
Explicitly switch to Sonatype token authentication #23

Merged
merged 1 commit into from
Jun 20, 2024

Conversation

rtyley

@rtyley rtyley commented Jan 16, 2024

This PR fixes #39, updating gha-scala-library-release-workflow to take a single colon-separated composite API token (username:password) for auth, rather than the old Nexus UI username & password combination, which is now rejected by Sonatype.

Changes required to repos using gha-scala-library-release-workflow

All repos need to update their .github/workflows/release.yml to use the workflow's new SONATYPE_TOKEN parameter (the old SONATYPE_PASSWORD parameter has been dropped):

Before

```yaml
SONATYPE_PASSWORD: ${{ secrets.AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD }}
```

After

```yaml
SONATYPE_TOKEN: ${{ secrets.AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN }}
```

Updating many projects at once

As in #36, it was possible to update many of the ~30 projects using gha-scala-library-release-workflow using a switch-release-yml-to-token-auth.sh script that I hammered together:

```shell
cd ~/code/github-secret-access ; grep MAVEN_RELEASE_CREDENTIALS access.ts | grep ": "  | cut -d'"' -f2  > ../release-repos.txt

./switch-release-yml-to-token-auth.sh release-repos.txt
```

Testing

An example of a successful release with this change (at commit 23a148a) is:

https://github.com/guardian/etag-caching/actions/runs/9588801840

See also

rtyley added a commit to rtyley/sample-project-using-gha-scala-library-release-workflow that referenced this pull request Jan 16, 2024
@rtyley rtyley force-pushed the use-sonatype-token-rather-than-username-password-auth branch 5 times, most recently from 69174f1 to 8bd424a on January 18, 2024 12:31
rtyley added a commit to guardian/etag-caching that referenced this pull request Jan 18, 2024
@rtyley rtyley force-pushed the use-sonatype-token-rather-than-username-password-auth branch 3 times, most recently from a9d0967 to 8663357 on January 23, 2024 16:09
@rtyley rtyley force-pushed the use-sonatype-token-rather-than-username-password-auth branch from 8663357 to 10a173c on June 19, 2024 16:21
rtyley added a commit to guardian/etag-caching that referenced this pull request Jun 19, 2024
@rtyley rtyley force-pushed the use-sonatype-token-rather-than-username-password-auth branch 2 times, most recently from 2aa00e8 to 3cf313f on June 19, 2024 21:57
Token auth is now mandatory:

xerial/sbt-sonatype#464 (comment)

In January 2024, Sonatype started actively discouraging the legacy
username & password method of authentication, recommending token
authentication instead:

* https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests
* https://central.sonatype.org/publish/generate-token/

In this new scheme, the token is still split into a username/password
format, and both are randomised strings, making the username portion
a meaningful secret (i.e. one that can be revoked) and so worthy of being
treated as a secret.
@rtyley rtyley force-pushed the use-sonatype-token-rather-than-username-password-auth branch from 3cf313f to 23a148a on June 19, 2024 22:25
Comment on lines +416 to +417

```bash
export SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}" # See https://github.com/xerial/sbt-sonatype/pull/62
export SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"
```

@rtyley rtyley Jun 19, 2024


These two lines (using Bash shell parameter expansion to chop the user:pass token string into user & pass) will no longer be necessary if xerial/sbt-sonatype#464 is merged & released.

Note that export is crucial here: without it, sbt "sonatypeBundleRelease" doesn't receive the SONATYPE_USERNAME & SONATYPE_PASSWORD. This is because exported variables get passed on to child processes and non-exported variables do not, and sbt runs as a child process.
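As an added example (not code from gha-scala-library-release-workflow or sbt-sonatype), here is the same parameter-expansion split wrapped in a function that rejects malformed tokens, keeps any colons in the password half, and shows what a child process (where sbt runs) sees with and without `export`. The token value, the function names and the `GITHUB_ACTIONS`-gated masking step are constructed for illustration.

```shell
#!/bin/sh
# Added example: split a composite "username:password" Sonatype token with
# POSIX parameter expansion, export both halves, and demonstrate why `export`
# matters for child processes such as sbt. Not code from the workflow repo.
set -eu

# Split "$1" into SONATYPE_USERNAME / SONATYPE_PASSWORD and export both.
# Only the FIRST colon is the separator, so a password containing ':' survives.
# Returns non-zero (exporting nothing) when the token is malformed.
split_sonatype_token() {
  token="$1"
  case "$token" in
    *:*) ;;                                   # at least one colon: OK
    *) echo "token must be username:password" >&2; return 1 ;;
  esac
  user="${token%%:*}"                          # drop from the first ':' to the end
  pass="${token#*:}"                           # drop up to and including the first ':'
  if [ -z "$user" ] || [ -z "$pass" ]; then
    echo "token has an empty username or password" >&2; return 1
  fi
  # Both halves are randomised, revocable credentials. GitHub only masks the
  # exact registered secret in logs, not substrings derived from it, so mask
  # each half explicitly when running inside Actions (constructed convention).
  if [ -n "${GITHUB_ACTIONS:-}" ]; then
    echo "::add-mask::$user"; echo "::add-mask::$pass"
  fi
  export SONATYPE_USERNAME="$user" SONATYPE_PASSWORD="$pass"
}

# Report what a freshly spawned child process sees for variable name "$1".
child_sees() { sh -c "printf '%s' \"\${$1:-<unset>}\""; }

# Constructed sample token: the password half deliberately contains colons.
SAMPLE_TOKEN='a1b2c3d4:s3cr3t/with:colons=='

split_sonatype_token "$SAMPLE_TOKEN"
UNEXPORTED_PASSWORD="$SONATYPE_PASSWORD"       # assigned in this shell but NOT exported
echo "username seen by child:       $(child_sees SONATYPE_USERNAME)"
echo "password seen by child:       $(child_sees SONATYPE_PASSWORD)"
echo "unexported var seen by child: $(child_sees UNEXPORTED_PASSWORD)"
```

Running it shows the exported halves reaching the child while the unexported copy reads `<unset>`, which is exactly the failure mode the comment above describes for sbt.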

* `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD`
* `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN`

rtyley added a commit to guardian/etag-caching that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/etag-caching that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/etag-caching that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/identity-test-users that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/atom-maker that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/commercial-shared that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/content-api-models that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/content-atom that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/content-api-client-aws that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/content-api-firehose-client that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/content-api-scala-client that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/play-secret-rotation that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/redirect-resolver that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/scrooge-extras that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/tags-thrift-schema that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/targeting-client that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/thrift-serializer that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/guardian-configuration that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/janus-app that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/mobile-logstash-encoder that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/mobile-n10n that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/pan-domain-authentication that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/simple-configuration that referenced this pull request Jun 20, 2024
rtyley added a commit to guardian/source-apps that referenced this pull request Jun 20, 2024
@rtyley rtyley marked this pull request as ready for review June 20, 2024 08:07
@rtyley rtyley requested a review from waisingyiu June 20, 2024 08:07

@waisingyiu waisingyiu left a comment


Great work, thank you Roberto!

@rtyley rtyley merged commit 59122ef into main Jun 20, 2024
rtyley added a commit to rtyley/sample-project-using-gha-scala-library-release-workflow that referenced this pull request Jun 26, 2024
rtyley added a commit to rtyley/sample-project-using-gha-scala-library-release-workflow that referenced this pull request Jun 26, 2024
rtyley added a commit to scanamo/scanamo that referenced this pull request Jun 26, 2024
Successfully merging this pull request may close these issues.

Sonatype release API auth now requires API token, rejects Nexus UI username & password