From 1919efdafb8cada1bcae20331fc9eba0c46a6f10 Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 13:47:08 +0200 Subject: [PATCH 01/26] use manual GPG configuration --- .github/workflows/maven-release.yml | 47 ++++++++++++++++++++++------- 1 file changed, 36 insertions(+), 11 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 775df4a..ebc0c80 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -15,9 +15,33 @@ jobs: with: maven-version: 3.9.6 + # Handle importing GPG private key to the local keyring and manually configure Maven to use GPG passphrase + # pom.xml is required to have the Maven GPG plugin configured + - name: Import GPG key + run: | + # Create gnupg directory with correct permissions + mkdir -p ~/.gnupg/ + chmod 700 ~/.gnupg/ + + # Configure GPG to use non-interactive mode + echo "use-agent" > ~/.gnupg/gpg.conf + echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf + echo "batch" >> ~/.gnupg/gpg.conf + echo "no-tty" >> ~/.gnupg/gpg.conf + + # Configure GPG agent + echo "allow-loopback-pinentry" > ~/.gnupg/gpg-agent.conf + + # Import the GPG key + echo "${{ secrets.GPG_SECRET_KEY }}" | gpg --batch --import + + # Trust the key + echo -n "${{ secrets.GPG_PASSPHRASE }}" | gpg --passphrase-fd 0 --pinentry-mode loopback --batch --yes --trust-model always --command-fd 0 --change-trustdb << EOF + 5 + y + EOF + - name: Set up JDK - # Handles importing GPG private key to the local keyring and configures Maven to use GPG passphrase - # if pom.xml has the Maven GPG plugin configured uses: actions/setup-java@v5 with: distribution: 'temurin' 
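Review bot: The "Trust the key" command in the new "Import GPG key" step never receives the passphrase it pipes in, because the `<< EOF` heredoc replaces the pipe as gpg's stdin, and `--passphrase-fd 0` and `--command-fd 0` both claim fd 0; I also do not find `--change-trustdb` among gpg's documented commands, and ownertrust is not needed to detach-sign with an imported secret key, so the whole trust step can go (if trust is wanted, `--import-ownertrust` with a `<fingerprint>:6:` line is the non-interactive form). Separately, `echo "${{ secrets.GPG_SECRET_KEY }}" | gpg --batch --import` and the `secrets.GPG_PASSPHRASE` expression are substituted into the script text before bash parses it, so shell-significant characters in the secret break or get interpreted; pass them through the step's `env:` and reference `"$GPG_SECRET_KEY"` / `"$GPG_PASSPHRASE"` instead. The same secret-in-script pattern is repeated in patch 02's deploy step on the next hunk.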
@@ -25,17 +49,18 @@ jobs: server-id: ossrh # Must match server ID in settings.xml/pom.xml server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD - # The private key is not required as a standard environment variable - gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} - gpg-passphrase: MAVEN_GPG_PASSPHRASE - # Parameters for handling GPG in headless CI/CD - gpg-passphrase-args: --pinentry-mode=loopback --no-tty --batch + # No need for GPG config here as we do it manually above - name: Deploy to Maven Central env: MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASS }} - GPG_TTY: "" # Tell GPG not to use terminal - # Use batch mode: no interactive prompts, cleaner logs - run: mvn --batch-mode clean deploy \ No newline at end of file + GPG_TTY: $(tty) + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + run: | + # Export the passphrase for Maven GPG Plugin + echo $GPG_PASSPHRASE | gpg --passphrase-fd 0 --pinentry-mode loopback --batch --yes --sign --output /dev/null --armor <<< "test" + # Tell GPG not to use terminal + export GPG_TTY="" + # Use batch mode: no interactive prompts, cleaner logs + mvn --batch-mode clean deploy -Dgpg.passphrase="${GPG_PASSPHRASE}" From cf951eeb1246cfadbb83b57df5bc7111d6d7a6de Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 13:59:50 +0200 Subject: [PATCH 02/26] use gpg.passphrase parameter in the simplified version of the workflow --- .github/workflows/maven-release.yml | 43 ++++------------------------- 1 file changed, 6 insertions(+), 37 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index ebc0c80..9dc459c 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -1,7 +1,7 @@ name: Maven Deploy on: - workflow_dispatch: # Manual trigger without inputs + workflow_dispatch: jobs: deploy: 
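Review bot: In the deploy hunk of patch 01, `GPG_TTY: $(tty)` is set under `env:`, which GitHub does not run through a shell, so the variable holds the literal text `$(tty)`; the script then does `export GPG_TTY=""` anyway, so the env entry should simply be dropped. The test-sign line `echo $GPG_PASSPHRASE | gpg --passphrase-fd 0 ... <<< "test"` has the same stdin problem as the import step: the here-string replaces the pipe, so gpg reads "test" as the passphrase and has no data left to sign. Finally `-Dgpg.passphrase="${GPG_PASSPHRASE}"` puts the passphrase on the mvn command line where any process on the runner can read it from the process table and Maven's `-X` output echoes it; prefer supplying it through the env var that setup-java's `gpg-passphrase` input references.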
@@ -15,32 +15,6 @@ jobs: with: maven-version: 3.9.6 - # Handle importing GPG private key to the local keyring and manually configure Maven to use GPG passphrase - # pom.xml is required to have the Maven GPG plugin configured - - name: Import GPG key - run: | - # Create gnupg directory with correct permissions - mkdir -p ~/.gnupg/ - chmod 700 ~/.gnupg/ - - # Configure GPG to use non-interactive mode - echo "use-agent" > ~/.gnupg/gpg.conf - echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf - echo "batch" >> ~/.gnupg/gpg.conf - echo "no-tty" >> ~/.gnupg/gpg.conf - - # Configure GPG agent - echo "allow-loopback-pinentry" > ~/.gnupg/gpg-agent.conf - - # Import the GPG key - echo "${{ secrets.GPG_SECRET_KEY }}" | gpg --batch --import - - # Trust the key - echo -n "${{ secrets.GPG_PASSPHRASE }}" | gpg --passphrase-fd 0 --pinentry-mode loopback --batch --yes --trust-model always --command-fd 0 --change-trustdb << EOF - 5 - y - EOF - - name: Set up JDK uses: actions/setup-java@v5 with: 
@@ -49,18 +23,13 @@ jobs: server-id: ossrh # Must match server ID in settings.xml/pom.xml server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD - # No need for GPG config here as we do it manually above + gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} + gpg-passphrase: MAVEN_GPG_PASSPHRASE - name: Deploy to Maven Central env: MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} - GPG_TTY: $(tty) - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - run: | - # Export the passphrase for Maven GPG Plugin - echo $GPG_PASSPHRASE | gpg --passphrase-fd 0 --pinentry-mode loopback --batch --yes --sign --output /dev/null --armor <<< "test" - # Tell GPG not to use terminal - export GPG_TTY="" - # Use batch mode: no interactive prompts, cleaner logs - mvn --batch-mode clean deploy -Dgpg.passphrase="${GPG_PASSPHRASE}" + MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + # Use batch mode: no interactive prompts, cleaner logs + run: mvn --batch-mode clean deploy -Dgpg.passphrase="${MAVEN_GPG_PASSPHRASE}" From b56c79069140219957941020a45fae40847cd891 Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 14:10:27 +0200 Subject: [PATCH 03/26] add GPG plugin configuration --- .github/workflows/maven-release.yml | 4 +++- pom.xml | 7 +++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 9dc459c..74675b6 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -1,7 +1,7 @@ name: Maven Deploy on: - workflow_dispatch: + workflow_dispatch: # Manual trigger without inputs jobs: deploy: 
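Review bot: In patch 02's deploy hunk, `-Dgpg.passphrase="${MAVEN_GPG_PASSPHRASE}"` is redundant with `gpg-passphrase: MAVEN_GPG_PASSPHRASE` restored on setup-java a few lines above, and it re-exposes the passphrase in the mvn process arguments. As far as I know setup-java writes a `gpg.passphrase` property into settings.xml that resolves from that env var at deploy time, so `run: mvn --batch-mode clean deploy` alone should be enough once `MAVEN_GPG_PASSPHRASE` is in the step's `env:` (it is). If the `-D` form turns out to be required, that is worth a comment explaining why the settings.xml route did not work.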
@@ -23,6 +23,7 @@ jobs: server-id: ossrh # Must match server ID in settings.xml/pom.xml server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD + # The private key is not required as a standard environment variable gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} gpg-passphrase: MAVEN_GPG_PASSPHRASE @@ -31,5 +32,6 @@ jobs: MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_TTY: "" # Tell GPG not to use a terminal # Use batch mode: no interactive prompts, cleaner logs run: mvn --batch-mode clean deploy -Dgpg.passphrase="${MAVEN_GPG_PASSPHRASE}" diff --git a/pom.xml b/pom.xml index 942ac78..151994c 100644 --- a/pom.xml +++ b/pom.xml @@ -211,6 +211,13 @@ org.apache.maven.plugins maven-gpg-plugin ${maven-gpg-plugin.version} + + + + --pinentry-mode + loopback + + sign-artifacts From a30312f0bc6bd0e8dfcbc1b6ccf4720ef27aac0f Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 14:19:29 +0200 Subject: [PATCH 04/26] update Maven GPG plugin configuration --- pom.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pom.xml b/pom.xml index 151994c..6a69bec 100644 --- a/pom.xml +++ b/pom.xml @@ -217,6 +217,8 @@ --pinentry-mode loopback + + false From 44a7461c9e6f67ebe1ee35f0f3d6b8011243aafc Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 14:26:49 +0200 Subject: [PATCH 05/26] update Maven GPG plugin version and configuration --- pom.xml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index 6a69bec..c0d0711 100644 --- a/pom.xml +++ b/pom.xml @@ -22,7 +22,7 @@ 1.7.0 3.5.0 3.3.1 - 1.6 + 3.1.0 9.2.0 4.13.2 @@ -212,13 +212,14 @@ maven-gpg-plugin ${maven-gpg-plugin.version} - + --pinentry-mode loopback + --batch + --yes + --no-tty - - false From 8b61838d16d5d81a6cf831f3d0ed1bcc12fc80ed Mon Sep 17 00:00:00 2001 
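Review bot: The comment added in patch 03 above `gpg-private-key`, `# The private key is not required as a standard environment variable`, does not say what it means; I read it as "setup-java imports the key into the runner keyring, so no step needs the key as an env var", and would write `# setup-java imports this key into the runner's keyring; only the passphrase is read from MAVEN_GPG_PASSPHRASE at deploy time`. On the pom.xml hunks of patches 03 and 05 (XML tags are stripped in this view), the `gpgArguments` entries `--batch`, `--no-tty` and `--pinentry-mode loopback` duplicate what maven-gpg-plugin 3.x passes itself when a passphrase is configured, as far as I recall, and `--yes` silently overwrites existing `.asc` files; the plugin version jump from 1.6 to 3.1.0 is a major upgrade and deserves a line in the commit message saying it was verified against Maven 3.9.6.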
From: agrgr Date: Wed, 22 Oct 2025 14:44:20 +0200 Subject: [PATCH 06/26] add GPG agent configuration to the workflow --- .github/workflows/maven-release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 74675b6..b75ceb9 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -27,6 +27,12 @@ jobs: gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} gpg-passphrase: MAVEN_GPG_PASSPHRASE + # Enable loopback pinentry in GPG agent configuration, restart the GPG agent to pick up the change + - name: Configure GPG + run: | + echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf + gpgconf --kill gpg-agent + - name: Deploy to Maven Central env: MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} From f7a20924f1ecb33f24ef76f3a494438e80513e65 Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 15:22:35 +0200 Subject: [PATCH 07/26] add gpg passphrase parameter to the maven gpg plugin --- .github/workflows/maven-release.yml | 3 +++ pom.xml | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index b75ceb9..96eae7f 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -15,6 +15,9 @@ jobs: with: maven-version: 3.9.6 + - name: Build with Maven + run: mvn -B package + - name: Set up JDK uses: actions/setup-java@v5 with: diff --git a/pom.xml b/pom.xml index c0d0711..9222d6b 100644 --- a/pom.xml +++ b/pom.xml @@ -23,12 +23,12 @@ 3.5.0 3.3.1 3.1.0 - 9.2.0 4.13.2 1.18.42 5.14.0 3.27.6 + @@ -216,6 +216,8 @@ --pinentry-mode loopback + --passphrase + ${gpg.passphrase} --batch --yes --no-tty From 2b0d9c81fbac5684c1c219381ebdd8bae2f74189 Mon Sep 17 00:00:00 2001 
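Review bot: The pom.xml hunk of patch 07 adds `--passphrase` and `${gpg.passphrase}` to `gpgArguments`, which places the passphrase in gpg's argv where it is visible in the process table and in any Maven debug output; the plugin already hands `gpg.passphrase` to gpg over stdin (`--passphrase-fd 0`) when the property is set, so these two arguments should be removed (patch 08 does remove them, so this is a note for squashing). In the workflow hunk of the same patch, the new `Build with Maven` step runs `mvn -B package` before `Set up JDK`, so it builds with whatever JDK the runner image provides rather than the Temurin 17 configured two steps later; moving it after setup-java or dropping it keeps the release build on the intended toolchain.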
From: agrgr Date: Wed, 22 Oct 2025 15:29:46 +0200 Subject: [PATCH 08/26] remove gpg passphrase parameter --- .github/workflows/maven-release.yml | 2 +- pom.xml | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 96eae7f..32337c0 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -43,4 +43,4 @@ jobs: MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} GPG_TTY: "" # Tell GPG not to use a terminal # Use batch mode: no interactive prompts, cleaner logs - run: mvn --batch-mode clean deploy -Dgpg.passphrase="${MAVEN_GPG_PASSPHRASE}" + run: mvn --batch-mode clean deploy diff --git a/pom.xml b/pom.xml index 9222d6b..2fb9f9c 100644 --- a/pom.xml +++ b/pom.xml @@ -28,7 +28,6 @@ 1.18.42 5.14.0 3.27.6 - @@ -216,8 +215,6 @@ --pinentry-mode loopback - --passphrase - ${gpg.passphrase} --batch --yes --no-tty From 6822e5b8ea74778b8d82ac9ad872dbc3306418f5 Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 15:54:59 +0200 Subject: [PATCH 09/26] pre-cache the passphrase in the GPG agent before Maven runs --- .github/workflows/maven-release.yml | 15 +++++++++++++-- pom.xml | 5 +---- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 32337c0..192eb2c 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml 
@@ -30,11 +30,22 @@ jobs: gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} gpg-passphrase: MAVEN_GPG_PASSPHRASE - # Enable loopback pinentry in GPG agent configuration, restart the GPG agent to pick up the change - - name: Configure GPG + - name: Configure GPG and cache passphrase + env: + MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} run: | + # Configure GPG agent echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf + echo "default-cache-ttl 7200" >> ~/.gnupg/gpg-agent.conf + echo "max-cache-ttl 7200" >> ~/.gnupg/gpg-agent.conf gpgconf --kill gpg-agent + gpg-connect-agent /bye + + # Get the key grip (fingerprint used by gpg-agent) + KEYGRIP=$(gpg --with-keygrip --list-secret-keys | grep "Keygrip" | head -n 1 | awk '{print $3}') + + # Cache the passphrase in the agent + echo "$MAVEN_GPG_PASSPHRASE" | /usr/lib/gnupg2/gpg-preset-passphrase --preset $KEYGRIP - name: Deploy to Maven Central env: diff --git a/pom.xml b/pom.xml index 2fb9f9c..101a596 100644 --- a/pom.xml +++ b/pom.xml @@ -211,13 +211,10 @@ maven-gpg-plugin ${maven-gpg-plugin.version} - + --pinentry-mode loopback - --batch - --yes - --no-tty From 106a17eb35b85d78a67eabfe6ce3c55b1e75604b Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 16:06:02 +0200 Subject: [PATCH 10/26] add debug output --- .github/workflows/maven-release.yml | 60 ++++++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 5 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 192eb2c..4eabf4b 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml 
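Review bot: The `gpg-preset-passphrase --preset $KEYGRIP` call in patch 09 will be refused by gpg-agent, because presetting requires `allow-preset-passphrase` in gpg-agent.conf and the hunk only adds `allow-loopback-pinentry` and the cache TTLs. Two smaller problems on the same lines: `head -n 1` selects the primary key's keygrip, so if the key has a separate signing subkey the passphrase is cached for the wrong grip, and the absolute path `/usr/lib/gnupg2/gpg-preset-passphrase` varies between distributions (`gpgconf --list-dirs libexecdir` gives the right directory); `$KEYGRIP` should also be quoted so an empty match fails loudly instead of calling the tool without an argument.

```yaml
        run: |
          # gpg-agent refuses gpg-preset-passphrase unless this is set
          echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
          echo "allow-preset-passphrase" >> ~/.gnupg/gpg-agent.conf
          # … unchanged: default-cache-ttl / max-cache-ttl, gpgconf --kill gpg-agent, gpg-connect-agent /bye …
          # preset every keygrip (primary and subkeys) so a signing subkey is covered too
          for KEYGRIP in $(gpg --with-keygrip --list-secret-keys | awk '/Keygrip/ {print $3}'); do
            echo "$MAVEN_GPG_PASSPHRASE" | "$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase" --preset "$KEYGRIP"
          done
```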
@@ -34,18 +34,68 @@ jobs: env: MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} run: | - # Configure GPG agent + echo "::group::Initial GPG state" + echo "=== Checking GPG version ===" + gpg --version + + echo "=== Listing secret keys ===" + gpg --list-secret-keys + + echo "=== Current GPG home directory ===" + ls -la ~/.gnupg/ + echo "::endgroup::" + + echo "::group::Configuring GPG agent" + echo "=== Creating gpg-agent.conf ===" echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf echo "default-cache-ttl 7200" >> ~/.gnupg/gpg-agent.conf echo "max-cache-ttl 7200" >> ~/.gnupg/gpg-agent.conf + + echo "=== Contents of gpg-agent.conf ===" + cat ~/.gnupg/gpg-agent.conf + + echo "=== Checking if gpg.conf exists ===" + if [ -f ~/.gnupg/gpg.conf ]; then + echo "gpg.conf exists:" + cat ~/.gnupg/gpg.conf + else + echo "gpg.conf does not exist" + fi + + echo "=== Restarting GPG agent ===" gpgconf --kill gpg-agent gpg-connect-agent /bye - # Get the key grip (fingerprint used by gpg-agent) - KEYGRIP=$(gpg --with-keygrip --list-secret-keys | grep "Keygrip" | head -n 1 | awk '{print $3}') + echo "=== Checking GPG agent status ===" + gpg-connect-agent 'keyinfo --list' /bye + echo "::endgroup::" + + echo "::group::Test signing to cache passphrase" + echo "=== Performing test signing ===" + echo "test" | gpg --pinentry-mode loopback --passphrase "${MAVEN_GPG_PASSPHRASE}" --armor --detach-sign --output test.sig + + if [ $? -eq 0 ]; then + echo "Test signing successful - passphrase is now cached in agent" + echo "=== Contents of test signature ===" + cat test.sig | head -n 3 + rm -f test.sig + else + echo "Test signing failed!" 
+ exit 1 + fi + echo "::endgroup::" + + echo "::group::Verify GPG can sign without explicit passphrase" + echo "=== Testing if agent has cached passphrase ===" + echo "test2" | gpg --pinentry-mode loopback --armor --detach-sign --output test2.sig - # Cache the passphrase in the agent - echo "$MAVEN_GPG_PASSPHRASE" | /usr/lib/gnupg2/gpg-preset-passphrase --preset $KEYGRIP + if [ $? -eq 0 ]; then + echo "Signing without passphrase works - agent has it cached!" + rm -f test2.sig + else + echo "Signing without passphrase failed - agent may not have cached it" + fi + echo "::endgroup::" - name: Deploy to Maven Central env: From 57425ee5febefddd8644edfb6afccf466ea8bbc7 Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 16:18:06 +0200 Subject: [PATCH 11/26] pipe the passphrase via stdin --- .github/workflows/maven-release.yml | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 4eabf4b..f806d67 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -36,24 +36,23 @@ jobs: run: | echo "::group::Initial GPG state" echo "=== Checking GPG version ===" - gpg --version + gpg --version | head -n 1 echo "=== Listing secret keys ===" gpg --list-secret-keys - - echo "=== Current GPG home directory ===" - ls -la ~/.gnupg/ echo "::endgroup::" echo "::group::Configuring GPG agent" echo "=== Creating gpg-agent.conf ===" - echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf - echo "default-cache-ttl 7200" >> ~/.gnupg/gpg-agent.conf - echo "max-cache-ttl 7200" >> ~/.gnupg/gpg-agent.conf + cat > ~/.gnupg/gpg-agent.conf < Date: Wed, 22 Oct 2025 16:28:40 +0200 Subject: [PATCH 12/26] check passphrase for emptyness, add debug output --- .github/workflows/maven-release.yml | 55 ++++++++++++++++++++--------- 1 file changed, 38 insertions(+), 17 deletions(-) 
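Review bot: The `if [ $? -eq 0 ]` branches added in patch 10 after each `gpg ... --detach-sign` are unreachable in their failure arm, because a `run:` step with no explicit `shell:` executes under `bash -e {0}`, so a non-zero gpg exit (the last command of the pipeline) terminates the step before the test runs; the same pattern recurs in patch 12 (methods 1–3) and patch 14 ("WARNING: Passphrase may not be cached, but continuing"). Either test the command directly, `if echo "test" | gpg ...; then`, or add `set +e` around the probe. The first probe also passes the secret as `--passphrase "${MAVEN_GPG_PASSPHRASE}"`, which exposes it in gpg's argv on the runner; the `--passphrase-fd 0` form used from patch 11 onward is the right one.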
diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index f806d67..2267129 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -34,6 +34,15 @@ jobs: env: MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} run: | + echo "::group::Checking passphrase" + if [ -z "${MAVEN_GPG_PASSPHRASE}" ]; then + echo "❌ ERROR: MAVEN_GPG_PASSPHRASE is empty!" + exit 1 + else + echo "✅ MAVEN_GPG_PASSPHRASE is set (length: ${#MAVEN_GPG_PASSPHRASE} characters)" + fi + echo "::endgroup::" + echo "::group::Initial GPG state" echo "=== Checking GPG version ===" gpg --version | head -n 1 
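Review bot: The success branch of the new passphrase check in patch 12 prints `length: ${#MAVEN_GPG_PASSPHRASE} characters`, which discloses the length of a secret in the job log; the `[ -z ... ]` guard with `exit 1` is the useful part, so the else branch can be reduced to `echo "MAVEN_GPG_PASSPHRASE is set"`. Patch 14 keeps the same length echo, so the same applies there.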
@@ -52,39 +61,51 @@ jobs: echo "=== Contents of gpg-agent.conf ===" cat ~/.gnupg/gpg-agent.conf - - echo "=== Checking if gpg.conf exists ===" - if [ -f ~/.gnupg/gpg.conf ]; then - echo "gpg.conf exists:" - cat ~/.gnupg/gpg.conf - else - echo "gpg.conf does not exist" - fi echo "=== Restarting GPG agent ===" gpgconf --kill gpg-agent gpg-connect-agent /bye - - echo "=== Checking GPG agent status ===" - gpg-connect-agent 'keyinfo --list' /bye echo "::endgroup::" echo "::group::Test signing to cache passphrase" - echo "=== Performing test signing (using passphrase-fd) ===" - echo "test" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --armor --detach-sign --output test.sig <<< "${MAVEN_GPG_PASSPHRASE}" + echo "=== Method 1: Using passphrase via stdin (file descriptor 3) ===" + gpg --pinentry-mode loopback --passphrase-fd 3 --batch --yes --armor --detach-sign --output test.sig 3<<< "${MAVEN_GPG_PASSPHRASE}" <<< "test" if [ $? -eq 0 ]; then - echo "Test signing successful - passphrase is now cached in agent" + echo "Test signing successful with fd 3!" rm -f test.sig else - echo "Test signing failed!" - exit 1 + echo "Method 1 failed, trying method 2..." + + echo "=== Method 2: Using echo to pipe passphrase ===" + echo "${MAVEN_GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --armor --detach-sign --output test.sig <<< "test" + + if [ $? -eq 0 ]; then + echo "Test signing successful with method 2!" + rm -f test.sig + else + echo "Method 2 failed, trying method 3..." + + echo "=== Method 3: Using temporary file ===" + echo "${MAVEN_GPG_PASSPHRASE}" > /tmp/gpg_pass + chmod 600 /tmp/gpg_pass + gpg --pinentry-mode loopback --passphrase-file /tmp/gpg_pass --batch --yes --armor --detach-sign --output test.sig <<< "test" + + if [ $? -eq 0 ]; then + echo "Test signing successful with passphrase file!" + rm -f test.sig /tmp/gpg_pass + else + echo "All methods failed!" 
+ rm -f /tmp/gpg_pass + exit 1 + fi + fi fi echo "::endgroup::" echo "::group::Verify GPG can sign without explicit passphrase" echo "=== Testing if agent has cached passphrase ===" - echo "test2" | gpg --pinentry-mode loopback --batch --yes --armor --detach-sign --output test2.sig + gpg --pinentry-mode loopback --batch --yes --armor --detach-sign --output test2.sig <<< "test2" if [ $? -eq 0 ]; then echo "Signing without passphrase works - agent has it cached!" From c0099206ce06ce3f5c7853964f338d2e3083c943 Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 16:29:05 +0200 Subject: [PATCH 13/26] check passphrase for emptyness, add debug output --- .github/workflows/maven-release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 2267129..7a32bc9 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -36,10 +36,10 @@ jobs: run: | echo "::group::Checking passphrase" if [ -z "${MAVEN_GPG_PASSPHRASE}" ]; then - echo "❌ ERROR: MAVEN_GPG_PASSPHRASE is empty!" + echo "ERROR: MAVEN_GPG_PASSPHRASE is empty!" exit 1 else - echo "✅ MAVEN_GPG_PASSPHRASE is set (length: ${#MAVEN_GPG_PASSPHRASE} characters)" + echo "MAVEN_GPG_PASSPHRASE is set (length: ${#MAVEN_GPG_PASSPHRASE} characters)" fi echo "::endgroup::" From c4ee353785f563f83d6b874f83deefe0fa3fe06b Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 18:16:48 +0200 Subject: [PATCH 14/26] check that passprase is cached --- .github/workflows/maven-release.yml | 104 ++++++++-------------------- pom.xml | 2 +- 2 files changed, 30 insertions(+), 76 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 7a32bc9..bcf79bf 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml 
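Review bot: "Method 3" in patch 12 writes the passphrase to the fixed, predictable path `/tmp/gpg_pass` with `echo ... > /tmp/gpg_pass` and only then runs `chmod 600`, so the file briefly exists with the default umask permissions, and on a failing gpg the `rm -f` never runs because the step exits under `-e`. If a passphrase file is needed at all, create it private from the start, e.g. `PASSFILE=$(mktemp)` followed by `(umask 077; printf '%s' "$MAVEN_GPG_PASSPHRASE" > "$PASSFILE")`, and remove it in a `trap ... EXIT`. Given that the fallback chain cannot actually be reached under `-e` (see the note on patch 10), the simpler fix is to keep only the `--passphrase-fd 0` form and drop methods 1 and 3.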
@@ -15,9 +15,6 @@ jobs: with: maven-version: 3.9.6 - - name: Build with Maven - run: mvn -B package - - name: Set up JDK uses: actions/setup-java@v5 with: 
@@ -32,94 +29,51 @@ jobs: - name: Configure GPG and cache passphrase env: - MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASS }} run: | - echo "::group::Checking passphrase" + echo "=== Checking passphrase is set ===" if [ -z "${MAVEN_GPG_PASSPHRASE}" ]; then echo "ERROR: MAVEN_GPG_PASSPHRASE is empty!" exit 1 - else - echo "MAVEN_GPG_PASSPHRASE is set (length: ${#MAVEN_GPG_PASSPHRASE} characters)" fi - echo "::endgroup::" - - echo "::group::Initial GPG state" - echo "=== Checking GPG version ===" - gpg --version | head -n 1 - - echo "=== Listing secret keys ===" - gpg --list-secret-keys - echo "::endgroup::" + echo "Passphrase is set (length: ${#MAVEN_GPG_PASSPHRASE} characters)" - echo "::group::Configuring GPG agent" - echo "=== Creating gpg-agent.conf ===" - cat > ~/.gnupg/gpg-agent.conf <> ~/.gnupg/gpg-agent.conf cat ~/.gnupg/gpg-agent.conf - echo "=== Restarting GPG agent ===" + echo "=== Killing GPG agent ===" gpgconf --kill gpg-agent - gpg-connect-agent /bye - echo "::endgroup::" - echo "::group::Test signing to cache passphrase" - echo "=== Method 1: Using passphrase via stdin (file descriptor 3) ===" - gpg --pinentry-mode loopback --passphrase-fd 3 --batch --yes --armor --detach-sign --output test.sig 3<<< "${MAVEN_GPG_PASSPHRASE}" <<< "test" + echo "=== Signing pom.xml to cache passphrase ===" + echo "${MAVEN_GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --no-tty --armor --detach-sign pom.xml if [ $? -eq 0 ]; then - echo "Test signing successful with fd 3!" - rm -f test.sig + echo "Initial signing successful" + rm -f pom.xml.asc else - echo "Method 1 failed, trying method 2..." - - echo "=== Method 2: Using echo to pipe passphrase ===" - echo "${MAVEN_GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --armor --detach-sign --output test.sig <<< "test" - - if [ $? -eq 0 ]; then - echo "Test signing successful with method 2!" 
- rm -f test.sig - else - echo "Method 2 failed, trying method 3..." - - echo "=== Method 3: Using temporary file ===" - echo "${MAVEN_GPG_PASSPHRASE}" > /tmp/gpg_pass - chmod 600 /tmp/gpg_pass - gpg --pinentry-mode loopback --passphrase-file /tmp/gpg_pass --batch --yes --armor --detach-sign --output test.sig <<< "test" - - if [ $? -eq 0 ]; then - echo "Test signing successful with passphrase file!" - rm -f test.sig /tmp/gpg_pass - else - echo "All methods failed!" - rm -f /tmp/gpg_pass - exit 1 - fi - fi + echo "Initial signing failed!" + exit 1 fi - echo "::endgroup::" - echo "::group::Verify GPG can sign without explicit passphrase" - echo "=== Testing if agent has cached passphrase ===" - gpg --pinentry-mode loopback --batch --yes --armor --detach-sign --output test2.sig <<< "test2" + echo "=== Verifying GPG agent is running ===" + gpg-connect-agent 'getinfo pid' /bye + + echo "=== Testing if passphrase is cached (signing without passphrase) ===" + gpg --pinentry-mode loopback --batch --yes --no-tty --armor --detach-sign pom.xml if [ $? -eq 0 ]; then - echo "Signing without passphrase works - agent has it cached!" - rm -f test2.sig + echo "SUCCESS: Passphrase is cached in GPG agent!" 
+ rm -f pom.xml.asc else - echo "Signing without passphrase failed - agent may not have cached it" + echo "WARNING: Passphrase may not be cached, but continuing" + echo "Maven will attempt to use the passphrase directly" fi - echo "::endgroup::" - - - name: Deploy to Maven Central - env: - MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} - MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - GPG_TTY: "" # Tell GPG not to use a terminal - # Use batch mode: no interactive prompts, cleaner logs - run: mvn --batch-mode clean deploy +# +# - name: Deploy to Maven Central +# env: +# MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} +# MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} +# GPG_TTY: no-tty +# # Use batch mode: no interactive prompts, cleaner logs +# run: mvn --batch-mode clean deploy \ No newline at end of file diff --git a/pom.xml b/pom.xml index 101a596..d6ec35d 100644 --- a/pom.xml +++ b/pom.xml @@ -211,10 +211,10 @@ maven-gpg-plugin ${maven-gpg-plugin.version} - --pinentry-mode loopback + --no-tty From 2f199125df97a1577dca899dc588d317f5a4574e Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 18:57:59 +0200 Subject: [PATCH 15/26] remove debug output --- .github/workflows/maven-release.yml | 57 +++++++---------------------- 1 file changed, 13 insertions(+), 44 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index bcf79bf..6fa9833 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml 
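Review bot: Patch 14 comments out the entire `Deploy to Maven Central` step, so the workflow named "Maven Deploy" no longer deploys or signs anything; if this is a temporary debugging state it should not be merged as-is, and the commit message should say so. The same hunk changes the passphrase source in the Configure step from `secrets.GPG_PASSPHRASE` to `secrets.GPG_PASS` while the commented deploy block carries no passphrase env at all, even though setup-java's `gpg-passphrase: MAVEN_GPG_PASSPHRASE` (context above the hunk) still expects that variable at deploy time; whichever secret name is the real one, the deploy step needs `MAVEN_GPG_PASSPHRASE: ${{ secrets.<that name> }}` when it is restored. The `if [ $? -eq 0 ]` checks here have the same `-e` problem noted on patch 10.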
@@ -20,60 +20,29 @@ jobs: with: distribution: 'temurin' java-version: '17' - server-id: ossrh # Must match server ID in settings.xml/pom.xml + server-id: ossrh # Must match server id in settings.xml/pom.xml server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD # The private key is not required as a standard environment variable gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} gpg-passphrase: MAVEN_GPG_PASSPHRASE - - name: Configure GPG and cache passphrase + - name: Configure GPG env: MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASS }} run: | - echo "=== Checking passphrase is set ===" - if [ -z "${MAVEN_GPG_PASSPHRASE}" ]; then - echo "ERROR: MAVEN_GPG_PASSPHRASE is empty!" - exit 1 - fi - echo "Passphrase is set (length: ${#MAVEN_GPG_PASSPHRASE} characters)" - - echo "=== Configuring GPG agent ===" + # Allow GPG agent to accept loopback pinentry, kill gpg-agent echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf - cat ~/.gnupg/gpg-agent.conf - - echo "=== Killing GPG agent ===" gpgconf --kill gpg-agent - echo "=== Signing pom.xml to cache passphrase ===" + # Cache passphrase by signing pom.xml (actual signing will take place during deploy), gpg-agent is restarted echo "${MAVEN_GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --no-tty --armor --detach-sign pom.xml - - if [ $? -eq 0 ]; then - echo "Initial signing successful" - rm -f pom.xml.asc - else - echo "Initial signing failed!" - exit 1 - fi - - echo "=== Verifying GPG agent is running ===" - gpg-connect-agent 'getinfo pid' /bye - - echo "=== Testing if passphrase is cached (signing without passphrase) ===" - gpg --pinentry-mode loopback --batch --yes --no-tty --armor --detach-sign pom.xml - - if [ $? -eq 0 ]; then - echo "SUCCESS: Passphrase is cached in GPG agent!" 
- rm -f pom.xml.asc - else - echo "WARNING: Passphrase may not be cached, but continuing" - echo "Maven will attempt to use the passphrase directly" - fi -# -# - name: Deploy to Maven Central -# env: -# MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} -# MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} -# GPG_TTY: no-tty -# # Use batch mode: no interactive prompts, cleaner logs -# run: mvn --batch-mode clean deploy \ No newline at end of file + rm -f pom.xml.asc + + - name: Deploy to Maven Central + env: + MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} + MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} + GPG_TTY: no-tty + # Use batch mode: no interactive prompts, cleaner logs + run: mvn --batch-mode clean deploy \ No newline at end of file From 1be1b48070d003b7e05faf547823abad4547e0e6 Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 21:06:57 +0200 Subject: [PATCH 16/26] use cached passphrase --- .github/workflows/maven-release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 6fa9833..8fbb50f 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -25,7 +25,6 @@ jobs: server-password: MAVEN_PASSWORD # The private key is not required as a standard environment variable gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} - gpg-passphrase: MAVEN_GPG_PASSPHRASE - name: Configure GPG env: From 700f1fd4b94501e7cc23880c70d7784f8f6e1792 Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 21:14:44 +0200 Subject: [PATCH 17/26] update maven gpg plugin configuration --- pom.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/pom.xml b/pom.xml index d6ec35d..8f98c8f 100644 --- a/pom.xml +++ b/pom.xml @@ -211,6 +211,7 @@ maven-gpg-plugin ${maven-gpg-plugin.version} + --pinentry-mode loopback From d0eabad3ce61fcdb2a69fb72c94e46d824b4a850 Mon Sep 17 00:00:00 2001 
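Review bot: After patch 15 the deploy step's `env:` has no `MAVEN_GPG_PASSPHRASE`, so the `gpg-passphrase: MAVEN_GPG_PASSPHRASE` mapping on setup-java (context at the top of the hunk) resolves to nothing and signing relies solely on the agent cache filled by the `--detach-sign pom.xml` probe in the previous step; that cache expires after gpg-agent's `default-cache-ttl`, which is 600 seconds unless configured, and the `default-cache-ttl 7200` / `max-cache-ttl 7200` lines from patch 09 are gone, so a deploy that takes longer than ten minutes will fail to sign. Either add `MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASS }}` to the deploy step's env or restore the two TTL lines next to `allow-loopback-pinentry`. Patch 16 then removes the setup-java mapping, which makes the TTL dependency the only path, so the point stands there too; `GPG_TTY: no-tty` sets a value that is not a tty device path and, with loopback pinentry, has no effect as far as I can tell.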
From: agrgr Date: Wed, 22 Oct 2025 21:22:06 +0200 Subject: [PATCH 18/26] transfer passphrase to Maven as system property --- .github/workflows/maven-release.yml | 2 +- pom.xml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 8fbb50f..ed5bfaa 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -44,4 +44,4 @@ jobs: MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} GPG_TTY: no-tty # Use batch mode: no interactive prompts, cleaner logs - run: mvn --batch-mode clean deploy \ No newline at end of file + run: mvn --batch-mode clean deploy -Dgpg.passphrase="${MAVEN_GPG_PASSPHRASE}" \ No newline at end of file diff --git a/pom.xml b/pom.xml index 8f98c8f..d6ec35d 100644 --- a/pom.xml +++ b/pom.xml @@ -211,7 +211,6 @@ maven-gpg-plugin ${maven-gpg-plugin.version} - --pinentry-mode loopback From 78264452683cf56d1dec366e9dc1964a4ac2c4dc Mon Sep 17 00:00:00 2001 From: agrgr Date: Wed, 22 Oct 2025 22:24:19 +0200 Subject: [PATCH 19/26] create settings-security.xml --- .github/workflows/maven-release.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index ed5bfaa..9f854fb 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -26,6 +26,15 @@ jobs: # The private key is not required as a standard environment variable gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} + - name: Create settings-security.xml + run: | + mkdir -p ~/.m2 + cat > ~/.m2/settings-security.xml < + {jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=} + + EOF + - name: Configure GPG env: MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASS }} From fbb25c8fc2ed9b00f9448650e4b4a0d11f0e5508 Mon Sep 17 00:00:00 2001 
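Review bot: In patch 18, `-Dgpg.passphrase="${MAVEN_GPG_PASSPHRASE}"` expands to an empty string, because the deploy step's `env:` (context: `MAVEN_PASSWORD`, `GPG_TTY`) defines no `MAVEN_GPG_PASSPHRASE` and patch 16 removed the setup-java mapping, so maven-gpg-plugin receives an empty passphrase. Adding `MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASS }}` under that step's `env:` fixes the expansion, but the `-D` form still exposes the passphrase in the mvn process arguments; restoring setup-java's `gpg-passphrase` input and leaving the command as `mvn --batch-mode clean deploy` avoids that.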
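Review bot: Patch 19 commits a Maven master password, `{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}`, into the workflow file (the heredoc body is partly lost in this view). Maven's settings-security master password is reversibly obfuscated, not protected by an external key, so anyone with this repository can decrypt every server password that was ever encrypted under it; it should be treated as compromised and rotated, and if a settings-security.xml is really needed on CI the value belongs in a repository secret, e.g. `${{ secrets.MAVEN_MASTER_PASSWORD }}` (placeholder name), not in source. In this workflow the server credentials already come from `MAVEN_USERNAME`/`MAVEN_PASSWORD` through setup-java, so the file appears to serve no purpose; patch 20 removes it again, which is the right outcome, but the exposed value still needs rotating.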
From: agrgr Date: Thu, 23 Oct 2025 12:19:59 +0200 Subject: [PATCH 20/26] use setup-gpg shared workflow --- .github/workflows/maven-release.yml | 31 ++++++++--------------------- 1 file changed, 8 insertions(+), 23 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 9f854fb..c5e18ec 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -20,32 +20,17 @@ jobs: with: distribution: 'temurin' java-version: '17' +# cache: maven server-id: ossrh # Must match server id in settings.xml/pom.xml server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD - # The private key is not required as a standard environment variable - gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} - - - name: Create settings-security.xml - run: | - mkdir -p ~/.m2 - cat > ~/.m2/settings-security.xml < - {jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=} - - EOF - - name: Configure GPG - env: - MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASS }} - run: | - # Allow GPG agent to accept loopback pinentry, kill gpg-agent - echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf - gpgconf --kill gpg-agent - - # Cache passphrase by signing pom.xml (actual signing will take place during deploy), gpg-agent is restarted - echo "${MAVEN_GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --no-tty --armor --detach-sign pom.xml - rm -f pom.xml.asc + - name: setup GPG + uses: aerospike/shared-workflows/devops/setup-gpg@main + with: + gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} + gpg-key-pass: ${{ secrets.GPG_PASS }} + gpg-key-name: "Aerospike" - name: Deploy to Maven Central env: 
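Review bot: The new `setup GPG` step in patch 20 hands the release signing key and its passphrase to `aerospike/shared-workflows/devops/setup-gpg@main`, a mutable branch reference, so any later push to that branch (or a compromise of that repository) runs with the key material of this release pipeline; pin the action to a full commit SHA with the version in a trailing comment, e.g. `uses: aerospike/shared-workflows/devops/setup-gpg@<commit-sha>  # <version>` (placeholders). The replacement in patch 21 on the next hunk, `crazy-max/ghaction-import-gpg@v6`, is a moving major tag and deserves the same SHA pin. The `# cache: maven` line left commented under `with:` is also better deleted than kept as dead configuration.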
@@ -53,4 +38,4 @@ jobs: MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} GPG_TTY: no-tty # Use batch mode: no interactive prompts, cleaner logs - run: mvn --batch-mode clean deploy -Dgpg.passphrase="${MAVEN_GPG_PASSPHRASE}" \ No newline at end of file + run: mvn --batch-mode clean deploy # -Dgpg.passphrase="${MAVEN_GPG_PASSPHRASE}" \ No newline at end of file From 65be4c7b0660215b5ecdca44d1ae4a9db35885c1 Mon Sep 17 00:00:00 2001 From: agrgr Date: Thu, 23 Oct 2025 12:29:35 +0200 Subject: [PATCH 21/26] use ghaction-import-gpg --- .github/workflows/maven-release.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index c5e18ec..b4c5960 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -20,17 +20,16 @@ jobs: with: distribution: 'temurin' java-version: '17' -# cache: maven + cache: maven server-id: ossrh # Must match server id in settings.xml/pom.xml server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD - - name: setup GPG - uses: aerospike/shared-workflows/devops/setup-gpg@main + - name: Import GPG key + uses: crazy-max/ghaction-import-gpg@v6 with: - gpg-private-key: ${{ secrets.GPG_SECRET_KEY }} - gpg-key-pass: ${{ secrets.GPG_PASS }} - gpg-key-name: "Aerospike" + gpg_private_key: ${{ secrets.GPG_SECRET_KEY }} + passphrase: ${{ secrets.GPG_PASS }} - name: Deploy to Maven Central env: From 777e99f1060559bb23baf20900542a1b5885a52b Mon Sep 17 00:00:00 2001 From: agrgr Date: Thu, 23 Oct 2025 12:38:44 +0200 Subject: [PATCH 22/26] verify Maven settings on CI/CD --- .github/workflows/maven-release.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index b4c5960..add7407 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml 
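Review bot: `run: mvn --batch-mode clean deploy # -Dgpg.passphrase="${MAVEN_GPG_PASSPHRASE}"` carries the superseded option as a trailing comment on the release command; drop it rather than keep dead code there, and instead state in a comment above the step which component now supplies the passphrase. With the property gone, signing presumably depends on the preceding `setup GPG` step having left the passphrase cached in gpg-agent; if that cache expires before the deploy reaches its signing phase the build fails in a non-obvious way, so a one-line comment such as `# Signing relies on the key/passphrase imported by the setup GPG step above` would help the next maintainer. The file still ends without a newline (`\ No newline at end of file`), which yamllint flags.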
@@ -31,6 +31,11 @@ jobs: gpg_private_key: ${{ secrets.GPG_SECRET_KEY }} passphrase: ${{ secrets.GPG_PASS }} + - name: Verify Maven settings + run: | + echo "Contents of settings.xml:" + cat ~/.m2/settings.xml + - name: Deploy to Maven Central env: MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} From cfd1060802cdea8e1da2a6304bd4c6169fc4076f Mon Sep 17 00:00:00 2001 From: agrgr Date: Thu, 23 Oct 2025 13:08:31 +0200 Subject: [PATCH 23/26] set env variables on the job level --- .github/workflows/maven-release.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index add7407..331e236 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -6,6 +6,9 @@ on: jobs: deploy: runs-on: ubuntu-latest + env: + MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} + MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} steps: - name: Checkout code uses: actions/checkout@v5 @@ -31,15 +34,11 @@ jobs: gpg_private_key: ${{ secrets.GPG_SECRET_KEY }} passphrase: ${{ secrets.GPG_PASS }} - - name: Verify Maven settings + - name: Verify environment variables run: | - echo "Contents of settings.xml:" - cat ~/.m2/settings.xml + echo "MAVEN_USERNAME is set: $([ -n "$MAVEN_USERNAME" ] && echo 'yes' || echo 'no')" + echo "MAVEN_PASSWORD is set: $([ -n "$MAVEN_PASSWORD" ] && echo 'yes' || echo 'no')" - name: Deploy to Maven Central - env: - MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} - MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} - GPG_TTY: no-tty # Use batch mode: no interactive prompts, cleaner logs - run: mvn --batch-mode clean deploy # -Dgpg.passphrase="${MAVEN_GPG_PASSPHRASE}" \ No newline at end of file + run: mvn --batch-mode clean deploy \ No newline at end of file From b628ceaa5e9ed1368577adc31708720aafbfd95a Mon Sep 17 00:00:00 2001 
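Review bot: The `Verify Maven settings` step runs `cat ~/.m2/settings.xml`, which prints the Maven settings file into the job log; `setup-java` writes server credentials as `${env.MAVEN_USERNAME}`-style references, so today this should show only placeholders, but any later variant that writes literal credentials into that file (patch 25 does exactly that) would be echoed, and GitHub's secret masking only catches exact matches. Replace the dump with a check that prints no contents, e.g. `test -s ~/.m2/settings.xml && grep -q '<id>ossrh</id>' ~/.m2/settings.xml`. Diagnostic steps like this are best removed before the workflow is used for real releases.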
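Review bot: Moving `MAVEN_USERNAME`/`MAVEN_PASSWORD` to the job-level `env:` exposes the publishing credentials to every step of the job, including the checkout and the third-party `crazy-max/ghaction-import-gpg` action, rather than only to the step that authenticates to the repository. Keep them on the `Deploy to Maven Central` step's `env:` (as the removed lines had) so a compromised or misbehaving action cannot read them. The `Verify environment variables` step's `$([ -n "$MAVEN_USERNAME" ] && echo 'yes' || echo 'no')` prints only presence, which is fine, but it is a debugging aid that should not remain in the release workflow.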
From: agrgr Date: Thu, 23 Oct 2025 13:44:58 +0200 Subject: [PATCH 24/26] test Nexus credentials --- .github/workflows/maven-release.yml | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 331e236..d5752ee 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -6,9 +6,6 @@ on: jobs: deploy: runs-on: ubuntu-latest - env: - MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} - MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} steps: - name: Checkout code uses: actions/checkout@v5 @@ -34,11 +31,25 @@ jobs: gpg_private_key: ${{ secrets.GPG_SECRET_KEY }} passphrase: ${{ secrets.GPG_PASS }} - - name: Verify environment variables + - name: Test Nexus credentials + env: + MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} + MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} run: | - echo "MAVEN_USERNAME is set: $([ -n "$MAVEN_USERNAME" ] && echo 'yes' || echo 'no')" - echo "MAVEN_PASSWORD is set: $([ -n "$MAVEN_PASSWORD" ] && echo 'yes' || echo 'no')" + echo "Testing authentication to Sonatype..." + curl -u "${MAVEN_USERNAME}:${MAVEN_PASSWORD}" \ + -I https://oss.sonatype.org/service/local/status + + echo "" + echo "'401 Unauthorized' above -> credentials are invalid" + echo "'200 OK' -> credentials work but Maven isn't using them correctly" - name: Deploy to Maven Central - # Use batch mode: no interactive prompts, cleaner logs - run: mvn --batch-mode clean deploy \ No newline at end of file + env: + MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} + MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} + run: | + # Use batch mode: no interactive prompts, cleaner logs + mvn --batch-mode deploy \ + -s .github/maven-settings.xml \ + -Possrh \ No newline at end of file From 2cbe27fdf7ec7a0cea16ef0c2e505a1534c86173 Mon Sep 17 00:00:00 2001 
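Review bot: The deploy step now passes `-s .github/maven-settings.xml`, but the diffstat lists only `.github/workflows/maven-release.yml`, so unless that settings file already exists in the repository Maven fails with a missing-settings error before any upload; either add the file in this change or drop the flag and rely on the `~/.m2/settings.xml` that `setup-java` generates from `server-id: ossrh`. In the `Test Nexus credentials` step, `curl -u "${MAVEN_USERNAME}:${MAVEN_PASSWORD}"` puts the credentials into the process argument list; feed them from a temporary netrc file (`curl --netrc-file "$NETRC"`) instead. That step also never fails on a 401, it only prints hints, so a broken credential is still followed by a deploy attempt; and `oss.sonatype.org` is the legacy OSSRH host, so please confirm it is still the endpoint this project publishes to.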
From: agrgr Date: Thu, 23 Oct 2025 14:04:42 +0200 Subject: [PATCH 25/26] create settings.xml and test --- .github/workflows/maven-release.yml | 42 +++++++++++++++++++++++------ 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index d5752ee..774a915 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -31,18 +31,44 @@ jobs: gpg_private_key: ${{ secrets.GPG_SECRET_KEY }} passphrase: ${{ secrets.GPG_PASS }} - - name: Test Nexus credentials +# - name: Test Nexus credentials +# env: +# MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} +# MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} +# run: | +# echo "Testing authentication to Sonatype..." +# curl -u "${MAVEN_USERNAME}:${MAVEN_PASSWORD}" \ +# -I https://oss.sonatype.org/service/local/status +# +# echo "" +# echo "'401 Unauthorized' above -> credentials are invalid" +# echo "'200 OK' -> credentials work but Maven isn't using them correctly" + + - name: Create settings.xml with credentials + env: + MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} + MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} + run: | + mkdir -p ~/.m2 + cat > ~/.m2/settings.xml < + + + ossrh + ${MAVEN_USERNAME} + ${MAVEN_PASSWORD} + + + + EOF + + - name: Test credentials env: MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} run: | - echo "Testing authentication to Sonatype..." - curl -u "${MAVEN_USERNAME}:${MAVEN_PASSWORD}" \ - -I https://oss.sonatype.org/service/local/status - - echo "" - echo "'401 Unauthorized' above -> credentials are invalid" - echo "'200 OK' -> credentials work but Maven isn't using them correctly" + # Test with actual values (not ${env.} placeholders) + curl -u "${MAVEN_USERNAME}:${MAVEN_PASSWORD}" -I https://oss.sonatype.org/service/local/status - name: Deploy to Maven Central env: 
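Review bot: `Create settings.xml with credentials` writes the literal username and password into `~/.m2/settings.xml` on the runner, overwriting the file `setup-java` generated earlier in the job with `${env.MAVEN_USERNAME}` indirection; the generated file keeps the secret out of files on disk and out of any step that later prints or archives `~/.m2`, so I would revert to it, or, if a hand-written file is really needed, keep the `${env.MAVEN_USERNAME}` references rather than expanding them in the heredoc. The heredoc body is rendered here with its XML tags stripped, so I cannot verify the generated file; it should be checked for a well-formed `<settings><servers><server>` block whose `<id>` matches the server Maven deploys to. The twelve `#`-prefixed lines at column 0 are a commented-out step; delete them rather than leave them in the workflow, since git history keeps the old version.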
From 92dc885c5dcebf6e193cb760994464ec049a2bd7 Mon Sep 17 00:00:00 2001 From: agrgr Date: Thu, 23 Oct 2025 14:14:07 +0200 Subject: [PATCH 26/26] cleanup --- .github/workflows/maven-release.yml | 38 +++++++++-------------------- 1 file changed, 11 insertions(+), 27 deletions(-) diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 774a915..280be57 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -21,9 +21,6 @@ jobs: distribution: 'temurin' java-version: '17' cache: maven - server-id: ossrh # Must match server id in settings.xml/pom.xml - server-username: MAVEN_USERNAME - server-password: MAVEN_PASSWORD - name: Import GPG key uses: crazy-max/ghaction-import-gpg@v6 @@ -31,20 +28,7 @@ jobs: gpg_private_key: ${{ secrets.GPG_SECRET_KEY }} passphrase: ${{ secrets.GPG_PASS }} -# - name: Test Nexus credentials -# env: -# MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} -# MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} -# run: | -# echo "Testing authentication to Sonatype..." -# curl -u "${MAVEN_USERNAME}:${MAVEN_PASSWORD}" \ -# -I https://oss.sonatype.org/service/local/status -# -# echo "" -# echo "'401 Unauthorized' above -> credentials are invalid" -# echo "'200 OK' -> credentials work but Maven isn't using them correctly" - - - name: Create settings.xml with credentials + - name: Configure Maven settings env: MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} 
@@ -67,15 +51,15 @@ jobs: MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} run: | - # Test with actual values (not ${env.} placeholders) - curl -u "${MAVEN_USERNAME}:${MAVEN_PASSWORD}" -I https://oss.sonatype.org/service/local/status + echo "Testing Sonatype authentication..." + STATUS=$(curl -s -o /dev/null -w "%{http_code}" -u "${MAVEN_USERNAME}:${MAVEN_PASSWORD}" https://oss.sonatype.org/service/local/status) + + if [ "$STATUS" = "200" ]; then + echo "Credentials are valid" + else + echo "Authentication failed (HTTP $STATUS)" + exit 1 + fi - name: Deploy to Maven Central - env: - MAVEN_USERNAME: ${{ secrets.AEROSPIKE_SA_CICD_USERNAME }} - MAVEN_PASSWORD: ${{ secrets.AEROSPIKE_SA_CICD_PASSWORD }} - run: | - # Use batch mode: no interactive prompts, cleaner logs - mvn --batch-mode deploy \ - -s .github/maven-settings.xml \ - -Possrh \ No newline at end of file + run: mvn --batch-mode deploy \ No newline at end of file
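Review bot: `STATUS=$(curl -s -o /dev/null -w "%{http_code}" -u ... https://oss.sonatype.org/service/local/status)` has no `--max-time` or `--retry`, so a transient network failure yields `000` and `exit 1` aborts the release with the misleading message `Authentication failed (HTTP 000)`; use `curl -s --max-time 30 --retry 3 -o /dev/null -w "%{http_code}" ...` and add `if [ "$STATUS" = "000" ]; then echo "Could not reach Sonatype"; exit 1; fi` before the 200 check so connectivity and credential problems are reported differently. The `-u "${MAVEN_USERNAME}:${MAVEN_PASSWORD}"` form still places the password in the process argument list, which `--netrc-file` avoids. The deploy step is reduced to `run: mvn --batch-mode deploy`; this is also the place to restore the trailing newline the file has lacked since patch 18 (`\ No newline at end of file`).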