switch to central portal and sign in CI

pschichtel · pschichtel · commit d031f07a2c36 · 2025-08-03T21:11:04.000+02:00
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -9,23 +9,25 @@ on:
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
-
+    environment: sonatype-central
     steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - name: Set up JDK
-      uses: actions/setup-java@v3
-      with:
-        java-version: '11'
-        distribution: 'temurin'
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
-    - name: Build
-      run: ./gradlew --no-configuration-cache --no-parallel mavenCentralDeploy "-PsonatypeUsername=$SONATYPE_USERNAME" "-PsonatypePassword=$SONATYPE_PASSWORD"
-      env:
-        SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
-        SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: gradle
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v3
+      - name: Build
+        run: ./gradlew --no-configuration-cache --no-parallel mavenCentralDeploy
+        env:
+          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+          ORG_GRADLE_PROJECT_mavenCentralSnapshotsUsername: ${{ secrets.SONATYPE_USERNAME }}
+          ORG_GRADLE_PROJECT_mavenCentralSnapshotsPassword: ${{ secrets.SONATYPE_PASSWORD }}
+          MAVEN_CENTRAL_PORTAL_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+          MAVEN_CENTRAL_PORTAL_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
diff --git a/conventions/build.gradle.kts b/conventions/build.gradle.kts
@@ -9,6 +9,7 @@ repositories {
 
 dependencies {
     api(plugin("tel.schich.dockcross", version = "0.2.3"))
+    implementation("io.github.zenhelix.maven-central-publish:io.github.zenhelix.maven-central-publish.gradle.plugin:0.8.0")
 }
 
 fun plugin(id: String, version: String) = "$id:$id.gradle.plugin:$version"
diff --git a/conventions/src/main/kotlin/tel.schich.javacan.convention.published.gradle.kts b/conventions/src/main/kotlin/tel.schich.javacan.convention.published.gradle.kts
@@ -1,7 +1,10 @@
+import io.github.zenhelix.gradle.plugin.extension.PublishingType
+
 plugins {
     id("tel.schich.javacan.convention.base")
     signing
     `maven-publish`
+    id("io.github.zenhelix.maven-central-publish")
 }
 
 val ci = System.getenv("CI") != null
@@ -11,7 +14,40 @@ java {
     withJavadocJar()
 }
 
+private fun Project.getSecret(name: String): Provider<String> = provider {
+    val env = System.getenv(name)
+        ?.ifBlank { null }
+    if (env != null) {
+        return@provider env
+    }
+
+    val propName = name.split("_")
+        .map { it.lowercase() }
+        .joinToString(separator = "") { word ->
+            word.replaceFirstChar { it.uppercase() }
+        }
+        .replaceFirstChar { it.lowercase() }
+
+    property(propName) as String
+}
+
+mavenCentralPortal {
+    credentials {
+        username = project.getSecret("MAVEN_CENTRAL_PORTAL_USERNAME")
+        password = project.getSecret("MAVEN_CENTRAL_PORTAL_PASSWORD")
+    }
+    publishingType = PublishingType.AUTOMATIC
+}
+
 publishing {
+    repositories {
+        maven {
+            name = "mavenCentralSnapshots"
+            url = uri("https://central.sonatype.com/repository/maven-snapshots/")
+            credentials(PasswordCredentials::class)
+        }
+    }
+
     publications {
         register<MavenPublication>("maven") {
             artifactId = "javacan-${project.name}"
@@ -44,9 +80,25 @@ publishing {
     }
 }
 
-if (!ci) {
-    signing {
-        useGpgCmd()
-        sign(publishing.publications)
+private val signingKey = System.getenv("SIGNING_KEY")?.ifBlank { null }?.trim()
+private val signingKeyPassword = System.getenv("SIGNING_KEY_PASSWORD")?.ifBlank { null }?.trim() ?: ""
+
+when {
+    signingKey != null -> {
+        logger.lifecycle("Received a signing key, using in-memory pgp keys!")
+        signing {
+            useInMemoryPgpKeys(signingKey, signingKeyPassword)
+            sign(publishing.publications)
+        }
+    }
+    !ci -> {
+        logger.lifecycle("Not running in CI, using the gpg command!")
+        signing {
+            useGpgCmd()
+            sign(publishing.publications)
+        }
+    }
+    else -> {
+        logger.lifecycle("Not signing artifacts!")
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ repositories {`
`9`	`9`
`10`	`10`	`dependencies {`
`11`	`11`	`api(plugin("tel.schich.dockcross", version = "0.2.3"))`
	`12`	`+ implementation("io.github.zenhelix.maven-central-publish:io.github.zenhelix.maven-central-publish.gradle.plugin:0.8.0")`
`12`	`13`	`}`
`13`	`14`
`14`	`15`	`fun plugin(id: String, version: String) = "$id:$id.gradle.plugin:$version"`