Clarify credential environment variable inputs (#1134)
* Clarify credential environment variable inputs Rename credential-related inputs to make their environment-variable semantics explicit while preserving deprecated aliases with migration warnings. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 70a3daa8-dbc9-4eb0-a57b-df198a459315 * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This commit is contained in:
@@ -38,9 +38,9 @@ jobs:
|
|||||||
distribution: 'adopt'
|
distribution: 'adopt'
|
||||||
java-version: '11'
|
java-version: '11'
|
||||||
server-id: maven
|
server-id: maven
|
||||||
server-username: MAVEN_USERNAME
|
server-username-env-var: MAVEN_USERNAME
|
||||||
server-password: MAVEN_CENTRAL_TOKEN
|
server-password-env-var: MAVEN_CENTRAL_TOKEN
|
||||||
gpg-passphrase: MAVEN_GPG_PASSPHRASE
|
gpg-passphrase-env-var: MAVEN_GPG_PASSPHRASE
|
||||||
- name: Validate settings.xml
|
- name: Validate settings.xml
|
||||||
run: |
|
run: |
|
||||||
$xmlPath = Join-Path $HOME ".m2" "settings.xml"
|
$xmlPath = Join-Path $HOME ".m2" "settings.xml"
|
||||||
@@ -93,9 +93,9 @@ jobs:
|
|||||||
distribution: 'adopt'
|
distribution: 'adopt'
|
||||||
java-version: '11'
|
java-version: '11'
|
||||||
server-id: maven
|
server-id: maven
|
||||||
server-username: MAVEN_USERNAME
|
server-username-env-var: MAVEN_USERNAME
|
||||||
server-password: MAVEN_CENTRAL_TOKEN
|
server-password-env-var: MAVEN_CENTRAL_TOKEN
|
||||||
gpg-passphrase: MAVEN_GPG_PASSPHRASE
|
gpg-passphrase-env-var: MAVEN_GPG_PASSPHRASE
|
||||||
- name: Validate settings.xml is overwritten
|
- name: Validate settings.xml is overwritten
|
||||||
run: |
|
run: |
|
||||||
$xmlPath = Join-Path $HOME ".m2" "settings.xml"
|
$xmlPath = Join-Path $HOME ".m2" "settings.xml"
|
||||||
@@ -131,10 +131,10 @@ jobs:
|
|||||||
distribution: 'adopt'
|
distribution: 'adopt'
|
||||||
java-version: '11'
|
java-version: '11'
|
||||||
server-id: maven
|
server-id: maven
|
||||||
server-username: MAVEN_USERNAME
|
server-username-env-var: MAVEN_USERNAME
|
||||||
server-password: MAVEN_CENTRAL_TOKEN
|
server-password-env-var: MAVEN_CENTRAL_TOKEN
|
||||||
overwrite-settings: false
|
overwrite-settings: false
|
||||||
gpg-passphrase: MAVEN_GPG_PASSPHRASE
|
gpg-passphrase-env-var: MAVEN_GPG_PASSPHRASE
|
||||||
- name: Validate that settings.xml is not overwritten
|
- name: Validate that settings.xml is not overwritten
|
||||||
run: |
|
run: |
|
||||||
$xmlPath = Join-Path $HOME ".m2" "settings.xml"
|
$xmlPath = Join-Path $HOME ".m2" "settings.xml"
|
||||||
@@ -164,9 +164,9 @@ jobs:
|
|||||||
distribution: 'adopt'
|
distribution: 'adopt'
|
||||||
java-version: '11'
|
java-version: '11'
|
||||||
server-id: maven
|
server-id: maven
|
||||||
server-username: MAVEN_USERNAME
|
server-username-env-var: MAVEN_USERNAME
|
||||||
server-password: MAVEN_CENTRAL_TOKEN
|
server-password-env-var: MAVEN_CENTRAL_TOKEN
|
||||||
gpg-passphrase: MAVEN_GPG_PASSPHRASE
|
gpg-passphrase-env-var: MAVEN_GPG_PASSPHRASE
|
||||||
settings-path: ${{ runner.temp }}
|
settings-path: ${{ runner.temp }}
|
||||||
- name: Validate settings.xml location
|
- name: Validate settings.xml location
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
@@ -23,11 +23,13 @@ This action allows you to work with Java and Scala projects.
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> V6 is still in development (`main` branch) and is not yet recommended for production workflows.
|
> V6 is still in development (`main` branch) and is not yet recommended for production workflows.
|
||||||
|
|
||||||
- **Migrated to ESM** to enable support for the latest `@actions/*` package versions. This is an internal implementation change only. No changes are required to your workflow configuration, and the action's behavior is unchanged. Existing workflows continue to work as before.
|
- **Migrated to ESM** to enable support for the latest `@actions/*` package versions. This is an internal implementation change.
|
||||||
|
|
||||||
## Breaking changes in V6
|
## Breaking changes in V6
|
||||||
|
|
||||||
- **The GPG passphrase is now passed to the Maven GPG Plugin through an environment variable (`gpg.passphraseEnvName`) instead of the deprecated `gpg.passphrase` server in `settings.xml`.** The `gpg-passphrase` input and its default (`GPG_PASSPHRASE`) are unchanged, so if you already set that environment variable in your build step your workflow keeps working. However, this now requires `maven-gpg-plugin` **3.2.0 or newer**; older versions do not honor `gpg.passphraseEnvName` and, because the `gpg.passphrase` server is no longer written, will not pick up the passphrase. Upgrade the plugin to 3.2.0+.
|
- **Renamed inputs that accept environment-variable names** to make it clear that their values are not credentials. Replace `server-username`, `server-password`, and `gpg-passphrase` with `server-username-env-var`, `server-password-env-var`, and `gpg-passphrase-env-var`, respectively. The old names remain as deprecated aliases and emit a warning when used.
|
||||||
|
|
||||||
|
- **The GPG passphrase is now passed to the Maven GPG Plugin through an environment variable (`gpg.passphraseEnvName`) instead of the deprecated `gpg.passphrase` server in `settings.xml`.** Set the environment variable name with `gpg-passphrase-env-var`, which defaults to `GPG_PASSPHRASE`. This requires `maven-gpg-plugin` **3.2.0 or newer**; older versions do not honor `gpg.passphraseEnvName` and, because the `gpg.passphrase` server is no longer written, will not pick up the passphrase. Upgrade the plugin to 3.2.0+.
|
||||||
|
|
||||||
See [GPG](docs/advanced-usage.md#gpg) for details.
|
See [GPG](docs/advanced-usage.md#gpg) for details.
|
||||||
|
|
||||||
@@ -75,15 +77,15 @@ For more details, see the full release notes on the [releases page](https://git
|
|||||||
|
|
||||||
- `server-id`: ID of the distributionManagement repository in the pom.xml file. Default is `github`.
|
- `server-id`: ID of the distributionManagement repository in the pom.xml file. Default is `github`.
|
||||||
|
|
||||||
- `server-username`: Environment variable name for the username for authentication to the Apache Maven repository. Default is GITHUB\_ACTOR.
|
- `server-username-env-var`: Environment variable name for the username for authentication to the Apache Maven repository. Default is GITHUB\_ACTOR.
|
||||||
|
|
||||||
- `server-password`: Environment variable name for password or token for authentication to the Apache Maven repository. Default is GITHUB\_TOKEN.
|
- `server-password-env-var`: Environment variable name for password or token for authentication to the Apache Maven repository. Default is GITHUB\_TOKEN.
|
||||||
|
|
||||||
- `settings-path`: Maven related setting to point to the directory where the settings.xml file will be written. Default is \~/.m2.
|
- `settings-path`: Maven related setting to point to the directory where the settings.xml file will be written. Default is \~/.m2.
|
||||||
|
|
||||||
- `gpg-private-key`: GPG private key to import. Default is empty string.
|
- `gpg-private-key`: GPG private key to import. Default is empty string.
|
||||||
|
|
||||||
- `gpg-passphrase`: Environment variable name for the GPG private key passphrase. Default is GPG\_PASSPHRASE.
|
- `gpg-passphrase-env-var`: Environment variable name for the GPG private key passphrase. Default is GPG\_PASSPHRASE.
|
||||||
|
|
||||||
- `mvn-toolchain-id`: Name of Maven Toolchain ID if the default name of `${distribution}_${java-version}` is not wanted.
|
- `mvn-toolchain-id`: Name of Maven Toolchain ID if the default name of `${distribution}_${java-version}` is not wanted.
|
||||||
|
|
||||||
|
|||||||
@@ -270,4 +270,55 @@ describe('auth tests', () => {
|
|||||||
expectedSettings
|
expectedSettings
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('uses deprecated input aliases and warns', () => {
|
||||||
|
const mockGetInput = core.getInput as jest.MockedFunction<
|
||||||
|
typeof core.getInput
|
||||||
|
>;
|
||||||
|
const mockWarning = core.warning as jest.MockedFunction<
|
||||||
|
typeof core.warning
|
||||||
|
>;
|
||||||
|
mockGetInput.mockImplementation(name =>
|
||||||
|
name === 'server-username' ? 'LEGACY_USERNAME' : ''
|
||||||
|
);
|
||||||
|
|
||||||
|
expect(
|
||||||
|
auth.getInputWithDeprecatedAlias(
|
||||||
|
'server-username-env-var',
|
||||||
|
'server-username',
|
||||||
|
'GITHUB_ACTOR'
|
||||||
|
)
|
||||||
|
).toBe('LEGACY_USERNAME');
|
||||||
|
expect(mockWarning).toHaveBeenCalledWith(
|
||||||
|
"The 'server-username' input is deprecated and may be removed in a future release. Please use 'server-username-env-var' instead."
|
||||||
|
);
|
||||||
|
|
||||||
|
mockGetInput.mockReset();
|
||||||
|
mockWarning.mockReset();
|
||||||
|
});
|
||||||
|
|
||||||
|
it('prefers the replacement input over its deprecated alias', () => {
|
||||||
|
const mockGetInput = core.getInput as jest.MockedFunction<
|
||||||
|
typeof core.getInput
|
||||||
|
>;
|
||||||
|
mockGetInput.mockImplementation(name => {
|
||||||
|
const inputs: Record<string, string> = {
|
||||||
|
'server-password-env-var': 'NEW_PASSWORD',
|
||||||
|
'server-password': 'LEGACY_PASSWORD'
|
||||||
|
};
|
||||||
|
return inputs[name] || '';
|
||||||
|
});
|
||||||
|
|
||||||
|
expect(
|
||||||
|
auth.getInputWithDeprecatedAlias(
|
||||||
|
'server-password-env-var',
|
||||||
|
'server-password',
|
||||||
|
'GITHUB_TOKEN'
|
||||||
|
)
|
||||||
|
).toBe('NEW_PASSWORD');
|
||||||
|
expect(core.warning).toHaveBeenCalled();
|
||||||
|
|
||||||
|
mockGetInput.mockReset();
|
||||||
|
(core.warning as jest.Mock).mockReset();
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|||||||
+12
-5
@@ -46,16 +46,20 @@ inputs:
|
|||||||
file. Default is `github`'
|
file. Default is `github`'
|
||||||
required: false
|
required: false
|
||||||
default: 'github'
|
default: 'github'
|
||||||
server-username:
|
server-username-env-var:
|
||||||
description: 'Environment variable name for the username for authentication
|
description: 'Environment variable name for the username for authentication
|
||||||
to the Apache Maven repository. Default is $GITHUB_ACTOR'
|
to the Apache Maven repository. Default is $GITHUB_ACTOR'
|
||||||
required: false
|
required: false
|
||||||
default: 'GITHUB_ACTOR'
|
server-username:
|
||||||
server-password:
|
description: 'Deprecated alias for server-username-env-var'
|
||||||
|
required: false
|
||||||
|
server-password-env-var:
|
||||||
description: 'Environment variable name for password or token for
|
description: 'Environment variable name for password or token for
|
||||||
authentication to the Apache Maven repository. Default is $GITHUB_TOKEN'
|
authentication to the Apache Maven repository. Default is $GITHUB_TOKEN'
|
||||||
required: false
|
required: false
|
||||||
default: 'GITHUB_TOKEN'
|
server-password:
|
||||||
|
description: 'Deprecated alias for server-password-env-var'
|
||||||
|
required: false
|
||||||
settings-path:
|
settings-path:
|
||||||
description: 'Path to where the settings.xml file will be written. Default is ~/.m2.'
|
description: 'Path to where the settings.xml file will be written. Default is ~/.m2.'
|
||||||
required: false
|
required: false
|
||||||
@@ -67,8 +71,11 @@ inputs:
|
|||||||
description: 'GPG private key to import. Default is empty string.'
|
description: 'GPG private key to import. Default is empty string.'
|
||||||
required: false
|
required: false
|
||||||
default: ''
|
default: ''
|
||||||
|
gpg-passphrase-env-var:
|
||||||
|
description: 'Environment variable name for the GPG private key passphrase. Defaults to GPG_PASSPHRASE when gpg-private-key is set.'
|
||||||
|
required: false
|
||||||
gpg-passphrase:
|
gpg-passphrase:
|
||||||
description: 'Environment variable name for the GPG private key passphrase. Defaults to GPG_PASSPHRASE when gpg-private-key is set; ignored otherwise.'
|
description: 'Deprecated alias for gpg-passphrase-env-var'
|
||||||
required: false
|
required: false
|
||||||
cache:
|
cache:
|
||||||
description: 'Name of the build platform to cache dependencies. It can be "maven", "gradle" or "sbt".'
|
description: 'Name of the build platform to cache dependencies. It can be "maven", "gradle" or "sbt".'
|
||||||
|
|||||||
Vendored
+8
-3
@@ -95928,12 +95928,17 @@ const INPUT_PROBLEM_MATCHER = 'problem-matcher';
|
|||||||
const INPUT_VERIFY_SIGNATURE = 'verify-signature';
|
const INPUT_VERIFY_SIGNATURE = 'verify-signature';
|
||||||
const INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key';
|
const INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key';
|
||||||
const INPUT_SERVER_ID = 'server-id';
|
const INPUT_SERVER_ID = 'server-id';
|
||||||
const INPUT_SERVER_USERNAME = 'server-username';
|
const INPUT_SERVER_USERNAME_ENV_VAR = 'server-username-env-var';
|
||||||
const INPUT_SERVER_PASSWORD = 'server-password';
|
const INPUT_SERVER_PASSWORD_ENV_VAR = 'server-password-env-var';
|
||||||
|
const INPUT_SERVER_USERNAME_DEPRECATED = 'server-username';
|
||||||
|
const INPUT_SERVER_PASSWORD_DEPRECATED = 'server-password';
|
||||||
const INPUT_SETTINGS_PATH = 'settings-path';
|
const INPUT_SETTINGS_PATH = 'settings-path';
|
||||||
const INPUT_OVERWRITE_SETTINGS = 'overwrite-settings';
|
const INPUT_OVERWRITE_SETTINGS = 'overwrite-settings';
|
||||||
const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key';
|
const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key';
|
||||||
const INPUT_GPG_PASSPHRASE = 'gpg-passphrase';
|
const INPUT_GPG_PASSPHRASE_ENV_VAR = 'gpg-passphrase-env-var';
|
||||||
|
const INPUT_GPG_PASSPHRASE_DEPRECATED = 'gpg-passphrase';
|
||||||
|
const INPUT_DEFAULT_SERVER_USERNAME = 'GITHUB_ACTOR';
|
||||||
|
const INPUT_DEFAULT_SERVER_PASSWORD = 'GITHUB_TOKEN';
|
||||||
const INPUT_DEFAULT_GPG_PRIVATE_KEY = (/* unused pure expression or super */ null && (undefined));
|
const INPUT_DEFAULT_GPG_PRIVATE_KEY = (/* unused pure expression or super */ null && (undefined));
|
||||||
const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE';
|
const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE';
|
||||||
// The default name of the environment variable the maven-gpg-plugin reads the
|
// The default name of the environment variable the maven-gpg-plugin reads the
|
||||||
|
|||||||
Vendored
+28
-16
@@ -73287,12 +73287,17 @@ const INPUT_PROBLEM_MATCHER = 'problem-matcher';
|
|||||||
const INPUT_VERIFY_SIGNATURE = 'verify-signature';
|
const INPUT_VERIFY_SIGNATURE = 'verify-signature';
|
||||||
const INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key';
|
const INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key';
|
||||||
const INPUT_SERVER_ID = 'server-id';
|
const INPUT_SERVER_ID = 'server-id';
|
||||||
const INPUT_SERVER_USERNAME = 'server-username';
|
const INPUT_SERVER_USERNAME_ENV_VAR = 'server-username-env-var';
|
||||||
const INPUT_SERVER_PASSWORD = 'server-password';
|
const INPUT_SERVER_PASSWORD_ENV_VAR = 'server-password-env-var';
|
||||||
|
const INPUT_SERVER_USERNAME_DEPRECATED = 'server-username';
|
||||||
|
const INPUT_SERVER_PASSWORD_DEPRECATED = 'server-password';
|
||||||
const INPUT_SETTINGS_PATH = 'settings-path';
|
const INPUT_SETTINGS_PATH = 'settings-path';
|
||||||
const INPUT_OVERWRITE_SETTINGS = 'overwrite-settings';
|
const INPUT_OVERWRITE_SETTINGS = 'overwrite-settings';
|
||||||
const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key';
|
const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key';
|
||||||
const INPUT_GPG_PASSPHRASE = 'gpg-passphrase';
|
const INPUT_GPG_PASSPHRASE_ENV_VAR = 'gpg-passphrase-env-var';
|
||||||
|
const INPUT_GPG_PASSPHRASE_DEPRECATED = 'gpg-passphrase';
|
||||||
|
const INPUT_DEFAULT_SERVER_USERNAME = 'GITHUB_ACTOR';
|
||||||
|
const INPUT_DEFAULT_SERVER_PASSWORD = 'GITHUB_TOKEN';
|
||||||
const INPUT_DEFAULT_GPG_PRIVATE_KEY = undefined;
|
const INPUT_DEFAULT_GPG_PRIVATE_KEY = undefined;
|
||||||
const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE';
|
const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE';
|
||||||
// The default name of the environment variable the maven-gpg-plugin reads the
|
// The default name of the environment variable the maven-gpg-plugin reads the
|
||||||
@@ -127359,34 +127364,41 @@ async function verifyPackageSignature(archivePath, signatureUrl, publicKeyConten
|
|||||||
|
|
||||||
async function configureAuthentication() {
|
async function configureAuthentication() {
|
||||||
const id = getInput(INPUT_SERVER_ID);
|
const id = getInput(INPUT_SERVER_ID);
|
||||||
const username = getInput(INPUT_SERVER_USERNAME);
|
const usernameEnvVar = getInputWithDeprecatedAlias(INPUT_SERVER_USERNAME_ENV_VAR, INPUT_SERVER_USERNAME_DEPRECATED, INPUT_DEFAULT_SERVER_USERNAME);
|
||||||
const password = getInput(INPUT_SERVER_PASSWORD);
|
const passwordEnvVar = getInputWithDeprecatedAlias(INPUT_SERVER_PASSWORD_ENV_VAR, INPUT_SERVER_PASSWORD_DEPRECATED, INPUT_DEFAULT_SERVER_PASSWORD);
|
||||||
const settingsDirectory = getInput(INPUT_SETTINGS_PATH) ||
|
const settingsDirectory = getInput(INPUT_SETTINGS_PATH) ||
|
||||||
external_path_.join(external_os_.homedir(), M2_DIR);
|
external_path_.join(external_os_.homedir(), M2_DIR);
|
||||||
const overwriteSettings = util_getBooleanInput(INPUT_OVERWRITE_SETTINGS, true);
|
const overwriteSettings = util_getBooleanInput(INPUT_OVERWRITE_SETTINGS, true);
|
||||||
const gpgPrivateKey = getInput(INPUT_GPG_PRIVATE_KEY) ||
|
const gpgPrivateKey = getInput(INPUT_GPG_PRIVATE_KEY) ||
|
||||||
INPUT_DEFAULT_GPG_PRIVATE_KEY;
|
INPUT_DEFAULT_GPG_PRIVATE_KEY;
|
||||||
const gpgPassphrase = getInput(INPUT_GPG_PASSPHRASE) ||
|
const gpgPassphraseEnvVar = getInputWithDeprecatedAlias(INPUT_GPG_PASSPHRASE_ENV_VAR, INPUT_GPG_PASSPHRASE_DEPRECATED, gpgPrivateKey ? INPUT_DEFAULT_GPG_PASSPHRASE : undefined);
|
||||||
(gpgPrivateKey ? INPUT_DEFAULT_GPG_PASSPHRASE : undefined);
|
|
||||||
if (gpgPrivateKey) {
|
if (gpgPrivateKey) {
|
||||||
core_setSecret(gpgPrivateKey);
|
core_setSecret(gpgPrivateKey);
|
||||||
}
|
}
|
||||||
await createAuthenticationSettings(id, username, password, settingsDirectory, overwriteSettings, gpgPassphrase);
|
await createAuthenticationSettings(id, usernameEnvVar, passwordEnvVar, settingsDirectory, overwriteSettings, gpgPassphraseEnvVar);
|
||||||
if (gpgPrivateKey) {
|
if (gpgPrivateKey) {
|
||||||
info('Importing private gpg key');
|
info('Importing private gpg key');
|
||||||
const keyFingerprint = (await importKey(gpgPrivateKey)) || '';
|
const keyFingerprint = (await importKey(gpgPrivateKey)) || '';
|
||||||
saveState(STATE_GPG_PRIVATE_KEY_FINGERPRINT, keyFingerprint);
|
saveState(STATE_GPG_PRIVATE_KEY_FINGERPRINT, keyFingerprint);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
async function createAuthenticationSettings(id, username, password, settingsDirectory, overwriteSettings, gpgPassphrase = undefined) {
|
function getInputWithDeprecatedAlias(inputName, deprecatedInputName, defaultValue) {
|
||||||
|
const value = getInput(inputName);
|
||||||
|
const deprecatedValue = getInput(deprecatedInputName);
|
||||||
|
if (deprecatedValue) {
|
||||||
|
warning(`The '${deprecatedInputName}' input is deprecated and may be removed in a future release. Please use '${inputName}' instead.`);
|
||||||
|
}
|
||||||
|
return value || deprecatedValue || defaultValue || '';
|
||||||
|
}
|
||||||
|
async function createAuthenticationSettings(id, usernameEnvVar, passwordEnvVar, settingsDirectory, overwriteSettings, gpgPassphraseEnvVar = undefined) {
|
||||||
info(`Creating ${MVN_SETTINGS_FILE} with server-id: ${id}`);
|
info(`Creating ${MVN_SETTINGS_FILE} with server-id: ${id}`);
|
||||||
// when an alternate m2 location is specified use only that location (no .m2 directory)
|
// when an alternate m2 location is specified use only that location (no .m2 directory)
|
||||||
// otherwise use the home/.m2/ path
|
// otherwise use the home/.m2/ path
|
||||||
await mkdirP(settingsDirectory);
|
await mkdirP(settingsDirectory);
|
||||||
await write(settingsDirectory, generate(id, username, password, gpgPassphrase), overwriteSettings);
|
await write(settingsDirectory, generate(id, usernameEnvVar, passwordEnvVar, gpgPassphraseEnvVar), overwriteSettings);
|
||||||
}
|
}
|
||||||
// only exported for testing purposes
|
// only exported for testing purposes
|
||||||
function generate(id, username, password, gpgPassphrase) {
|
function generate(id, usernameEnvVar, passwordEnvVar, gpgPassphraseEnvVar) {
|
||||||
const xmlObj = {
|
const xmlObj = {
|
||||||
settings: {
|
settings: {
|
||||||
'@xmlns': 'http://maven.apache.org/SETTINGS/1.0.0',
|
'@xmlns': 'http://maven.apache.org/SETTINGS/1.0.0',
|
||||||
@@ -127397,8 +127409,8 @@ function generate(id, username, password, gpgPassphrase) {
|
|||||||
server: [
|
server: [
|
||||||
{
|
{
|
||||||
id: id,
|
id: id,
|
||||||
username: `\${env.${username}}`,
|
username: `\${env.${usernameEnvVar}}`,
|
||||||
password: `\${env.${password}}`
|
password: `\${env.${passwordEnvVar}}`
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@@ -127410,13 +127422,13 @@ function generate(id, username, password, gpgPassphrase) {
|
|||||||
// otherwise the plugin already reads the right variable and no extra settings
|
// otherwise the plugin already reads the right variable and no extra settings
|
||||||
// are needed. Writing `gpg.passphrase` to settings.xml is deprecated and fails
|
// are needed. Writing `gpg.passphrase` to settings.xml is deprecated and fails
|
||||||
// when the plugin's `bestPractices` mode is enabled.
|
// when the plugin's `bestPractices` mode is enabled.
|
||||||
if (gpgPassphrase &&
|
if (gpgPassphraseEnvVar &&
|
||||||
gpgPassphrase !== MAVEN_GPG_PASSPHRASE_DEFAULT_ENV) {
|
gpgPassphraseEnvVar !== MAVEN_GPG_PASSPHRASE_DEFAULT_ENV) {
|
||||||
xmlObj.settings.profiles = {
|
xmlObj.settings.profiles = {
|
||||||
profile: {
|
profile: {
|
||||||
id: GPG_PASSPHRASE_PROFILE_ID,
|
id: GPG_PASSPHRASE_PROFILE_ID,
|
||||||
properties: {
|
properties: {
|
||||||
'gpg.passphraseEnvName': gpgPassphrase
|
'gpg.passphraseEnvName': gpgPassphraseEnvVar
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|||||||
+11
-11
@@ -598,8 +598,8 @@ jobs:
|
|||||||
distribution: 'temurin'
|
distribution: 'temurin'
|
||||||
java-version: '11'
|
java-version: '11'
|
||||||
server-id: maven # Value of the distributionManagement/repository/id field of the pom.xml
|
server-id: maven # Value of the distributionManagement/repository/id field of the pom.xml
|
||||||
server-username: MAVEN_USERNAME # env variable for username in deploy
|
server-username-env-var: MAVEN_USERNAME # env variable for username in deploy
|
||||||
server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
|
server-password-env-var: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
|
||||||
|
|
||||||
- name: Publish to Apache Maven Central
|
- name: Publish to Apache Maven Central
|
||||||
run: mvn deploy -Dgpg.signer=bc # requires maven-gpg-plugin >= 3.2.0 (bc signer support)
|
run: mvn deploy -Dgpg.signer=bc # requires maven-gpg-plugin >= 3.2.0 (bc signer support)
|
||||||
@@ -660,9 +660,9 @@ See the help docs on [Publishing a Package](https://help.github.com/en/github/ma
|
|||||||
|
|
||||||
#### Legacy / alternative: let setup-java import the key
|
#### Legacy / alternative: let setup-java import the key
|
||||||
|
|
||||||
If you prefer signing with the `gpg` executable (for example because you are using `maven-gpg-plugin` older than 3.2.0), you can let setup-java import the key instead by providing the `gpg-private-key` and `gpg-passphrase` inputs. The private key is written to a file in the runner's temp directory, imported into the GPG keychain, and the file is promptly removed before proceeding with the rest of the setup process. A cleanup step removes the imported private key from the GPG keychain after the job completes regardless of the job status. This ensures that the private key is no longer accessible on self-hosted runners and cannot "leak" between jobs (hosted runners are always clean instances).
|
If you prefer signing with the `gpg` executable (for example because you are using `maven-gpg-plugin` older than 3.2.0), you can let setup-java import the key instead by providing the `gpg-private-key` and `gpg-passphrase-env-var` inputs. The private key is written to a file in the runner's temp directory, imported into the GPG keychain, and the file is promptly removed before proceeding with the rest of the setup process. A cleanup step removes the imported private key from the GPG keychain after the job completes regardless of the job status. This ensures that the private key is no longer accessible on self-hosted runners and cannot "leak" between jobs (hosted runners are always clean instances).
|
||||||
|
|
||||||
setup-java imports the key independently of the plugin version, but the generated passphrase profile described below uses `gpg.passphraseEnvName`, which requires `maven-gpg-plugin` 3.2.0 or newer. Since `gpg-passphrase` defaults to `GPG_PASSPHRASE`, setup-java writes that profile unless you override the input to `MAVEN_GPG_PASSPHRASE`.
|
setup-java imports the key independently of the plugin version, but the generated passphrase profile described below uses `gpg.passphraseEnvName`, which requires `maven-gpg-plugin` 3.2.0 or newer. Since `gpg-passphrase-env-var` defaults to `GPG_PASSPHRASE`, setup-java writes that profile unless you override the input to `MAVEN_GPG_PASSPHRASE`.
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- name: Set up Apache Maven Central
|
- name: Set up Apache Maven Central
|
||||||
@@ -671,10 +671,10 @@ setup-java imports the key independently of the plugin version, but the generate
|
|||||||
distribution: 'temurin'
|
distribution: 'temurin'
|
||||||
java-version: '11'
|
java-version: '11'
|
||||||
server-id: maven # Value of the distributionManagement/repository/id field of the pom.xml
|
server-id: maven # Value of the distributionManagement/repository/id field of the pom.xml
|
||||||
server-username: MAVEN_USERNAME # env variable for username in deploy
|
server-username-env-var: MAVEN_USERNAME # env variable for username in deploy
|
||||||
server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
|
server-password-env-var: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
|
||||||
gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
|
gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
|
||||||
gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
|
gpg-passphrase-env-var: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
|
||||||
|
|
||||||
- name: Publish to Apache Maven Central
|
- name: Publish to Apache Maven Central
|
||||||
run: mvn deploy
|
run: mvn deploy
|
||||||
@@ -684,10 +684,10 @@ setup-java imports the key independently of the plugin version, but the generate
|
|||||||
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
|
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
|
||||||
```
|
```
|
||||||
|
|
||||||
The `gpg-passphrase` input is the **name of the environment variable** that holds the passphrase (not the passphrase itself). It defaults to `GPG_PASSPHRASE`. The [Maven GPG Plugin](https://maven.apache.org/plugins/maven-gpg-plugin/) reads the passphrase from the environment variable named by its `gpg.passphraseEnvName` property, whose own default is `MAVEN_GPG_PASSPHRASE`.
|
The `gpg-passphrase-env-var` input is the **name of the environment variable** that holds the passphrase (not the passphrase itself). It defaults to `GPG_PASSPHRASE`. The [Maven GPG Plugin](https://maven.apache.org/plugins/maven-gpg-plugin/) reads the passphrase from the environment variable named by its `gpg.passphraseEnvName` property, whose own default is `MAVEN_GPG_PASSPHRASE`.
|
||||||
|
|
||||||
- If `gpg-passphrase` is `MAVEN_GPG_PASSPHRASE`, the plugin already reads that variable by default, so setup-java writes nothing extra to `settings.xml`.
|
- If `gpg-passphrase-env-var` is `MAVEN_GPG_PASSPHRASE`, the plugin already reads that variable by default, so setup-java writes nothing extra to `settings.xml`.
|
||||||
- Otherwise (including the default `GPG_PASSPHRASE`), setup-java configures `gpg.passphraseEnvName` through an active profile in the generated `settings.xml` so the plugin reads the passphrase from that variable. For the default `gpg-passphrase: GPG_PASSPHRASE`:
|
- Otherwise (including the default `GPG_PASSPHRASE`), setup-java configures `gpg.passphraseEnvName` through an active profile in the generated `settings.xml` so the plugin reads the passphrase from that variable. For the default `gpg-passphrase-env-var: GPG_PASSPHRASE`:
|
||||||
|
|
||||||
```xml
|
```xml
|
||||||
<profiles>
|
<profiles>
|
||||||
@@ -703,7 +703,7 @@ The `gpg-passphrase` input is the **name of the environment variable** that hold
|
|||||||
</activeProfiles>
|
</activeProfiles>
|
||||||
```
|
```
|
||||||
|
|
||||||
> **Note:** Earlier versions of setup-java wrote a `gpg.passphrase` server to `settings.xml`. That mechanism is deprecated by the Maven GPG Plugin and fails when its `bestPractices` mode is enabled, so setup-java now relies on `gpg.passphraseEnvName` instead. The `gpg-passphrase` input and its `GPG_PASSPHRASE` default are unchanged, so existing workflows that set the `GPG_PASSPHRASE` environment variable keep working.
|
> **Note:** Earlier versions of setup-java wrote a `gpg.passphrase` server to `settings.xml`. That mechanism is deprecated by the Maven GPG Plugin and fails when its `bestPractices` mode is enabled, so setup-java now relies on `gpg.passphraseEnvName` instead. Set the environment variable name with `gpg-passphrase-env-var`, which defaults to `GPG_PASSPHRASE`.
|
||||||
|
|
||||||
> **Compatibility note:** Reading the passphrase from an environment variable (`gpg.passphraseEnvName`) requires `maven-gpg-plugin` 3.2.0 or newer. Older versions do not honor this property and will not pick up the passphrase, because setup-java no longer writes the deprecated `gpg.passphrase` server to `settings.xml`. If you are pinned to `maven-gpg-plugin` older than 3.2.0, upgrade to 3.2.0+.
|
> **Compatibility note:** Reading the passphrase from an environment variable (`gpg.passphraseEnvName`) requires `maven-gpg-plugin` 3.2.0 or newer. Older versions do not honor this property and will not pick up the passphrase, because setup-java no longer writes the deprecated `gpg.passphrase` server to `settings.xml`. If you are pinned to `maven-gpg-plugin` older than 3.2.0, upgrade to 3.2.0+.
|
||||||
|
|
||||||
|
|||||||
+47
-20
@@ -12,8 +12,16 @@ import {getBooleanInput} from './util.js';
|
|||||||
|
|
||||||
export async function configureAuthentication() {
|
export async function configureAuthentication() {
|
||||||
const id = core.getInput(constants.INPUT_SERVER_ID);
|
const id = core.getInput(constants.INPUT_SERVER_ID);
|
||||||
const username = core.getInput(constants.INPUT_SERVER_USERNAME);
|
const usernameEnvVar = getInputWithDeprecatedAlias(
|
||||||
const password = core.getInput(constants.INPUT_SERVER_PASSWORD);
|
constants.INPUT_SERVER_USERNAME_ENV_VAR,
|
||||||
|
constants.INPUT_SERVER_USERNAME_DEPRECATED,
|
||||||
|
constants.INPUT_DEFAULT_SERVER_USERNAME
|
||||||
|
);
|
||||||
|
const passwordEnvVar = getInputWithDeprecatedAlias(
|
||||||
|
constants.INPUT_SERVER_PASSWORD_ENV_VAR,
|
||||||
|
constants.INPUT_SERVER_PASSWORD_DEPRECATED,
|
||||||
|
constants.INPUT_DEFAULT_SERVER_PASSWORD
|
||||||
|
);
|
||||||
const settingsDirectory =
|
const settingsDirectory =
|
||||||
core.getInput(constants.INPUT_SETTINGS_PATH) ||
|
core.getInput(constants.INPUT_SETTINGS_PATH) ||
|
||||||
path.join(os.homedir(), constants.M2_DIR);
|
path.join(os.homedir(), constants.M2_DIR);
|
||||||
@@ -24,9 +32,11 @@ export async function configureAuthentication() {
|
|||||||
const gpgPrivateKey =
|
const gpgPrivateKey =
|
||||||
core.getInput(constants.INPUT_GPG_PRIVATE_KEY) ||
|
core.getInput(constants.INPUT_GPG_PRIVATE_KEY) ||
|
||||||
constants.INPUT_DEFAULT_GPG_PRIVATE_KEY;
|
constants.INPUT_DEFAULT_GPG_PRIVATE_KEY;
|
||||||
const gpgPassphrase =
|
const gpgPassphraseEnvVar = getInputWithDeprecatedAlias(
|
||||||
core.getInput(constants.INPUT_GPG_PASSPHRASE) ||
|
constants.INPUT_GPG_PASSPHRASE_ENV_VAR,
|
||||||
(gpgPrivateKey ? constants.INPUT_DEFAULT_GPG_PASSPHRASE : undefined);
|
constants.INPUT_GPG_PASSPHRASE_DEPRECATED,
|
||||||
|
gpgPrivateKey ? constants.INPUT_DEFAULT_GPG_PASSPHRASE : undefined
|
||||||
|
);
|
||||||
|
|
||||||
if (gpgPrivateKey) {
|
if (gpgPrivateKey) {
|
||||||
core.setSecret(gpgPrivateKey);
|
core.setSecret(gpgPrivateKey);
|
||||||
@@ -34,11 +44,11 @@ export async function configureAuthentication() {
|
|||||||
|
|
||||||
await createAuthenticationSettings(
|
await createAuthenticationSettings(
|
||||||
id,
|
id,
|
||||||
username,
|
usernameEnvVar,
|
||||||
password,
|
passwordEnvVar,
|
||||||
settingsDirectory,
|
settingsDirectory,
|
||||||
overwriteSettings,
|
overwriteSettings,
|
||||||
gpgPassphrase
|
gpgPassphraseEnvVar
|
||||||
);
|
);
|
||||||
|
|
||||||
if (gpgPrivateKey) {
|
if (gpgPrivateKey) {
|
||||||
@@ -48,13 +58,30 @@ export async function configureAuthentication() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export function getInputWithDeprecatedAlias(
|
||||||
|
inputName: string,
|
||||||
|
deprecatedInputName: string,
|
||||||
|
defaultValue?: string
|
||||||
|
): string {
|
||||||
|
const value = core.getInput(inputName);
|
||||||
|
const deprecatedValue = core.getInput(deprecatedInputName);
|
||||||
|
|
||||||
|
if (deprecatedValue) {
|
||||||
|
core.warning(
|
||||||
|
`The '${deprecatedInputName}' input is deprecated and may be removed in a future release. Please use '${inputName}' instead.`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
return value || deprecatedValue || defaultValue || '';
|
||||||
|
}
|
||||||
|
|
||||||
export async function createAuthenticationSettings(
|
export async function createAuthenticationSettings(
|
||||||
id: string,
|
id: string,
|
||||||
username: string,
|
usernameEnvVar: string,
|
||||||
password: string,
|
passwordEnvVar: string,
|
||||||
settingsDirectory: string,
|
settingsDirectory: string,
|
||||||
overwriteSettings: boolean,
|
overwriteSettings: boolean,
|
||||||
gpgPassphrase: string | undefined = undefined
|
gpgPassphraseEnvVar: string | undefined = undefined
|
||||||
) {
|
) {
|
||||||
core.info(`Creating ${constants.MVN_SETTINGS_FILE} with server-id: ${id}`);
|
core.info(`Creating ${constants.MVN_SETTINGS_FILE} with server-id: ${id}`);
|
||||||
// when an alternate m2 location is specified use only that location (no .m2 directory)
|
// when an alternate m2 location is specified use only that location (no .m2 directory)
|
||||||
@@ -62,7 +89,7 @@ export async function createAuthenticationSettings(
|
|||||||
await io.mkdirP(settingsDirectory);
|
await io.mkdirP(settingsDirectory);
|
||||||
await write(
|
await write(
|
||||||
settingsDirectory,
|
settingsDirectory,
|
||||||
generate(id, username, password, gpgPassphrase),
|
generate(id, usernameEnvVar, passwordEnvVar, gpgPassphraseEnvVar),
|
||||||
overwriteSettings
|
overwriteSettings
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
@@ -70,9 +97,9 @@ export async function createAuthenticationSettings(
|
|||||||
// only exported for testing purposes
|
// only exported for testing purposes
|
||||||
export function generate(
|
export function generate(
|
||||||
id: string,
|
id: string,
|
||||||
username: string,
|
usernameEnvVar: string,
|
||||||
password: string,
|
passwordEnvVar: string,
|
||||||
gpgPassphrase?: string | undefined
|
gpgPassphraseEnvVar?: string | undefined
|
||||||
) {
|
) {
|
||||||
const xmlObj: {[key: string]: any} = {
|
const xmlObj: {[key: string]: any} = {
|
||||||
settings: {
|
settings: {
|
||||||
@@ -85,8 +112,8 @@ export function generate(
|
|||||||
server: [
|
server: [
|
||||||
{
|
{
|
||||||
id: id,
|
id: id,
|
||||||
username: `\${env.${username}}`,
|
username: `\${env.${usernameEnvVar}}`,
|
||||||
password: `\${env.${password}}`
|
password: `\${env.${passwordEnvVar}}`
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@@ -100,14 +127,14 @@ export function generate(
|
|||||||
// are needed. Writing `gpg.passphrase` to settings.xml is deprecated and fails
|
// are needed. Writing `gpg.passphrase` to settings.xml is deprecated and fails
|
||||||
// when the plugin's `bestPractices` mode is enabled.
|
// when the plugin's `bestPractices` mode is enabled.
|
||||||
if (
|
if (
|
||||||
gpgPassphrase &&
|
gpgPassphraseEnvVar &&
|
||||||
gpgPassphrase !== constants.MAVEN_GPG_PASSPHRASE_DEFAULT_ENV
|
gpgPassphraseEnvVar !== constants.MAVEN_GPG_PASSPHRASE_DEFAULT_ENV
|
||||||
) {
|
) {
|
||||||
xmlObj.settings.profiles = {
|
xmlObj.settings.profiles = {
|
||||||
profile: {
|
profile: {
|
||||||
id: constants.GPG_PASSPHRASE_PROFILE_ID,
|
id: constants.GPG_PASSPHRASE_PROFILE_ID,
|
||||||
properties: {
|
properties: {
|
||||||
'gpg.passphraseEnvName': gpgPassphrase
|
'gpg.passphraseEnvName': gpgPassphraseEnvVar
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|||||||
+8
-3
@@ -12,13 +12,18 @@ export const INPUT_PROBLEM_MATCHER = 'problem-matcher';
|
|||||||
export const INPUT_VERIFY_SIGNATURE = 'verify-signature';
|
export const INPUT_VERIFY_SIGNATURE = 'verify-signature';
|
||||||
export const INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key';
|
export const INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key';
|
||||||
export const INPUT_SERVER_ID = 'server-id';
|
export const INPUT_SERVER_ID = 'server-id';
|
||||||
export const INPUT_SERVER_USERNAME = 'server-username';
|
export const INPUT_SERVER_USERNAME_ENV_VAR = 'server-username-env-var';
|
||||||
export const INPUT_SERVER_PASSWORD = 'server-password';
|
export const INPUT_SERVER_PASSWORD_ENV_VAR = 'server-password-env-var';
|
||||||
|
export const INPUT_SERVER_USERNAME_DEPRECATED = 'server-username';
|
||||||
|
export const INPUT_SERVER_PASSWORD_DEPRECATED = 'server-password';
|
||||||
export const INPUT_SETTINGS_PATH = 'settings-path';
|
export const INPUT_SETTINGS_PATH = 'settings-path';
|
||||||
export const INPUT_OVERWRITE_SETTINGS = 'overwrite-settings';
|
export const INPUT_OVERWRITE_SETTINGS = 'overwrite-settings';
|
||||||
export const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key';
|
export const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key';
|
||||||
export const INPUT_GPG_PASSPHRASE = 'gpg-passphrase';
|
export const INPUT_GPG_PASSPHRASE_ENV_VAR = 'gpg-passphrase-env-var';
|
||||||
|
export const INPUT_GPG_PASSPHRASE_DEPRECATED = 'gpg-passphrase';
|
||||||
|
|
||||||
|
export const INPUT_DEFAULT_SERVER_USERNAME = 'GITHUB_ACTOR';
|
||||||
|
export const INPUT_DEFAULT_SERVER_PASSWORD = 'GITHUB_TOKEN';
|
||||||
export const INPUT_DEFAULT_GPG_PRIVATE_KEY = undefined;
|
export const INPUT_DEFAULT_GPG_PRIVATE_KEY = undefined;
|
||||||
export const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE';
|
export const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE';
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user