Current Behavior
Version 1.2.0 of the com.gradle.plugin-publish added support for publishing sigstore signatures to the Gradle Plugin Portal.
However, version 0.8.0 of the dev.sigstore.sign-base changed the default extension of the signature file from .sigstore to .sigstore.json via this change.
As a result, the following error message is logged when running publishPlugins with --validate-only:
Ignoring unknown artifact with type "jar.sigstore.json" and classifier "null".
You can only upload normal jars, sources jars, javadoc jars and groovydoc jars
with or without signatures to the Plugin Portal at this time.
I toyed around with configuring the sigstore plugin in a different fashion to preserve the old file extension, but was ultimately unsuccessful.
Expected Behavior
I expected the publish plugin to publish the sigstore.json files added to the maven publication being released to the plugin portal.
I noticed the class com.gradle.publish.protocols.v1.models.publish.ArtifactTypeCodec has the pom.sigstore, module.sigstore, and jar.sigstore extensions added to the allowedExtensions list on the class.
Adding the corresponding .json versions of these files would be really helpful for plugin authors signing gradle plugin artifacts with sigstore!
gw --version
------------------------------------------------------------
Gradle 8.10
------------------------------------------------------------
Build time: 2024-08-14 11:07:45 UTC
Revision: fef2edbed8af1022cefaf44d4c0514c5f89d7b78
Kotlin: 1.9.24
Groovy: 3.0.22
Ant: Apache Ant(TM) version 1.10.14 compiled on August 16 2023
Launcher JVM: 21.0.3 (Eclipse Adoptium 21.0.3+9-LTS)
Daemon JVM: /Users/ryandens/.sdkman/candidates/java/21.0.3-tem (no JDK specified, using current Java home)
OS: Mac OS X 14.6.1 aarch64
Context (optional)
No response
Steps to Reproduce
Add the dev.sigstore.sign plugin to a plugin project (I tried it out on the javaagent-gradle-plugin)
Add a task dependency
Validate the plugin
gw publishPlugins --validate-only --no-configuration-cache
Gradle version
8.10
Build scan URL (optional)
https://scans.gradle.com/s/zayuw5cr7xamk
Your Environment (optional)