Skip to content

Use gpg.passphraseEnvName instead of the deprecated gpg.passphrase server#1123

Open
brunoborges wants to merge 5 commits into
mainfrom
brunoborges-update-gpg-passphrase-env-name
Open

Use gpg.passphraseEnvName instead of the deprecated gpg.passphrase server#1123
brunoborges wants to merge 5 commits into
mainfrom
brunoborges-update-gpg-passphrase-env-name

Conversation

@brunoborges

@brunoborges brunoborges commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Description:

The maven-gpg-plugin's gpg.passphrase / passphraseServerId mechanism (a <server id="gpg.passphrase"> entry in settings.xml) is deprecated, and it fails outright once the plugin's bestPractices mode is enabled. This PR switches setup-java to the plugin's recommended gpg.passphraseEnvName mechanism.

Approach:

  • generate() in src/auth.ts no longer writes the gpg.passphrase server to settings.xml.
  • The gpg-passphrase input is the name of the environment variable holding the passphrase, and its default is unchanged (GPG_PASSPHRASE), so existing workflows that already set that variable keep working.
  • setup-java sets gpg.passphraseEnvName through an active profile in the generated settings.xml so the plugin reads the passphrase from the configured variable. When the name equals the plugin default MAVEN_GPG_PASSPHRASE, nothing extra is written because the plugin already reads it.

Compatibility:

  • The env var name and default are preserved, so this is not a breaking change for workflows on maven-gpg-plugin 3.2.0+.
  • Reading the passphrase from an environment variable (gpg.passphraseEnvName) requires maven-gpg-plugin 3.2.0 or newer. Older versions do not honor this property, and since the deprecated gpg.passphrase server is no longer written, they will not pick up the passphrase. Users pinned to older plugins should upgrade to 3.2.0+. This is called out under "Breaking changes in V6" in the README and documented in docs/advanced-usage.md.

Docs (README.md, docs/advanced-usage.md) were updated to describe the new mechanism and the version requirement. The e2e-publishing.yml settings.xml validation was updated to assert the new generated output.

Related issue:

Fixes: #760

Check list:

  • Ran npm run check locally (format, lint, build, test) and all checks pass.
  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.

The maven-gpg-plugin's `gpg.passphrase`/`passphraseServerId` mechanism is
deprecated and fails when the plugin's `bestPractices` mode is enabled.
Stop writing the `gpg.passphrase` server to settings.xml and instead set
`gpg.passphraseEnvName` via an active profile when the configured passphrase
env var name differs from the plugin default (MAVEN_GPG_PASSPHRASE).

The default `gpg-passphrase` input value (GPG_PASSPHRASE) is unchanged, so the
plugin reads the same environment variable as before.

Fixes #760

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 15, 2026 02:02
@brunoborges brunoborges requested a review from a team as a code owner July 15, 2026 02:02
Update the publishing e2e check to assert the settings.xml generated when gpg-passphrase is MAVEN_GPG_PASSPHRASE. In that default case the action no longer writes a gpg.passphrase server entry.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates actions/setup-java Maven settings.xml generation to stop using the deprecated gpg.passphrase server mechanism and instead configure the Maven GPG Plugin via gpg.passphraseEnvName (only when the configured env var name differs from the plugin default MAVEN_GPG_PASSPHRASE). This aligns setup-java with the Maven GPG Plugin’s recommended configuration and avoids failures when bestPractices is enabled.

Changes:

  • Add constants for the Maven GPG Plugin default passphrase env var name and a dedicated settings profile id.
  • Update src/auth.ts to write an active settings.xml profile that sets gpg.passphraseEnvName instead of writing a gpg.passphrase server.
  • Update docs and tests to reflect the new mechanism (and regenerate dist/ output).
Show a summary per file
File Description
src/constants.ts Introduces constants for Maven GPG Plugin default env var name and settings profile id.
src/auth.ts Switches from writing gpg.passphrase server to writing an active profile that sets gpg.passphraseEnvName when needed.
docs/advanced-usage.md Updates guidance and examples to describe the gpg.passphraseEnvName approach and deprecation of the old server mechanism.
tests/auth.test.ts Updates/extends settings.xml generation assertions for the new profile-based behavior (including the “plugin default env var” case).
dist/setup/index.js Regenerated distribution output reflecting the updated settings.xml generation behavior.
dist/cleanup/index.js Regenerated distribution output reflecting updated constants.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 5/7 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread docs/advanced-usage.md Outdated
Comment on lines +685 to +688
The `gpg-passphrase` input is the **name of the environment variable** that holds the passphrase (not the passphrase itself). The [Maven GPG Plugin](https://maven.apache.org/plugins/maven-gpg-plugin/) reads the passphrase from the environment variable named by its `gpg.passphraseEnvName` property, which defaults to `MAVEN_GPG_PASSPHRASE`.

- If `gpg-passphrase` is `MAVEN_GPG_PASSPHRASE`, the plugin already reads that variable by default, so setup-java writes nothing extra to `settings.xml`.
- If `gpg-passphrase` is any other name, setup-java configures `gpg.passphraseEnvName` through an active profile in the generated `settings.xml` so the plugin reads the passphrase from that variable:
brunoborges and others added 3 commits July 14, 2026 22:18
Align the default `gpg-passphrase` input value with the maven-gpg-plugin
default environment variable name (MAVEN_GPG_PASSPHRASE). With this default,
setup-java writes no extra GPG configuration to settings.xml and the plugin
reads the passphrase from MAVEN_GPG_PASSPHRASE out of the box.

Also document that reading the passphrase from an environment variable via
`gpg.passphraseEnvName` requires maven-gpg-plugin 3.2.0 or newer.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1
Add a "Breaking changes in V6" section to the README covering the switch to
gpg.passphraseEnvName, the new MAVEN_GPG_PASSPHRASE default, and the
maven-gpg-plugin 3.2.0+ requirement.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1
Revert the gpg-passphrase input default back to GPG_PASSPHRASE so existing v5
workflows that set the GPG_PASSPHRASE environment variable keep working without
changes. setup-java writes gpg.passphraseEnvName=GPG_PASSPHRASE into an active
profile, so the maven-gpg-plugin reads the same variable as before.

The only remaining compatibility requirement is maven-gpg-plugin 3.2.0+, which
is documented in the README and advanced usage guide.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Update how passphrase is passed to GPG

2 participants