From b66ddc82db55795def160d89e30e0bcba0a4b347 Mon Sep 17 00:00:00 2001
From: Julien HENRY
Date: Fri, 30 Apr 2021 17:26:20 +0200
Subject: [PATCH] Sign artifacts
---
.github/workflows/release.yml | 48 ++++++++++++++++++++++++++++++-----
azure-pipelines.yml | 9 ++++++-
2 files changed, 50 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0f9b2d0f80..4209e3c11f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,23 +23,59 @@ jobs: slack_channel: sonarlint-java env: ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }} - BINTRAY_USER: ${{ secrets.BINTRAY_USER }} - BINTRAY_TOKEN: ${{ secrets.BINTRAY_TOKEN }} BURGRX_USER: ${{ secrets.BURGRX_USER }} BURGRX_PASSWORD: ${{ secrets.BURGRX_PASSWORD }} - CENTRAL_USER: ${{ secrets.CENTRAL_USER }} - CENTRAL_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} PATH_PREFIX: ${{ secrets.BINARIES_PATH_PREFIX }} GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} RELEASE_SSH_USER: ${{ secrets.RELEASE_SSH_USER }} RELEASE_SSH_KEY: ${{ secrets.RELEASE_SSH_KEY }} SLACK_API_TOKEN: ${{secrets.SLACK_API_TOKEN }} # Put your action repo here - uses: SonarSource/gh-action_LT_release@v2 + uses: SonarSource/gh-action_release/main@v3 - name: Check outputs if: always() run: | echo "${{ steps.sl_release.outputs.releasability }}" echo "${{ steps.sl_release.outputs.release }}" + maven-central-sync: + runs-on: ubuntu-latest + needs: + - sonar_release + steps: + - name: Setup JFrog CLI + uses: jfrog/setup-jfrog-cli@v1 + - name: JFrog config + run: jfrog rt config repox --url https://repox.jfrog.io/artifactory/ --apikey $ARTIFACTORY_API_KEY --basic-auth-only + env: + ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }} + - name: Get the version + id: get_version + run: | + IFS=. 
read major minor patch build <<< "${{ github.event.release.tag_name }}" + echo ::set-output name=build::"${build}" + - name: Create local repository directory + id: local_repo + run: echo ::set-output name=dir::"$(mktemp -d repo.XXXXXXXX)" + - name: Download Artifacts + uses: SonarSource/gh-action_release/download-build@v3 + with: + build-number: ${{ steps.get_version.outputs.build }} + local-repo-dir: ${{ steps.local_repo.outputs.dir }} + - name: Maven Central Sync + id: maven-central-sync + continue-on-error: true + uses: SonarSource/gh-action_release/maven-central-sync@v3 + with: + local-repo-dir: ${{ steps.local_repo.outputs.dir }} + env: + OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} + OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + - name: Notify on failure + if: ${{ failure() || steps.maven-central-sync.outcome == 'failure' }} + uses: 8398a7/action-slack@v3 + with: + status: failure + fields: repo,author,eventName + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_BUILD_WEBHOOK }} \ No newline at end of file diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 2f8a773afe..320bd12f22 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -53,6 +53,11 @@ stages: name: jks inputs: secureFile: 'SonarSource-2019-2021.jks' + - task: DownloadSecureFile@1 + displayName: 'Download the sign key' + name: pgpSignKey + inputs: + secureFile: 'sign-key.asc' - template: update-maven-version-steps.yml parameters: mavenSettingsFilePath: $(mavenSettings.secureFilePath) @@ -62,6 +67,7 @@ stages: env: ARTIFACTORY_DEPLOY_USERNAME: $(ARTIFACTORY_DEPLOY_USERNAME) ARTIFACTORY_DEPLOY_PASSWORD: $(ARTIFACTORY_DEPLOY_PASSWORD) + PGP_PASSPHRASE: $(PGP_PASSPHRASE) GIT_SHA1: $(Build.SourceVersion) GITHUB_BRANCH: $(fixedBranch) inputs: 
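Review bot: In the `Get the version` step of the new `maven-central-sync` job, `${{ github.event.release.tag_name }}` is expanded into the script text before bash runs, so a tag name containing quotes or `$(...)` would be executed as shell in a job that has just written the Artifactory API key into the JFrog CLI configuration. Pass the value through the environment instead: add `env:` with `TAG_NAME: ${{ github.event.release.tag_name }}` to the step and change the read to `read major minor patch build <<< "$TAG_NAME"`. Creating a release normally requires write access, so this is defence in depth rather than an open hole. Separately, `jfrog/setup-jfrog-cli@v1` and `8398a7/action-slack@v3` are third-party actions referenced by mutable tag in a job that handles `ARTIFACTORY_API_KEY`, `OSSRH_PASSWORD` and the Slack webhook; pinning each to a full commit SHA (`uses: jfrog/setup-jfrog-cli@<full-commit-sha>  # v1`) keeps a moved tag from changing what runs here.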
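Review bot: In the azure-pipelines.yml hunk at `@@ -53,6 +53,11 @@`, the private signing key is downloaded before the `update-maven-version-steps.yml` template, so the key file is on the agent while steps that never sign anything are running. Moving this `DownloadSecureFile@1` task to directly before the Maven task that receives `-Dsign.keyFile=$(pgpSignKey.secureFilePath)` (the `@@ -69,7 +75,8 @@` hunk) would narrow that window. A comment above the task such as `# PGP private key for the 'sign' Maven profile; passphrase is mapped as PGP_PASSPHRASE on the Maven task` would tie the three azure-pipelines.yml hunks together for the next maintainer. The enclosing job and stage start outside the hunk, so whether this path is restricted to release branches cannot be confirmed from here and is worth checking.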
@@ -69,7 +75,8 @@ stages: options: >- $(commonMavenArguments) --settings $(mavenSettings.secureFilePath) - -Prelease + -Prelease,sign + -Dsign.keyFile=$(pgpSignKey.secureFilePath) -Djarsigner.skip=false -Dsonarsource.keystore.path=$(jks.secureFilePath) -Dsonarsource.keystore.password=$(jksPassword)