Rework publishing to Maven Central

Gradle 8.x changed how tasks in buildSrc are evaluated. Thus, move back to plain Gradle properties to provide SonaType credentials to the build. Set those properties via environment variables in GitHub Actions. With this change, the entire `buildSrc/` folder and the file `scripts/publish` became obsolete. While at it, merge two GitHub security-related pipelines. See https://docs.gradle.org/current/userguide/build_environment.html
saschpe · Sep 7, 2023 · 743d4f2 · 743d4f2
1 parent 53949ee
commit 743d4f2
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 99 deletions.
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -40,9 +40,10 @@ jobs:
     if: github.ref == 'refs/heads/main'
     environment: Sonatype
     env:
+      ORG_GRADLE_PROJECT_sonatypePass: ${{ secrets.SONATYPE_API_KEY }}
+      ORG_GRADLE_PROJECT_sonatypeUser: ${{ secrets.SONATYPE_USER }}
       SONATYPE_GPG_KEY: ${{ secrets.SONATYPE_GPG_KEY }}
       SONATYPE_GPG_KEY_PASSWORD: ${{ secrets.SONATYPE_GPG_KEY_PASSWORD }}
-      SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
     steps:
       - uses: actions/checkout@v4
       - name: Set up JDK 17
@@ -56,7 +57,4 @@ jobs:
           name: kase64_build
       - name: Publish to Sonatype (Maven Central)
         shell: bash
-        run: |
-          brew install gnupg
-          ./scripts/secret decrypt --password ${SECRETS_KEY}
-          ./scripts/publish
+        run: ./scripts/publish
diff --git a/.github/workflows/mobsf.yml → .github/workflows/security.yml b/.github/workflows/mobsf.yml → .github/workflows/security.yml
@@ -1,8 +1,8 @@
-name: MobSF
+name: Security
 on: [push]
 
 jobs:
-  mobile-security:
+  mobfs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
@@ -20,4 +20,10 @@ jobs:
       - name: Upload mobsfscan report
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: results.sarif
+          sarif_file: results.sarif
+
+  gradle-validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: gradle/wrapper-validation-action@v1
diff --git a/kase64/build.gradle.kts b/kase64/build.gradle.kts
@@ -88,14 +88,16 @@ publishing {
         }
     }
 
-    repositories {
-        maven {
-            name = "sonatype"
-            credentials {
-                username = Secrets.Sonatype.user
-                password = Secrets.Sonatype.apiKey
+    if (hasProperty("sonatypeUser") && hasProperty("sonatypePass")) {
+        repositories {
+            maven {
+                name = "sonatype"
+                credentials {
+                    username = property("sonatypeUser") as String
+                    password = property("sonatypePass") as String
+                }
+                url = uri("https://oss.sonatype.org/service/local/staging/deploy/maven2")
             }
-            url = uri("https://oss.sonatype.org/service/local/staging/deploy/maven2")
         }
     }
 }

diff --git a/scripts/publish b/scripts/publish
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Script to publish libary in case a release commit is discovered
+# Script to publish a library in case a release commit is discovered
 #
 
 SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)

diff --git a/scripts/secret b/scripts/secret