fix: fail fast on missing Publishing secrets in Java publish workflow#2
Closed
Pijukatel wants to merge 1 commit into
Closed
fix: fail fast on missing Publishing secrets in Java publish workflow#2Pijukatel wants to merge 1 commit into
Pijukatel wants to merge 1 commit into
Conversation
The publish workflow signed artifacts (maven-gpg-plugin, bound to the release profile's verify phase) on both dry runs and real publishes, but its credential guard validated only the Maven Central secrets and was skipped on dry runs. A missing GPG signing key therefore surfaced deep in Maven as an opaque "gpg: no default secret key: No secret key" error. Add an early "Require publishing secrets" step that validates the GPG signing secrets (MAVEN_GPG_PRIVATE_KEY, MAVEN_GPG_PASSPHRASE) on every run and the Maven Central credentials on real publishes only, failing with an explicit message naming the missing secret(s). Bump client version to 0.1.1.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What & why
The
Publish Java clientworkflow failed on a manual dispatch (run 28849397103, dry run) deep inside Maven:Root cause.
maven-gpg-plugin'ssign-artifactsexecution is bound to the release profile'sverifyphase (pom.xml), so signing runs on both the dry run (mvn -Prelease verify) and the real publish (mvn -Prelease deploy).actions/setup-javaimports the GPG key only whensecrets.MAVEN_GPG_PRIVATE_KEYis non-empty; that secret is not provisioned in thePublishingenvironment, so no secret key was in the keyring at signing time (a fresh/home/runner/.gnupgis created during the sign step). The workflow's old credential guard validated only the threeMAVEN_CENTRAL_*secrets and was skipped on dry runs, so the missing GPG secret was never caught early.Changes
.github/workflows/java-publish.yml— Replace the late, dry-run-skippedRequire Maven Central credentialsstep with an earlyRequire publishing secretsstep (runs before the build). It validates the GPG signing secrets (MAVEN_GPG_PRIVATE_KEY,MAVEN_GPG_PASSPHRASE) on every run (signing happens in both dry-run and real publish) and the threeMAVEN_CENTRAL_*secrets only on a real (non-dry) publish, failing with an explicit::error::Missing Publishing environment secret(s): <names>message.pom.xml,Version.CLIENT_VERSION,README.md, and a newCHANGELOG.mdentry.No client API surface or OpenAPI spec changes.
This makes the failure fast and explicit, but publishing will keep failing until an admin provisions
MAVEN_GPG_PRIVATE_KEYandMAVEN_GPG_PASSPHRASEin the repository'sPublishingGitHub environment. Provisioning environment secrets is an admin action outside the codebase.Testing
bash -eo pipefail).Generated by Claude Code