Use gpg.passphraseEnvName instead of the deprecated gpg.passphrase server#1123
Open
brunoborges wants to merge 5 commits into
Open
Use gpg.passphraseEnvName instead of the deprecated gpg.passphrase server#1123brunoborges wants to merge 5 commits into
brunoborges wants to merge 5 commits into
Conversation
The maven-gpg-plugin's `gpg.passphrase`/`passphraseServerId` mechanism is deprecated and fails when the plugin's `bestPractices` mode is enabled. Stop writing the `gpg.passphrase` server to settings.xml and instead set `gpg.passphraseEnvName` via an active profile when the configured passphrase env var name differs from the plugin default (MAVEN_GPG_PASSPHRASE). The default `gpg-passphrase` input value (GPG_PASSPHRASE) is unchanged, so the plugin reads the same environment variable as before. Fixes #760 Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Update the publishing e2e check to assert the settings.xml generated when gpg-passphrase is MAVEN_GPG_PASSPHRASE. In that default case the action no longer writes a gpg.passphrase server entry. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1
Contributor
There was a problem hiding this comment.
Pull request overview
Updates actions/setup-java Maven settings.xml generation to stop using the deprecated gpg.passphrase server mechanism and instead configure the Maven GPG Plugin via gpg.passphraseEnvName (only when the configured env var name differs from the plugin default MAVEN_GPG_PASSPHRASE). This aligns setup-java with the Maven GPG Plugin’s recommended configuration and avoids failures when bestPractices is enabled.
Changes:
- Add constants for the Maven GPG Plugin default passphrase env var name and a dedicated settings profile id.
- Update
src/auth.tsto write an activesettings.xmlprofile that setsgpg.passphraseEnvNameinstead of writing agpg.passphraseserver. - Update docs and tests to reflect the new mechanism (and regenerate
dist/output).
Show a summary per file
| File | Description |
|---|---|
| src/constants.ts | Introduces constants for Maven GPG Plugin default env var name and settings profile id. |
| src/auth.ts | Switches from writing gpg.passphrase server to writing an active profile that sets gpg.passphraseEnvName when needed. |
| docs/advanced-usage.md | Updates guidance and examples to describe the gpg.passphraseEnvName approach and deprecation of the old server mechanism. |
| tests/auth.test.ts | Updates/extends settings.xml generation assertions for the new profile-based behavior (including the “plugin default env var” case). |
| dist/setup/index.js | Regenerated distribution output reflecting the updated settings.xml generation behavior. |
| dist/cleanup/index.js | Regenerated distribution output reflecting updated constants. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 5/7 changed files
- Comments generated: 1
- Review effort level: Low
Comment on lines
+685
to
+688
| The `gpg-passphrase` input is the **name of the environment variable** that holds the passphrase (not the passphrase itself). The [Maven GPG Plugin](https://maven.apache.org/plugins/maven-gpg-plugin/) reads the passphrase from the environment variable named by its `gpg.passphraseEnvName` property, which defaults to `MAVEN_GPG_PASSPHRASE`. | ||
|
|
||
| - If `gpg-passphrase` is `MAVEN_GPG_PASSPHRASE`, the plugin already reads that variable by default, so setup-java writes nothing extra to `settings.xml`. | ||
| - If `gpg-passphrase` is any other name, setup-java configures `gpg.passphraseEnvName` through an active profile in the generated `settings.xml` so the plugin reads the passphrase from that variable: |
Align the default `gpg-passphrase` input value with the maven-gpg-plugin default environment variable name (MAVEN_GPG_PASSPHRASE). With this default, setup-java writes no extra GPG configuration to settings.xml and the plugin reads the passphrase from MAVEN_GPG_PASSPHRASE out of the box. Also document that reading the passphrase from an environment variable via `gpg.passphraseEnvName` requires maven-gpg-plugin 3.2.0 or newer. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1
Add a "Breaking changes in V6" section to the README covering the switch to gpg.passphraseEnvName, the new MAVEN_GPG_PASSPHRASE default, and the maven-gpg-plugin 3.2.0+ requirement. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1
Revert the gpg-passphrase input default back to GPG_PASSPHRASE so existing v5 workflows that set the GPG_PASSPHRASE environment variable keep working without changes. setup-java writes gpg.passphraseEnvName=GPG_PASSPHRASE into an active profile, so the maven-gpg-plugin reads the same variable as before. The only remaining compatibility requirement is maven-gpg-plugin 3.2.0+, which is documented in the README and advanced usage guide. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
The maven-gpg-plugin's
gpg.passphrase/passphraseServerIdmechanism (a<server id="gpg.passphrase">entry insettings.xml) is deprecated, and it fails outright once the plugin'sbestPracticesmode is enabled. This PR switches setup-java to the plugin's recommendedgpg.passphraseEnvNamemechanism.Approach:
generate()insrc/auth.tsno longer writes thegpg.passphraseserver tosettings.xml.gpg-passphraseinput is the name of the environment variable holding the passphrase, and its default is unchanged (GPG_PASSPHRASE), so existing workflows that already set that variable keep working.gpg.passphraseEnvNamethrough an active profile in the generatedsettings.xmlso the plugin reads the passphrase from the configured variable. When the name equals the plugin defaultMAVEN_GPG_PASSPHRASE, nothing extra is written because the plugin already reads it.Compatibility:
maven-gpg-plugin3.2.0+.gpg.passphraseEnvName) requiresmaven-gpg-plugin3.2.0 or newer. Older versions do not honor this property, and since the deprecatedgpg.passphraseserver is no longer written, they will not pick up the passphrase. Users pinned to older plugins should upgrade to 3.2.0+. This is called out under "Breaking changes in V6" in the README and documented indocs/advanced-usage.md.Docs (
README.md,docs/advanced-usage.md) were updated to describe the new mechanism and the version requirement. Thee2e-publishing.ymlsettings.xml validation was updated to assert the new generated output.Related issue:
Fixes: #760
Check list:
npm run checklocally (format, lint, build, test) and all checks pass.