Closed Flowdalic closed 1 year ago
Yeah, that makes sense. I immediately see two actionable tasks:
T.env
Yes, that would be a good start. +1
Ideally the sonatype credentials are read from a file under ~/.config/. At least that is how most of my gradle-based projects are set up: IIRC gradle "sources" a file under ~/.config that potentially contains sonatypeUsername and sonatypePassword. Then the project's build script can check if those properties are set, and consume them if so.
And instead of providing the gpg passphrase, the gpg-agent is used. It may be worth looking at how gradle did it.
Using gpg-agent should work out of the box. It does for me.
Mill currently has at least some Sonatype related command line options that take credentials as arguments. For example from the publish task. Users even potentially provide their gpg passphrase via command line.
Command line arguments are not considered private in some (most?) operating systems' security models. So other users on the same system could easily learn those credentials. Instead, secrets should be obtained via environment variables or (protected) files.
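The resolution order the thread proposes (environment variables first, then a credentials file under ~/.config holding sonatypeUsername and sonatypePassword, never the command line), as an added example that is not Mill's or Gradle's own code. The SONATYPE_USERNAME / SONATYPE_PASSWORD variable names, the file name and the owner-only permission check are assumptions; the sample file content is constructed.

```python
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Property names the thread mentions for the Gradle-style credentials file.
USER_KEY = "sonatypeUsername"
PASS_KEY = "sonatypePassword"

def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines (a subset of Java .properties); '#' starts a comment."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def file_is_private(path: Path) -> bool:
    """True only if no group/other permission bits are set (POSIX mode bits)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def load_credentials(env: Dict[str, str], config_file: Path) -> Optional[Dict[str, str]]:
    """Environment first, then a private config file; argv is deliberately never read."""
    user, password = env.get("SONATYPE_USERNAME"), env.get("SONATYPE_PASSWORD")
    if user and password:
        return {"username": user, "password": password, "source": "env"}
    if config_file.is_file():
        if not file_is_private(config_file):  # refuse a file other local users can read
            raise PermissionError(f"{config_file} is group/world readable; refusing to use it")
        props = parse_properties(config_file.read_text())
        if USER_KEY in props and PASS_KEY in props:
            return {"username": props[USER_KEY], "password": props[PASS_KEY], "source": "file"}
    return None

def demo() -> Dict[str, str]:
    """Exercise the resolver against a constructed credentials file in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "sonatype.properties"  # stand-in for a file under ~/.config
        cfg.write_text("# constructed sample\nsonatypeUsername=alice\nsonatypePassword=s3cret\n")
        cfg.chmod(0o600)
        from_file = load_credentials({}, cfg)
        from_env = load_credentials({"SONATYPE_USERNAME": "bob", "SONATYPE_PASSWORD": "pw"}, cfg)
        cfg.chmod(0o644)  # now group/world readable: must be rejected
        try:
            load_credentials({}, cfg)
            rejected = "no"
        except PermissionError:
            rejected = "yes"
    return {"file_user": from_file["username"], "env_user": from_env["username"], "loose_file_rejected": rejected}
```

The permission check reads POSIX mode bits, so it is meaningful on Linux/macOS but not on Windows filesystems.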