Remove/replace Shipkit

[nipafx]

Shipkit is deprecated and the GitHub project is archived. They write:

"One Shipkit Gradle plugin to rule them all" approach has proven hard to maintain for the team. We are converted Shipkit into a narrow set of small libraries (design note). Several customers, inclusing Mockito project have already migrated.

We need to investigate whether there is already a replacement ("We are converted" is an unfortunate mistake because it could be "have converted" or "are converting") and then possibly migrate to it. This may also fix #246.

On a side note: Our version of Shipkit uses a deprecated GitHub API that stops working in May. It was fixed, though, so this could be solved by updating Shipkit.

[Michael1993]

I guess it's 'have converted' because 'Several customers inclusing Mockito project have already migrated'.

Maybe we should just copy Mockito? 🤷

[aepfli]

Oh cool, I will take a look tomorrow evening

[Michael1993]

Updating Shipkit is already 'in-progress' because dependabot opened #400.

[slawekjaranowski]

Now Shipkit is split to new separate projects:
https://github.com/shipkit/shipkit-auto-version
https://github.com/shipkit/shipkit-changelog
Those project should be used

[slawekjaranowski]

If nobody is working on it, I can try do it in a few days.
Please assign me.

[slawekjaranowski]

and PR #419

[nipafx]

I've just got a mail from GitHub (full text below) that they revoked my read-only OAuth token that we used for ShipKit. I was a bit surprised at first - after all, what's the harm in sharing a read-only token? Only thing I could come up with was that other people could use it to circumvent rate-limiting. Either way, we need a new way to implement this because I assume future tokens would share the same fate (sooner or later).

@aepfli Was there a reason why this token was not also passed in as an environment variable?

@slawekjaranowski First of all, hi! 👋🏾 Thanks for taking up this task - it may take a few days before I get to look at your PR, but that doesn't change that it is highly appreciated. Don't forget to add yourself to the README as described here. If you haven't already, can you take this opportunity to replace the token with a System environment variable called GH_READ_TOKEN and let me know what permissions it needs, so I can create the token and put it into the variable?

[GitHub] OAuth access token found in commit

Hello nipafx,

We noticed that a valid OAuth, GitHub App or Personal Access Token of yours was committed to a GitHub repository. Disclosing a valid access token would allow other people to interact with GitHub on your behalf, potentially altering data, your contact information, and billing data.

As a precautionary measure, we have revoked the token. You will need to generate a new token for the app to authenticate to GitHub.

Here are a couple of steps you can do to ensure your account security has not been compromised:

• Review any unauthorized applications, and remove any you don’t recognize:
  https://docs.github.com/articles/reviewing-your-authorized-integrations/#reviewing-your-authorized-oauth-apps
  https://docs.github.com/articles/reviewing-your-authorized-integrations/#reviewing-your-authorized-github-apps

• Review your security log to ensure that no malicious activity has occurred: https://docs.github.com/articles/reviewing-your-security-log/

The commit in question is at https://github.com/sullis/junit-pioneer/blob/52b010f1de1e03ec6326dd859e9655b15699f854/gradle/shipkit.gradle

Please feel free to contact us at https://github.com/contact if you have any questions or concerns.

Thanks,
GitHub.com

[aepfli]

I never ever touched this token :D - would have been a good idea - it is from long time ago, even before our migration to Github actions.

[slawekjaranowski]

mentioned token will be remove in my PR