Add artifact signing to CI workflow & publish signature files in snap…

…shot releases.
matthew16550 · Dec 8, 2021 · 6f90758 · 6f90758
1 parent 1d6d3e8
commit 6f90758
Show file tree

Hide file tree

Showing 5 changed files with 116 additions and 26 deletions.
diff --git a/.github/scripts/release.sh b/.github/scripts/release.sh
@@ -1,13 +1,18 @@
 #!/usr/bin/env bash
 set -ex
 
-mv plantuml.jar         "plantuml-${POM_VERSION}.jar"
-mv plantuml-javadoc.jar "plantuml-${POM_VERSION}-javadoc.jar"
-mv plantuml-sources.jar "plantuml-${POM_VERSION}-sources.jar"
-
-gh release create --target "${GITHUB_SHA}" "${TAG}" \
-  "plantuml-${POM_VERSION}.jar" \
-  "plantuml-${POM_VERSION}-javadoc.jar" \
-  "plantuml-${POM_VERSION}-sources.jar"
+RELEASE_DIR="target/github_release"
+
+mkdir "${RELEASE_DIR}"
+
+ln -s "../plantuml.jar"             "${RELEASE_DIR}/plantuml-${POM_VERSION}.jar"
+ln -s "../plantuml-javadoc.jar"     "${RELEASE_DIR}/plantuml-${POM_VERSION}-javadoc.jar"
+ln -s "../plantuml-sources.jar"     "${RELEASE_DIR}/plantuml-${POM_VERSION}-sources.jar"
+# we do not release the .pom or .asc signature files here, they will be added in a later PR
+
+gh release create \
+  --target "${GITHUB_SHA}" \
+  --title "${TAG}" \
+  "${TAG}" ${RELEASE_DIR}/*
 
 echo "::notice title=::Released at ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/tag/${TAG} 🎉"
diff --git a/.github/scripts/release_snapshot.sh b/.github/scripts/release_snapshot.sh
@@ -3,28 +3,42 @@ set -ex
 
 TAG="snapshot"
 DATE_TIME_UTC=$(date -u +"%F at %T (UTC)")
+RELEASE_DIR="target/github_release"
 
 gh release delete "${TAG}" -y || true
 
 git tag --force "${TAG}"
 
 git push --force origin "${TAG}"
 
-mv plantuml.jar         plantuml-SNAPSHOT.jar
-mv plantuml-javadoc.jar plantuml-SNAPSHOT-javadoc.jar
-mv plantuml-sources.jar plantuml-SNAPSHOT-sources.jar
-echo -n "${DATE_TIME_UTC}" > plantuml-SNAPSHOT-timestamp.lock
+mkdir "${RELEASE_DIR}"
+
+ln -s "../plantuml.pom"             "${RELEASE_DIR}/plantuml-SNAPSHOT.pom"
+ln -s "../plantuml.jar"             "${RELEASE_DIR}/plantuml-SNAPSHOT.jar"
+ln -s "../plantuml-javadoc.jar"     "${RELEASE_DIR}/plantuml-SNAPSHOT-javadoc.jar"
+ln -s "../plantuml-sources.jar"     "${RELEASE_DIR}/plantuml-SNAPSHOT-sources.jar"
+
+if [[ -e "target/plantuml.pom.asc" ]]; then
+  # signatures are optional so forked repos can release snapshots without needing a gpg signing key
+  ln -s "../plantuml.pom.asc"         "${RELEASE_DIR}/plantuml-SNAPSHOT.pom.asc"
+  ln -s "../plantuml.jar.asc"         "${RELEASE_DIR}/plantuml-SNAPSHOT.jar.asc"
+  ln -s "../plantuml-javadoc.jar.asc" "${RELEASE_DIR}/plantuml-SNAPSHOT-javadoc.jar.asc"
+  ln -s "../plantuml-sources.jar.asc" "${RELEASE_DIR}/plantuml-SNAPSHOT-sources.jar.asc"
+fi
+
+echo -n "${DATE_TIME_UTC}" > "${RELEASE_DIR}/plantuml-SNAPSHOT.timestamp.lock"
 
 cat <<-EOF >notes.txt
   This is a pre-release of [the latest development work](https://github.com/plantuml/plantuml/commits/).
   ⚠️  **It is not ready for general use** ⚠️
   ⏱  _Snapshot taken the ${DATE_TIME_UTC}_
 EOF
 
-gh release create --prerelease --target "${GITHUB_SHA}" --title "${TAG}" --notes-file notes.txt "${TAG}" \
-  plantuml-SNAPSHOT.jar \
-  plantuml-SNAPSHOT-javadoc.jar \
-  plantuml-SNAPSHOT-sources.jar \
-  plantuml-SNAPSHOT-timestamp.lock
+gh release create \
+  --prerelease \
+  --target "${GITHUB_SHA}" \
+  --title "${TAG}" \
+  --notes-file notes.txt \
+  "${TAG}" ${RELEASE_DIR}/*
 
 echo "::notice title=release snapshot::Snapshot released at ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/tag/${TAG} and taken the ${DATE_TIME_UTC}"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,6 +10,7 @@ on:
   push:
     branches:
       - master
+      - sign-snapshots
     paths-ignore:
       - '*.md'
       - 'docs/**'
@@ -56,7 +57,7 @@ jobs:
             echo "::set-output name=do_release::true"
             echo "::set-output name=pom_version::${REF#v}"  # pom_version is the tag without the 'v' prefix
 
-          elif [[ "${GITHUB_EVENT_NAME}" =~ push|workflow_dispatch && "${REF}" == "refs/heads/master" ]]; then
+          elif [[ "${GITHUB_EVENT_NAME}" =~ push|workflow_dispatch && "${REF}" == "refs/heads/sign-snapshots" ]]; then
             echo "::notice title=::This run will release a snapshot"
             echo "::set-output name=do_snapshot_release::true"
 
@@ -78,6 +79,8 @@ jobs:
             os: ubuntu-20.04
             java_version: 8
     runs-on: ${{ matrix.os }}
+    env:
+      SIGN_ARTIFACTS: ${{ secrets.ARTIFACT_SIGNING_KEY != '' }}
     steps:
       - name: Checkout the repository
         uses: actions/checkout@v2
@@ -107,17 +110,45 @@ jobs:
       - name: Test
         run: mvn --batch-mode test
 
-      - name: Package
-        if: matrix.release_from_this_build
-        run: mvn --batch-mode -DfinalName=plantuml -Dmaven.test.skip=true package
+      # The repeated "matrix.release_from_this_build" checks are messy, but I have not found a simple way to avoid them
+      # See https://github.com/actions/runner/issues/662
+
+      - name: Setup gpg
+        if: matrix.release_from_this_build && env.ARTIFACT_SIGNING_KEY
+        id: gpg
+        env:
+          ARTIFACT_SIGNING_KEY: ${{ secrets.ARTIFACT_SIGNING_KEY }}
+        run: |
+          echo "Importing key ..."
+          echo "${ARTIFACT_SIGNING_KEY}" | gpg --batch --import --import-options import-show
 
-      - name: Upload jar artifacts
+          echo "Getting key id ..."
+          key_id="$(echo "${ARTIFACT_SIGNING_KEY}" | gpg --batch --show-keys --with-colons | awk -F: '$1 == "sec" { print $5 }')"
+          echo "::set-output name=key_id::${key_id}"
+
+      - name: Create artifacts
+        if: matrix.release_from_this_build
+        env:
+          GPG_KEYNAME: ${{ steps.gpg.outputs.key_id }}
+          GPG_PASSPHRASE: ${{ secrets.ARTIFACT_SIGNING_PASSPHRASE }}
+        run: |
+          mvn --batch-mode \
+            "-DfinalName=plantuml" \
+            "-Dgpg.keyname=${GPG_KEYNAME}" \
+            "-Dgpg.passphrase=${GPG_PASSPHRASE}" \
+            "-Dmaven.test.skip=true" \
+            verify
+
+      - name: Upload artifacts
         if: matrix.release_from_this_build
         uses: actions/upload-artifact@v2
         with:
           # Using github.run_number here to reduce confusion when downloading & comparing artifacts from several builds  
-          name: ${{ github.run_number }}-jars
-          path: target/*.jar
+          name: ${{ github.run_number }}-artifacts
+          path: |
+            target/*.asc
+            target/*.jar
+            target/*.pom
 
   release:
     needs: [ workflow_config, build ]
@@ -127,10 +158,11 @@ jobs:
       - name: Checkout the repository
         uses: actions/checkout@v2
 
-      - name: Download jar artifacts
+      - name: Download artifacts
         uses: actions/download-artifact@v2
         with:
-          name: ${{ github.run_number }}-jars
+          name: ${{ github.run_number }}-artifacts
+          path: target
 
       - name: Create snapshot release
         if: needs.workflow_config.outputs.do_snapshot_release == 'true'

diff --git a/docs/releasing.md b/docs/releasing.md
@@ -10,10 +10,21 @@ Tags [cannot][3] be part of a pull request, so you need to push directly to the
 
 The release will only happen if the username making the push is matched in the CI `Configure job` step.
 
+# Artifact Signing
+
+The CI workflow will sign artifacts if the `ARTIFACT_SIGNING_KEY` [GitHub secret][4] is present.  This should be a
+private GPG key as described [here][5].  The passphrase is stored in the `ARTIFACT_SIGNING_PASSPHRASE` secret.
+
+Currently, the signature files are only published as part of the [snapshot][6] releases.
+In future, they will be part of the versioned releases as well.
+
 # Releases Elsewhere 
 
 PlantUML is released to other places, currently that happens outside of GitHub and is not documented here.
 
 [1]: https://github.com/plantuml/plantuml/releases
 [2]: https://github.com/plantuml/plantuml/actions/workflows/ci.yml
 [3]: https://stackoverflow.com/questions/12278660/adding-tags-to-a-pull-request
+[4]: https://docs.github.com/en/actions/security-guides/encrypted-secrets
+[5]: https://central.sonatype.org/publish/requirements/gpg/#generating-a-key-pair
+[6]: https://github.com/plantuml/plantuml/releases/tag/snapshot
diff --git a/pom.xml b/pom.xml
@@ -55,6 +55,7 @@
   <url>https://plantuml.com</url>
 
   <parent>
+    <!-- TODO remove oss-parent https://central.sonatype.org/publish/publish-maven/#deprecated-oss-parent -->
     <groupId>org.sonatype.oss</groupId>
     <artifactId>oss-parent</artifactId>
     <version>7</version>
@@ -308,5 +309,32 @@
         </dependency>
       </dependencies>
     </profile>
+
+    <profile>
+      <id>sign-artifacts</id>
+      <activation>
+        <property>
+          <name>env.SIGN_ARTIFACTS</name>
+          <value>true</value>
+        </property>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <artifactId>maven-gpg-plugin</artifactId>
+            <version>3.0.1</version>
+            <executions>
+              <execution>
+                <id>sign-artifacts</id>
+                <phase>verify</phase>
+                <goals>
+                  <goal>sign</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
   </profiles>
 </project>