Closed scordio closed 2 years ago
I have to upload my private GPG key to github? Sounds not so good.
You have removed the profile to sign the artifacts. Where will the artifacts now get signed? Without it the OSS repository will reject them.
> I have to upload my private GPG key to github? Sounds not so good.
That's pretty much standard secret management, see more at https://docs.github.com/en/actions/security-guides/encrypted-secrets.
An important aspect is that GitHub uses a libsodium sealed box to help ensure that secrets are encrypted before they reach GitHub and remain encrypted until you use them in a workflow.
> You have removed the profile to sign the artifacts. Where will the artifacts now get signed? Without it the OSS repository will reject them.
That was a duplicate, already declared in the release profile: https://github.com/siom79/japicmp/blob/62c69c4d9199eaef8173841803fad2590c9046b7/pom.xml#L518-L531
How do I specify the version to release?
By default, the maven-release-plugin takes the version you have in the POM and removes the snapshot part, i.e.: 0.15.7 would be the current result.
If you want a different version, the POM should be updated in advance or the release workflow could be enhanced to accept parameters.
BTW I see that the release failed during the build of japicmp-ant-task with:
org.apache.tools.ant.BuildException: Dependencies not found in Maven cache
Do you know already why? Otherwise I can look at it.
I have found the issue.
But it took me 10 tries to get it working. ;) The final point missing was to align the repository id in the distributionManagement of the root pom with the server-id in the release.yml. Otherwise you just get an authorization failure.
Thanks again for setting everything up.
Great catch and sorry for missing that!
Once merged, the release can be triggered via manual action under the workflow page.
The version should be set before triggering the release as no special parameter is exposed (the released version will be the one set in the POM and the next development version will have the patch number increased).
The following secrets should be added to the repository configuration:
GPG_PASSPHRASE
GPG_PRIVATE_KEY
OSSRH_TOKEN
OSSRH_USERNAME
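
The id mismatch described in the thread (the repository id in distributionManagement versus the server-id in release.yml) can be caught before a release run. The following check is an added example, not code from this pull request or from the project; the POM and workflow snippets and the ids in them are constructed placeholders, and the workflow is scanned with a regex rather than a YAML parser.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample inputs; ids and URLs are placeholders, not the project's values.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <distributionManagement>
    <snapshotRepository><id>example-snapshots</id>
      <url>https://repo.example.invalid/snapshots</url></snapshotRepository>
    <repository><id>example-releases</id>
      <url>https://repo.example.invalid/releases</url></repository>
  </distributionManagement>
</project>"""

SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/setup-java@v4
        with:
          server-id: example-deploy  # constructed: does not match the POM above
          server-username: OSSRH_USERNAME
          server-password: OSSRH_TOKEN
"""

def pom_repository_ids(pom_xml):
    """Return the ids declared under <distributionManagement>."""
    root = ET.fromstring(pom_xml)
    ids = set()
    for tag in ("repository", "snapshotRepository"):
        node = root.find(f"m:distributionManagement/m:{tag}/m:id", POM_NS)
        if node is not None and node.text:
            ids.add(node.text.strip())
    return ids

def workflow_server_ids(workflow_yaml):
    """Return every server-id value set in the workflow text."""
    pattern = re.compile(r"^\s*server-id:\s*['\"]?([^'\"#\s]+)", re.MULTILINE)
    return set(pattern.findall(workflow_yaml))

def unmatched_server_ids(pom_xml, workflow_yaml):
    """Server ids whose credentials Maven could not pair with a POM repository."""
    return workflow_server_ids(workflow_yaml) - pom_repository_ids(pom_xml)

if __name__ == "__main__":
    missing = unmatched_server_ids(SAMPLE_POM, SAMPLE_WORKFLOW)
    print("unmatched server-id values:", sorted(missing) or "none")
```

Run against the real pom.xml and release.yml contents, an empty result means every server-id in the workflow has a repository id to pair with.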