
claude: silence GPG passphrase-decryption stacktrace in release logs #4

Merged
Liam-DeVoe merged 1 commit into main from silence-gpg-release-stacktrace
Jun 12, 2026

@Liam-DeVoe

Member
Claude-written description

Every release job run logs a ~110-line SecDispatcherException stacktrace (printed three times as a nested cause chain) from maven-gpg-plugin before signing. It is harmless — signing succeeds and the job is green — but it makes the release logs noisy and looks alarming.

Root cause: actions/setup-java templates a gpg.passphrase server entry into the runner's ~/.m2/settings.xml whenever gpg-private-key is supplied, even though this workflow sets no gpg-passphrase input. maven-gpg-plugin then runs that entry through Maven's settings decrypter, which unconditionally tries to read ~/.m2/settings-security.xml (absent on a fresh runner), and the plugin logs the resulting FileNotFoundException at WARN with the full cause chain before falling back to the plaintext value. The release key has no passphrase, so the value is never actually needed.

Fix: enable <bestPractices>true</bestPractices> on the gpg plugin's sign execution. Verified against the 3.2.7 plugin source: with bestPractices on, passphraseServerId is no longer defaulted to gpg.passphrase, so the settings.xml lookup (and its stacktrace + "W A R N I N G" block) is skipped entirely; enforceBestPractices() only throws if a passphrase or server id is explicitly configured, which they aren't. If the key ever gains a passphrase, the MAVEN_GPG_PASSPHRASE environment variable still works — it is checked first.

Rejected alternative: setting MAVEN_GPG_PASSPHRASE: "" in the workflow env. The plugin uses isNotBlank() on the env value, so an empty string falls through to the settings lookup anyway.

No RELEASE.md: the published artifact would be bit-for-bit unchanged, so this PR carries the skip release label instead (created the label, since check-release.yml and RELEASE-sample.md already reference it).

Liam-DeVoe added the "skip release" label (merging this PR will not cut a new release) Jun 12, 2026
Liam-DeVoe merged commit 9ba11f7 into main Jun 12, 2026
8 checks passed
Liam-DeVoe deleted the silence-gpg-release-stacktrace branch June 12, 2026 14:57
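
An added diagnostic, not part of this PR or the project's code: it models the lookup order the description gives (environment variable first, then the `bestPractices` switch, then the `gpg.passphrase` server entry) to predict whether a runner will log the decryption stacktrace. The sample `settings.xml` and pom fragment are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a runner settings.xml holding the templated server entry.
SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"><servers>
  <server><id>github</id><username>${env.GITHUB_ACTOR}</username></server>
  <server><id>gpg.passphrase</id><passphrase>${env.GPG_PASSPHRASE}</passphrase></server>
</servers></settings>"""

# Constructed pom fragment; %s is the sign execution's <configuration> body.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><build><plugins><plugin>
  <artifactId>maven-gpg-plugin</artifactId>
  <executions><execution>
    <goals><goal>sign</goal></goals>
    <configuration>%s</configuration>
  </execution></executions>
</plugin></plugins></build></project>"""
POM_BEFORE = POM % ""
POM_FIXED = POM % "<bestPractices>true</bestPractices>"


def _local(tag):
    """Drop the XML namespace so namespaced and bare files both match."""
    return tag.rsplit("}", 1)[-1]


def has_server(settings_xml, server_id="gpg.passphrase"):
    """True if settings.xml declares a <server> whose <id> equals server_id."""
    for el in ET.fromstring(settings_xml).iter():
        if _local(el.tag) == "server" and any(
                _local(c.tag) == "id" and (c.text or "").strip() == server_id for c in el):
            return True
    return False


def best_practices_enabled(pom_xml):
    """True if maven-gpg-plugin carries <bestPractices>true</bestPractices>."""
    for plugin in ET.fromstring(pom_xml).iter():
        if _local(plugin.tag) == "plugin" and any(
                _local(c.tag) == "artifactId" and c.text == "maven-gpg-plugin" for c in plugin):
            return any(_local(e.tag) == "bestPractices" and (e.text or "").strip() == "true"
                       for e in plugin.iter())
    return False


def expects_stacktrace(settings_xml, pom_xml, env, security_file_exists):
    """Model of the description's lookup order, not the plugin's own code."""
    if env.get("MAVEN_GPG_PASSPHRASE", "").strip():  # non-blank env value is used first
        return False
    if best_practices_enabled(pom_xml):  # server id is no longer defaulted
        return False
    return has_server(settings_xml) and not security_file_exists
```
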