Skip to content

Sign created artifacts, document updated processes #448

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Feb 21, 2023
Merged

Sign created artifacts, document updated processes #448

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
825422d
Sign created artifacts, document updated processes
niloc132 Feb 15, 2023
85ac402
Use signing key to produce output (check for main disabled)
niloc132 Feb 18, 2023
24a0234
Merge branch 'main' into sign-artifacts
niloc132 Feb 18, 2023
ee9deb6
Tidy up for review
niloc132 Feb 18, 2023
6bc6a05
Use intermediate env var for secret
niloc132 Feb 18, 2023
57e2fc4
try to appease inscrutable yml checks
niloc132 Feb 19, 2023
faa1c5f
correct step setup
niloc132 Feb 19, 2023
b3da849
Enable "don't sign except main and release branches" check
niloc132 Feb 19, 2023
62a61f0
Easier debugging unsigned output
niloc132 Feb 19, 2023
599a5ed
track down file contents...
niloc132 Feb 19, 2023
39f0940
Read other envs to set this one
niloc132 Feb 19, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 25 additions & 1 deletion .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,31 @@ jobs:
java-version: '17'
distribution: 'adopt'

- name: Build with Maven
- name: If present (and if on a branch that should be released), write the keystore to a file, and note it exists for the next step
#if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')
id: keystore
env:
SIGN_KEYSTORE_CONTENTS: ${{ secrets.SIGN_KEYSTORE_CONTENTS }}
run: |
if [ "$SIGN_KEYSTORE_CONTENTS" != '' ]; then
echo "available=true" >> $GITHUB_OUTPUT
echo "$SIGN_KEYSTORE_CONTENTS" | base64 --decode > ${HOME}/key
else
echo "available=false" >> $GITHUB_OUTPUT
fi

- name: Build with maven (sign artifacts)
if: ${{ steps.keystore.outputs.available == 'true' }}
env:
SIGN_STOREPASS: ${{ secrets.SIGN_STOREPASS }}
SIGN_ALIAS: ${{ secrets.SIGN_ALIAS }}
SIGN_KEYPASS: ${{ secrets.SIGN_KEYPASS }}
SIGN_STORETYPE: ${{ secrets.SIGN_STORETYPE }}
SIGN_TSA: http://timestamp.digicert.com/
run: SIGN_KEYSTORE=${HOME}/key mvn --batch-mode --update-snapshots package

- name: Build with maven (no signing)
if: ${{ steps.keystore.outputs.available != 'true' }}
run: mvn --batch-mode --update-snapshots package

- uses: actions/upload-artifact@v3
Expand Down
54 changes: 37 additions & 17 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,6 @@ The Google Cloud Tools team has put a significant amount of effort in helping br

* [Google Cloud Tools](https://cloud.google.com/)

### Sencha
Sencha provides man power to help update the plugin and the build server which automates the build.

[![Sencha GXT](http://cdn.sencha.com/img/gwt-eclipse-plugin-banner.png)](https://www.sencha.com/products/gxt/)

## Not Included
* This plugin does not include the [Google Cloud Tools Eclipse](https://github.com/GoogleCloudPlatform/google-cloud-eclipse) features.

Expand Down Expand Up @@ -52,15 +47,29 @@ Install from the Eclipse marketplace.


## Repository
Download the repo in a zip file.
The Eclipse repositories for this plugin.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very good you updated documentation


### Production
Release update site.

* [Eclipse Marketplace entry for the GWT Plugin](https://marketplace.eclipse.org/content/gwt-plugin)
* [Update sites for the GWT Plugin](https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin/)

* [https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/download/v4.0.0/repository.zip](https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/download/v4.0.0/repository.zip)
### Production Zip
Download the repo in a zip file from the latest release at the
[releases page](https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/). The current release is
[4.0.0](https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/download/v4.0.0/repository.zip)

### Staging
The staging repository is also at plugins.gwtproject.org, under the `nightly` version. At this time,
these are signed with a self-signed certificate.

## Development
* Nightly update site: https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin/nightly
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any plan for uploading nightly artifacts as part of the build?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that I think we've got the build right, nightly artifacts are next, I'll be trying to implement a webhook for this.


## Development

### Importing
Simply use Maven to import all the plugins and modules.
Simply use Maven to import all the plugins and modules.

* Use Eclipse Import and choose import with Existing Maven projects. Don't forget to select recursive import.
* Select all the projects and import them. This will create the .project, .classpath and .settings files. If some exist, they will be overwritten.
Expand All @@ -73,16 +82,27 @@ The target defintion build is based off of the Google Cloud Tools. Follow their
* Note: The targets will have to be updated by setting the targets. This will regenerate the Eclipse target files.

### Build
Sencha has provided an internal build agent to build.
[Sencha Eclipse Build](https://teamcity.sencha.com/viewType.html?buildTypeId=Gxt3_Gwt_GwtEclipsePlugin)

* `mvn clean install`
To build, Apache Maven and Java 17 are required. Invoke `mvn verify` to build and test. The resulting
update site can be found in `repo/target/repository` for local deployment and testing.

### Release
Creating a release requires signing artifacts. Set the following environment variables before running
`mvn verify`:
* `SIGN_KEYSTORE` - Path to a pkcs12 keystore that contains a key to use to sign this release
* `SIGN_STOREPASS` - Passphrase for the keystore
* `SIGN_ALIAS` - Alias of the key to use to sign the release
* `SIGN_KEYPASS` - Passphrase for the key
* `SIGN_TSA` - URL of a Time stamp authority to use to sign this release

At this time, releases are performed manually. The releases deployed to the marketplace will be signed
with the certificate for `plugins.gwtproject.org`.

### Deploy
Google storage write permissions are needed to deploy.

* `sh ./build-deploy-release.sh` - deploy production version
* `sh ./build-deploy-snapshot.sh` - deploy snapshot version
Releases are uploaded as zips to the [release](https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/)
part of the Github project page, and also deployed at
https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin as Eclipse update sites. Releases will be
added to the [GWT-Plugin](https://marketplace.eclipse.org/content/gwt-plugin) page on the Eclipse
Marketplace.

### Testing
There are a couple of archetypes that are used to test.
Expand Down
36 changes: 35 additions & 1 deletion pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -294,7 +294,41 @@
<module>eclipse/ide-target-platform</module>
</modules>
</profile>

<profile>
<!-- We only sign the jars when the keystore has been provided in the environment -->
<id>sign-jars</id>
<activation>
<file>
<exists>${env.SIGN_KEYSTORE}</exists>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, jars are signed only if SIGN_KEYSTORE is an environment variable.
And for CI, this means using github secrets.
Correct?

Copy link
Member Author

@niloc132 niloc132 Feb 15, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we do CI for releases yes, we will need a certificate and its password in github secrets. I'm personally not prepared to do that with the official plugins.gwtproject.org cert (I make mistakes with code/build wiring, and several CI providers have had breaches), but perhaps we could make a self-signed cert instead for that purpose, just for nightlies?

If you like that idea, I'll add it to this PR after setting up a cert and putting it in the org.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personally, I think that a self signed is good enough.

</file>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jarsigner-plugin</artifactId>
<version>3.0.0</version>
<configuration>
<keystore>${env.SIGN_KEYSTORE}</keystore>
<storepass>${env.SIGN_STOREPASS}</storepass>
<alias>${env.SIGN_ALIAS}</alias>
<keypass>${env.SIGN_KEYPASS}</keypass>
<storetype>${env.SIGN_STORETYPE}</storetype>
<tsa>${env.SIGN_TSA}</tsa>
<verbose>true</verbose>
</configuration>
<executions>
<execution>
<id>sign</id>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile>
<id>teamcity</id>
<properties>
Expand Down