Skip to content

fix: fail fast on missing Publishing secrets in Java publish workflow#2

Closed
Pijukatel wants to merge 1 commit into
masterfrom
claude/kind-bardeen-jvh3q7
Closed

fix: fail fast on missing Publishing secrets in Java publish workflow#2
Pijukatel wants to merge 1 commit into
masterfrom
claude/kind-bardeen-jvh3q7

Conversation

@Pijukatel

Copy link
Copy Markdown
Collaborator

What & why

The Publish Java client workflow failed on a manual dispatch (run 28849397103, dry run) deep inside Maven:

[INFO] Signer 'gpg' is signing 4 files with key default
gpg: directory '/home/runner/.gnupg' created
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:3.2.4:sign (sign-artifacts)

Root cause. maven-gpg-plugin's sign-artifacts execution is bound to the release profile's verify phase (pom.xml), so signing runs on both the dry run (mvn -Prelease verify) and the real publish (mvn -Prelease deploy). actions/setup-java imports the GPG key only when secrets.MAVEN_GPG_PRIVATE_KEY is non-empty; that secret is not provisioned in the Publishing environment, so no secret key was in the keyring at signing time (a fresh /home/runner/.gnupg is created during the sign step). The workflow's old credential guard validated only the three MAVEN_CENTRAL_* secrets and was skipped on dry runs, so the missing GPG secret was never caught early.

Changes

  • .github/workflows/java-publish.yml — Replace the late, dry-run-skipped Require Maven Central credentials step with an early Require publishing secrets step (runs before the build). It validates the GPG signing secrets (MAVEN_GPG_PRIVATE_KEY, MAVEN_GPG_PASSPHRASE) on every run (signing happens in both dry-run and real publish) and the three MAVEN_CENTRAL_* secrets only on a real (non-dry) publish, failing with an explicit ::error::Missing Publishing environment secret(s): <names> message.
  • Version bump 0.1.0 → 0.1.1 across pom.xml, Version.CLIENT_VERSION, README.md, and a new CHANGELOG.md entry.

No client API surface or OpenAPI spec changes.

⚠️ Operational follow-up (not fixable from code)

This makes the failure fast and explicit, but publishing will keep failing until an admin provisions MAVEN_GPG_PRIVATE_KEY and MAVEN_GPG_PASSPHRASE in the repository's Publishing GitHub environment. Provisioning environment secrets is an admin action outside the codebase.

Testing

  • Workflow YAML validated (parses; guard idiom verified safe under bash -eo pipefail).
  • Full integration suite green against the live API: 92 tests, 0 failures.

Generated by Claude Code

The publish workflow signed artifacts (maven-gpg-plugin, bound to the
release profile's verify phase) on both dry runs and real publishes, but
its credential guard validated only the Maven Central secrets and was
skipped on dry runs. A missing GPG signing key therefore surfaced deep in
Maven as an opaque "gpg: no default secret key: No secret key" error.

Add an early "Require publishing secrets" step that validates the GPG
signing secrets (MAVEN_GPG_PRIVATE_KEY, MAVEN_GPG_PASSPHRASE) on every run
and the Maven Central credentials on real publishes only, failing with an
explicit message naming the missing secret(s). Bump client version to
0.1.1.
@Pijukatel Pijukatel closed this Jul 7, 2026
@Pijukatel Pijukatel deleted the claude/kind-bardeen-jvh3q7 branch July 8, 2026 09:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants