fix: update publish flow

- use environment variable names instead of actual values in setup-java - make actual values accessible only at deploy step - add configuration to `maven-gpg-plugin` to ensure passphrase is provided directly from an environment variable
ButterCMS · Aug 21, 2024 · 7beed0f · 7beed0f
1 parent cc21571
commit 7beed0f
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 4 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -27,13 +27,17 @@ jobs:
         cache: 'maven'
         cache-dependency-path: ./pom.xml
         server-id: ossrh  # This id should match with the id in your pom.xml or settings.xml
-        server-username: ${{ secrets.OSSRH_USERNAME }}
-        server-password: ${{ secrets.OSSRH_TOKEN }}
-        gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
-        gpg-passphrase: ${{ secrets.GPG_PWD }}
+        server-username: OSSRH_USERNAME # Env variable for username in deploy (Passes the environment variable name, not the value)
+        server-password: OSSRH_TOKEN # Env variable for token in deploy
+        gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} # Value of the GPG private key to import
+        gpg-passphrase: GPG_PWD  # Env variable for GPG private key passphrase
 
     - name: Build with Maven Wrapper
       run: ./mvnw clean install
 
     - name: Deploy to Apache Maven
       run: ./mvnw deploy -P release -Dgpg.skip=false # Using the profile `release` for using the necessary dependencies
+      env:
+        OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+        OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
+        GPG_PWD: ${{ secrets.GPG_PWD }}
diff --git a/pom.xml b/pom.xml
@@ -107,6 +107,13 @@
                                 <goals>
                                     <goal>sign</goal>
                                 </goals>
+                                <configuration>
+                                    <!-- Ensuring passphrase is provided directly from an environment variable -->
+                                    <gpgArguments>
+                                        <arg>--pinentry-mode</arg>
+                                        <arg>loopback</arg>
+                                    </gpgArguments>
+                                </configuration>
                             </execution>
                         </executions>
                     </plugin>