Add PGP signing to publications (#403)

* Add PGP signing to publications

Introduce Pretty Good Privacy (PGP) signing to the publication workflows of the project. The signing setup is included in the gradle wiring along with the retrieval of the key details from environment variables. This change is applied in both the publish and hotfix workflows.

* Update key retrieval in build script and workflow file

---------

Co-authored-by: Sebastiano Poggi <rock3r@users.noreply.github.com>

.github/workflows/publish-hotfix.yml

@@ -31,3 +31,5 @@ jobs:
         env:
           MAVEN_SPACE_USERNAME: ${{secrets.MAVEN_SPACE_USERNAME}}
           MAVEN_SPACE_PASSWORD: ${{secrets.MAVEN_SPACE_PASSWORD}}
+          PGP_PASSWORD: ${{secrets.PGP_PASSWORD}}
+          PGP_PRIVATE_KEY: ${{secrets.PGP_PRIVATE_KEY}}

.github/workflows/publish.yml

@@ -60,3 +60,5 @@ jobs:
         env:
           MAVEN_SPACE_USERNAME: ${{secrets.MAVEN_SPACE_USERNAME}}
           MAVEN_SPACE_PASSWORD: ${{secrets.MAVEN_SPACE_PASSWORD}}
+          PGP_PASSWORD: ${{secrets.PGP_PASSWORD}}
+          PGP_PRIVATE_KEY: ${{secrets.PGP_PRIVATE_KEY}}

buildSrc/src/main/kotlin/jewel-publish.gradle.kts

@@ -4,6 +4,7 @@ plugins {
     kotlin("jvm")
     `maven-publish`
     id("org.jetbrains.dokka")
+    signing
 }
 
 val sourcesJar by tasks.registering(Jar::class) {
@@ -18,6 +19,16 @@ val javadocJar by tasks.registering(Jar::class) {
     destinationDirectory = layout.buildDirectory.dir("artifacts")
 }
 
+val publishingExtension = extensions.getByType<PublishingExtension>()
+
+signing {
+    useInMemoryPgpKeys(
+        System.getenv("PGP_PRIVATE_KEY") ?: properties["signing.privateKey"] as String?,
+        System.getenv("PGP_PASSWORD")?: properties["signing.password"] as String?
+    )
+    sign(publishingExtension.publications)
+}
+
 publishing {
     configureJewelRepositories(project)