NO_ISSUE: use release shared library

.ci/jenkins/Jenkinsfile.deploy

@@ -127,29 +127,22 @@ pipeline {
                            .withProperty('maven.test.failure.ignore', true)
                            .skipTests(params.SKIP_TESTS)
 
-                        if (isRelease()) {
-                            withCredentials([file(credentialsId: 'asf-release-gpg-signing-key', variable: 'SIGNING_KEY')]) {
-                                withCredentials([file(credentialsId: 'asf-release-gpg-signing-key-password', variable: 'SIGNING_KEY_PASSWORD')]) {
-                                    // copy the key to singkey.gpg file in *plain text* so we can import it
-                                    sh ("cat \"${SIGNING_KEY}\" > \"${WORKSPACE}\"/signkey.gpg")
-                                    // Please do not remove list keys command. When gpg is run for the first time, it may initialize some internals.
-                                    sh ('gpg --list-keys')
-                                    sh ("gpg --batch --pinentry-mode=loopback --passphrase \"${SIGNING_KEY_PASSWORD}\" --import  \"${WORKSPACE}\"/signkey.gpg")
-                                    sh ("rm \"${WORKSPACE}\"/signkey.gpg")
+                        def Closure mavenRunClosure = {
+                            configFileProvider([configFile(fileId: env.MAVEN_SETTINGS_CONFIG_FILE_ID, variable: 'MAVEN_SETTINGS_FILE')]) {
+                                mavenCommand.withSettingsXmlFile(MAVEN_SETTINGS_FILE).run("clean $installOrDeploy")
+                            }
+                        }
 
+                        if (isRelease()) {
+                            release.gpgImportKeyFromFileWithPassword(getReleaseGpgSignKeyCredsId(), getReleaseGpgSignPassphraseCredsId())
+                            withCredentials([string(credentialsId: getReleaseGpgSignPassphraseCredsId(), variable: 'SIGNING_KEY_PASSWORD')]) {
                                     mavenCommand.withProperty('gpg.passphrase', SIGNING_KEY_PASSWORD)
                                         .withProfiles(['apache-release'])
-
                                     // If there are passwords, this needs to be duplicated within the withCredentials block.
-                                    configFileProvider([configFile(fileId: env.MAVEN_SETTINGS_CONFIG_FILE_ID, variable: 'MAVEN_SETTINGS_FILE')]) {
-                                        mavenCommand.withSettingsXmlFile(MAVEN_SETTINGS_FILE).run("clean $installOrDeploy")
-                                    }
+                                    mavenRunClosure()
                                 }
-                            }
                         } else {
-                            configFileProvider([configFile(fileId: env.MAVEN_SETTINGS_CONFIG_FILE_ID, variable: 'MAVEN_SETTINGS_FILE')]) {
-                                mavenCommand.withSettingsXmlFile(MAVEN_SETTINGS_FILE).run("clean $installOrDeploy")
-                            }
+                            mavenRunClosure()
                         }
                     }
                 }
@@ -302,4 +295,12 @@ MavenCommand getMavenCommand(String directory = '') {
 
 boolean isMainStream() {
     return env.DROOLS_STREAM == 'main'
-}
+}
+
+String getReleaseGpgSignKeyCredsId() {
+    return env.RELEASE_GPG_SIGN_KEY_CREDS_ID
+}
+
+String getReleaseGpgSignPassphraseCredsId() {
+    return env.RELEASE_GPG_SIGN_PASSPHRASE_CREDS_ID
+}

.ci/jenkins/config/branch.yaml

@@ -94,6 +94,11 @@ cloud:
     registry: quay.io
     namespace: tradisso
     latest_git_branch: main
+release:
+  gpg:
+    sign:
+      key-credentials-id: 'asf-release-gpg-signing-key'
+      passphrase-credentials-id: 'asf-release-gpg-signing-key-passphrase'
 jenkins:
   email_creds_id: DROOLS_CI_NOTIFICATION_EMAILS
   agent:

.ci/jenkins/dsl/jobs.groovy

@@ -322,6 +322,9 @@ void setupDeployJob(JobType jobType) {
         MAVEN_REPO_CREDS_ID: "${MAVEN_ARTIFACTS_UPLOAD_REPOSITORY_CREDS_ID}",
 
         DROOLS_STREAM: Utils.getStream(this),
+
+        RELEASE_GPG_SIGN_KEY_CREDS_ID: Utils.getReleaseGpgSignKeyCredentialsId(this),
+        RELEASE_GPG_SIGN_PASSPHRASE_CREDS_ID: Utils.getReleaseGpgSignPassphraseCredentialsId(this)
     ])
     KogitoJobTemplate.createPipelineJob(this, jobParams)?.with {
         parameters {