right URL.

MockK was published before 2021 so still uses the 'legacy host', but the docs mostly use the new URLs.

Note: As of February 2021, all new projects began being provisioned on https://s01.oss.sonatype.org/. If your project is not provisioned on https://s01.oss.sonatype.org/, you will want to reference the legacy host https://oss.sonatype.org/.

The current MockK config uses the same URL and it works okay

mockk/buildSrc/src/main/kotlin/buildsrc/convention/mockk-publishing.gradle.kts

Lines 15 to 21 in 1419517

	val sonatypeRepositoryReleaseUrl: Provider<String> = provider {
	if (version.toString().endsWith("SNAPSHOT")) {
	"https://oss.sonatype.org/content/repositories/snapshots/"
	} else {
	"https://oss.sonatype.org/service/local/staging/deploy/maven2/"
	}
	}

[oleksiyp]

Not sure you will need other secrets... and not sure you need them for something else... security is always compromise of comfort. So no 😄 but remember that I am still alive and happy to help 😄

[oleksiyp]

Afterall if @Raibaz feels that more access is required happy to understand the reasoning and cooperate.

There is a bigger issue where to spend $4k on https://opencollective.com/mockk. Previously I thought it was too small an amount to spend paying contributors... but now it is not that obvious

[Raibaz]

I'm perfectly fine with the access I have now, I don't think I need more :)

After all, this should be a one-shot operation and we should be ok with secrets now, I don't think I'll need access to change them anytime soon.

[oleksiyp]

@Raibaz @aSemy

I added a few secrets

Please note there is no way to delimit release access and snapshot access... so this is my creds. I ask you to be careful with build scripts PR review so that nobody does "echo $KEY" stuff. I believe it should be protected somehow, but I never tried to use such a hack in GH actions. In Jenkins such a hack is easy peasy, to be honest

Also, @aSemy, note that local run suppose you have a file with keyring, while I cannot import binary files into GH action secret field.
So you will need to adopt "import to gpg" somehow

- name: Configure GPG Key
  run: |
    echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import
  env:
    GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}

https://stackoverflow.com/questions/61096521/how-to-use-gpg-key-in-github-actions

Especially for that purpose name secret is a "signing key", and not a "signing key ring file".
You may count that the private signing key unencrypted in PEM format is stored there.
The same reason "password" is not set, coz anyway you would need first to import to gpg.

Also, note I am going to go to Paris tomorrow and will not have access to the laptop where the original key is stored. GH does not allow to read values as well, so hope what I set is enough.

Feel free to ask any questions.

[aSemy]

thanks @oleksiyp, I will take a look! I think there's a way of 'mounting' a GitHub Secret as a file...

There are a number of protections for GitHub Secrets, but there's a couple more that could be done

• prevent PRs from creating/approving PRs
• Require that any PR that edits a GitHub Workflow must be reviewed and approved by CODEOWNERS

These require configuration at the project and/or org level, so it's up to you to implement them @oleksiyp :)

[Raibaz]

Thanks a lot @oleksiyp!

I think once we put in place the two protections that @aSemy suggested we should be fine.

[Raibaz]

@aSemy do you happen to have any updates on this?

[aSemy]

@Raibaz Thanks for the reminder, I'll pick this up again, hopefully by the end of the week. Since I last looked at this I set up automatic publishing for one of my libraries, so I've got a better idea of how things work now.

[aSemy]

@Raibaz as far as I can tell, this PR should be ready to go. Because I don't have access to the secrets or Sonatype Nexus I can't tell if it will work though, and I also won't be able to debug it. I think it's best if you or @oleksiyp pick it up, since you'll be able to more easily see what's going on. It might take some more tweaking. If there's any problems, then let me know and I can try and help out.