ci: use the new Smallrye secrets scheme

.build/justfile-for-release

@@ -12,28 +12,14 @@ purpose:
 perform-release: pre-release release post-release
     @echo "🎉 Successfully released Mutiny ${RELEASE_VERSION} 🚀"
 
-# Decrypt secrets
-decrypt-secrets:
-    @echo "Decrypting smallrye signature"
-    gpg --quiet --batch --yes --decrypt --passphrase="${SECRET_FILES_PASSPHRASE}" \
-        --output smallrye-sign.asc .build/smallrye-sign.asc.gpg
-    @echo "Decrypting Maven settings"
-    gpg --quiet --batch --yes --decrypt --passphrase="${SECRET_FILES_PASSPHRASE}" \
-        --output maven-settings.xml .build/maven-settings.xml.gpg
-
-# Initialize GnuPG
-init-gpg:
-    @echo "GnuPG setup"
-    gpg --fast-import --no-tty --batch --yes smallrye-sign.asc
-
 # Initialize Git
 init-git:
     @echo "Git setup"
     git config --global user.name "smallrye-ci"
     git config --global user.email "smallrye@googlegroups.com"
 
 # Steps before releasing
-pre-release: decrypt-secrets init-gpg init-git
+pre-release: init-git
     @echo "🚀 Pre-release steps..."
     @echo "Pre-release verifications"
     jbang .build/PreRelease.java --token=${RELEASE_TOKEN} --release-version=${RELEASE_VERSION}
@@ -42,7 +28,7 @@ pre-release: decrypt-secrets init-gpg init-git
     ./mvnw --settings .build/maven-ci-settings.xml --batch-mode --no-transfer-progress versions:set -DnewVersion=${RELEASE_VERSION} -DgenerateBackupPoms=false -pl bom
     jbang .build/UpdateDocsAttributesFiles.java --mutiny-version=${RELEASE_VERSION}
     @echo "Check that the project builds (no tests)"
-    ./mvnw --settings maven-settings.xml --batch-mode --no-transfer-progress clean install -Prelease -DskipTests
+    ./mvnw --settings .build/maven-ci-settings.xml --batch-mode --no-transfer-progress clean install -Prelease -DskipTests
     @echo "Bump workshop examples to ${RELEASE_VERSION}"
     .build/update-workshop-target-version.sh "${RELEASE_VERSION}"
     @echo "Check that the website builds"
@@ -63,9 +49,9 @@ release: pre-release
     git push
 
 # Deploy to Maven Central
-deploy-to-maven-central: decrypt-secrets init-gpg
+deploy-to-maven-central:
     @echo "Deploy to Maven Central"
-    ./mvnw --settings maven-settings.xml --batch-mode --no-transfer-progress deploy -Prelease -DskipTests
+    ./mvnw --settings .build/maven-ci-settings.xml --batch-mode --no-transfer-progress deploy -Prelease -DskipTests
 
 # Steps post-release
 post-release:

.github/workflows/build-main.yml

@@ -20,12 +20,19 @@ jobs:
           java-version: 11
           distribution: temurin
           cache: maven
+          server-id: 'oss.sonatype'
+          server-username: 'MAVEN_DEPLOY_USERNAME'
+          server-password: 'MAVEN_DEPLOY_TOKEN'
+          gpg-private-key: ${{secrets.MAVEN_GPG_PRIVATE_KEY}}
+          gpg-passphrase: 'MAVEN_GPG_PASSPHRASE'
       - name: Install just
         uses: taiki-e/install-action@just
       - name: Test and deploy snapshots
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SECRET_FILES_PASSPHRASE: ${{ secrets.SECRET_FILES_PASSPHRASE }}
+          MAVEN_DEPLOY_USERNAME: ${{secrets.MAVEN_DEPLOY_USERNAME}}
+          MAVEN_DEPLOY_TOKEN: ${{secrets.MAVEN_DEPLOY_TOKEN}}
+          MAVEN_GPG_PASSPHRASE: ${{secrets.MAVEN_GPG_PASSPHRASE}}
         run: |
           VERSION=$(./mvnw -q exec:exec -Dexec.executable=echo -Dexec.args='${project.version}' -pl :mutiny-project)
           if [[ ${VERSION} == *SNAPSHOT ]]; then

.github/workflows/push-release-to-maven-central.yml

@@ -8,8 +8,6 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
-    env:
-      SECRET_FILES_PASSPHRASE: ${{ secrets.SECRET_FILES_PASSPHRASE }}
     steps:
       - name: Git checkout
         uses: actions/checkout@v4
@@ -19,7 +17,16 @@ jobs:
           java-version: '11'
           distribution: 'temurin'
           cache: maven
+          server-id: 'oss.sonatype'
+          server-username: 'MAVEN_DEPLOY_USERNAME'
+          server-password: 'MAVEN_DEPLOY_TOKEN'
+          gpg-private-key: ${{secrets.MAVEN_GPG_PRIVATE_KEY}}
+          gpg-passphrase: 'MAVEN_GPG_PASSPHRASE'
       - name: Install just
         uses: taiki-e/install-action@just
       - name: Deploy to Maven Central
+        env:
+          MAVEN_DEPLOY_USERNAME: ${{secrets.MAVEN_DEPLOY_USERNAME}}
+          MAVEN_DEPLOY_TOKEN: ${{secrets.MAVEN_DEPLOY_TOKEN}}
+          MAVEN_GPG_PASSPHRASE: ${{secrets.MAVEN_GPG_PASSPHRASE}}
         run: just -f .build/justfile-for-release -d . deploy-to-maven-central

.github/workflows/release.yml

@@ -24,7 +24,6 @@ jobs:
     env:
       GITHUB_TOKEN: ${{secrets.RELEASE_TOKEN}}
       RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-      SECRET_FILES_PASSPHRASE: ${{ secrets.SECRET_FILES_PASSPHRASE }}
       PREVIOUS_VERSION: ${{ github.event.inputs.previousVersion }}
       RELEASE_VERSION: ${{ github.event.inputs.version }}      
       DEPLOY_WEBSITE: ${{ github.event.inputs.deployWebsite }}
@@ -45,6 +44,11 @@ jobs:
           java-version: '11'
           distribution: 'temurin'
           cache: maven
+          server-id: 'oss.sonatype'
+          server-username: 'MAVEN_DEPLOY_USERNAME'
+          server-password: 'MAVEN_DEPLOY_TOKEN'
+          gpg-private-key: ${{secrets.MAVEN_GPG_PRIVATE_KEY}}
+          gpg-passphrase: 'MAVEN_GPG_PASSPHRASE'
       - name: Install just
         uses: taiki-e/install-action@just
       - name: Install yq
@@ -56,6 +60,10 @@ jobs:
       - name: Install MkDocs dependencies
         run: .build/install-mkdocs-deps.sh
       - name: Perform the release steps
+        env:
+          MAVEN_DEPLOY_USERNAME: ${{secrets.MAVEN_DEPLOY_USERNAME}}
+          MAVEN_DEPLOY_TOKEN: ${{secrets.MAVEN_DEPLOY_TOKEN}}
+          MAVEN_GPG_PASSPHRASE: ${{secrets.MAVEN_GPG_PASSPHRASE}}
         run: |
           curl -s "https://get.sdkman.io" | bash
           source ~/.sdkman/bin/sdkman-init.sh && sdk install jbang