Publish to OSSRH #1135
Signed-off-by: Gábor Lipták <gliptak@gmail.com>
Sure, I understand that the only way to test is to create a new release. Sounds good? |
sounds good @arnaudroques |
Ok, the CI has run :-) |
My mistake: it seems to have pushed something :-) |
However, I cannot release this version on https://oss.sonatype.org/ Any idea? Thanks! |
https://sourceforge.net/p/plantuml/code/HEAD/tree/trunk/pom.xml#313 has a similar sign section https://repo1.maven.org/maven2/net/sourceforge/plantuml/plantuml/1.2022.8/ has more files than https://github.com/plantuml/plantuml/releases/tag/v1.2022.9 I also downloaded https://repo1.maven.org/maven2/net/sourceforge/plantuml/plantuml/1.2022.8/plantuml-1.2022.8.jar and it is unsigned ...
maybe release v1.2022.9.1 and review logs? |
Let's go for v1.2022.10. We have some space left up to v1.2022.99 :-) About the log in https://github.com/plantuml/plantuml/actions/runs/3141306358/jobs/5103659727 :
Does it mean that signing is not done ? Also, the key I was using with maven (which is stored locally on some local server) is different from the key used by GitHub. Not sure if it's an issue or not. I've got two more interesting screenshots: It's probably unrelated but we've got: Thanks for your help! |
On second thought, it looks like .asc signature files were not pushed to OSSRH ( Are there some logs about what is actually pushed to OSSRH? (to check whether those .asc files are present or not)
I'm definitely not an expert here but I think it may be a different story. |
if there is a chance that the Github key is no longer valid, consider updating with the "local" signing key at this point, I don't know what other updates are required to correct the signing process |
Ok, thanks! Both of you have write access now, so you may create some branch and debug the CI there if you wish, without me being on the bottleneck. I think we are not far from success :-) |
let's plan to review #1143 results during next (proper) release |
Ok, but before doing that, can we set up some verbose mode about the signing process to have a look on the log? I guess that something must be missing because in the signing part of gradle. |
@arnaudroques @gliptak, i tried to understand, but could not yet. what is the background of this change? and - thanks for the invite, but i was too slow to see it, it expired after 7 days blush |
@soloturn we were updating Gradle build to enable publishing to ossrh |
@gliptak, @arnaudroques, how do you check if the signature is good? after downloading the newest released files from here: the following happens:
when searching the key or email nothing is found: if one takes anything else, arbitrary, e.g. https://repo1.maven.org/maven2/io/github/ncasaux/camel-plantuml/1.4.0/ :
@arnaudroques you mind uploading the public key? i did not find it, otherwise i would have tried uploading it and you might have gotten an email for verification, if i am not wrong. |
Sure, the key is available here. To be honest, I'm completely lost on those subjects :-)
So we retrieve the ID using RSA key 019586D44BD80213. Now I think there is a passphrase on this key which is stored in the secret |
@soloturn Thanks for mentioning https://keys.openpgp.org/search?q=019586D44BD80213 The public key has just been published. |
Publishing the key did not really help. However, here is a clue: it seems that some project name and project description are also still missing in the generated .pom file. Thanks! |
To get things even stranger, the .asc files are generated on github side (see for example) However, they don't seem to be pushed/published to https://oss.sonatype.org/ Does the order matter in build.gradle.kts ? We should probably add debug logs for the "Upload artifacts" but I'm not sure about how to set this... |
GHA sequences those calls https://github.com/plantuml/plantuml/actions/runs/3316317804/jobs/5478022205 Signing happens before the upload/release/publish steps (although |
@gliptak Thanks for your help and explanation! Would it be possible to have more trace/log on what is happening in publishMavenPublicationToOSSRHRepository or publish ? Because I cannot understand why the signature .asc files are not published to https://oss.sonatype.org/ |
does for you the check of gh published files work? for me still not. maybe key is wrong, signing is wrong or publishing pubkey is wrong?
my feeling is we should get this running local first. |
works for me:
$ gpg --verify plantuml-1.2022.12.jar.asc
gpg: assuming signed data in 'plantuml-1.2022.12.jar'
gpg: Signature made Mon 24 Oct 2022 23:40:17 CEST
gpg: using RSA key 019586D44BD80213
gpg: Good signature from "PlantUML JAR Signing Key <plantuml@gmail.com>" [full] |
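Added example, not part of the thread or of the PlantUML build: a check for the symptom discussed above, artifacts staged for upload without their detached `.asc` signatures. It assumes the publication has been written to a local directory in Maven repository layout; the `net/example/demo` tree and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not PlantUML project code): list staged Maven artifacts that
# have no detached GPG signature next to them.

# missing_signatures DIR
# Prints, relative to DIR, every artifact without a non-empty "<file>.asc".
# Signatures, checksums and maven-metadata files are skipped (assumption of
# this example: they are not expected to carry a signature of their own).
# The body runs in a subshell so no variables leak into the caller.
missing_signatures() (
  dir=${1%/}
  find "$dir" -type f \
    ! -name '*.asc' ! -name '*.md5' ! -name '*.sha1' \
    ! -name '*.sha256' ! -name '*.sha512' \
    ! -name 'maven-metadata*' | LC_ALL=C sort |
  while IFS= read -r f; do
    [ -s "$f.asc" ] || printf '%s\n' "${f#"$dir"/}"
  done
)

# make_sample_staging
# Builds a constructed staging tree (hypothetical net.example:demo:1.0) and
# prints its path: one signed jar, one unsigned pom, one empty signature.
make_sample_staging() (
  root=$(mktemp -d)
  v="$root/net/example/demo/1.0"
  mkdir -p "$v"
  for name in demo-1.0.jar demo-1.0.pom demo-1.0-sources.jar; do
    printf 'constructed content\n' > "$v/$name"
  done
  printf 'constructed signature\n' > "$v/demo-1.0.jar.asc"
  : > "$v/demo-1.0-sources.jar.asc"   # zero-byte file: reported as missing
  printf 'constructed checksum\n' > "$v/demo-1.0.jar.sha1"
  printf '%s\n' "$root"
)

# Demo run on the constructed tree.
staging=$(make_sample_staging)
echo "Artifacts without a signature:"
missing_signatures "$staging"
rm -rf "$staging"
```

Files the function does not list can then be checked one by one with `gpg --verify`, as in the comment above.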
interesting. need to look in more detail local then. for upload i saw: |
Yes, that sounds like the same issue we have :-) If you have the time to propose a MR to test the upload of asc files, we will be glad to merge it. Thanks! |
Just add the [...]
publishing {
[...]
pom {
name.set("HERE THE PROJECT NAME")
description.set("HERE A concise description of THE PROJECT")
[...] |
I'm trying to reproduce the problem locally. Here is what I have already tried :
gradle -q compileJava --no-daemon
gradle test --no-daemon -i
gradle -q clean build \
pdfJar \
generateMetadataFileForMavenPublication generatePomFileForMavenPublication \
-x test
gradle -i signMavenPublication signPdfJar
gradle publish
But I have not reproduced the problem: |
Is it possible to trigger a new release to check the logs of the git workflow ? The next test is to try to simulate the workflow using https://github.com/nektos/act |
I think I have spotted a bug in the workflow 👯♂️. |
I think I have the reason : I will test it |
That's great! Good luck ;-) |
should be fixed by PR #1314 Tested on my repository |
Signed-off-by: Gábor Lipták gliptak@gmail.com
@arnaudroques I don't have a way to test