Upload release signatures to GitHub automatically

emlun · emlun · commit 499e1857bd7f · 2022-09-16T18:56:14.000+02:00
diff --git a/.github/workflows/release-verify-signatures.yml b/.github/workflows/release-verify-signatures.yml
@@ -1,14 +1,42 @@
 name: Reproducible binary
 
+# This workflow waits for release signatures to appear on Maven Central,
+# then rebuilds the artifacts and verifies them against those signatures,
+# and finally uploads the signatures to the GitHub release.
+
 on:
   release:
     types: [published, edited]
 
 jobs:
+  download:
+    name: Download keys and signatures
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Fetch keys
+      run: gpg --no-default-keyring --keyring ./yubico.keyring --keyserver hkps://keys.openpgp.org --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
+
+    - name: Download signatures from Maven Central
+      timeout-minutes: 60
+      run: |
+        until wget https://repo1.maven.org/maven2/com/yubico/webauthn-server-attestation/${{ github.ref_name }}/webauthn-server-attestation-${{ github.ref_name }}.jar.asc; do sleep 180; done
+        until wget https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/${{ github.ref_name }}/webauthn-server-core-${{ github.ref_name }}.jar.asc; do sleep 180; done
+
+    - name: Store keyring and signatures as artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: keyring-and-signatures
+        retention-days: 1
+        path: |
+          yubico.keyring
+          *.jar.asc
+
   verify:
     name: Verify signatures (JDK ${{ matrix.java }} ${{ matrix.distribution }})
-
+    needs: download
     runs-on: ubuntu-latest
+
     strategy:
       matrix:
         java: [17]
@@ -31,21 +59,34 @@ jobs:
         java --version
         ./gradlew jar
 
-    - name: Fetch keys
-      run: gpg --no-default-keyring --keyring ./yubico.keyring --keyserver hkps://keys.openpgp.org --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
+    - name: Retrieve keyring and signatures
+      uses: actions/download-artifact@v3
+      with:
+        name: keyring-and-signatures
 
-    - name: Verify signatures from GitHub release
+    - name: Verify signatures from Maven Central
       run: |
-        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${{ github.ref_name }}/webauthn-server-attestation-${{ github.ref_name }}.jar.asc
-        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${{ github.ref_name }}/webauthn-server-core-${{ github.ref_name }}.jar.asc
-
         gpg --no-default-keyring --keyring ./yubico.keyring --verify webauthn-server-attestation-${{ github.ref_name }}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${{ github.ref_name }}.jar
         gpg --no-default-keyring --keyring ./yubico.keyring --verify webauthn-server-core-${{ github.ref_name }}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${{ github.ref_name }}.jar
 
-    - name: Verify signatures from Maven Central
+  upload:
+    name: Upload signatures to GitHub
+    needs: verify
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write  # Allow uploading release artifacts
+
+    steps:
+    - name: Retrieve signatures
+      uses: actions/download-artifact@v3
+      with:
+        name: keyring-and-signatures
+
+    - name: Upload signatures to GitHub
       run: |
-        wget -O webauthn-server-core-${{ github.ref_name }}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/${{ github.ref_name }}/webauthn-server-core-${{ github.ref_name }}.jar.asc
-        wget -O webauthn-server-attestation-${{ github.ref_name }}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-attestation/${{ github.ref_name }}/webauthn-server-attestation-${{ github.ref_name }}.jar.asc
+        RELEASE_DATA=$(curl -H "Authorization: Bearer ${{ github.token }}" ${{ github.api_url }}/repos/${{ github.repository }}/releases/tags/${{ github.ref_name }})
+        UPLOAD_URL=$(jq -r .upload_url <<<"${RELEASE_DATA}" | sed 's/{?name,label}//')
 
-        gpg --no-default-keyring --keyring ./yubico.keyring --verify webauthn-server-attestation-${{ github.ref_name }}.jar.mavencentral.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${{ github.ref_name }}.jar
-        gpg --no-default-keyring --keyring ./yubico.keyring --verify webauthn-server-core-${{ github.ref_name }}.jar.mavencentral.asc webauthn-server-core/build/libs/webauthn-server-core-${{ github.ref_name }}.jar
+        curl -X POST -H "Authorization: Bearer ${{ github.token }}" -H 'Content-Type: text/plain' --data-binary @webauthn-server-attestation-${{ github.ref_name }}.jar.asc "${UPLOAD_URL}?name=webauthn-server-attestation-${{ github.ref_name }}.jar.asc"
+        curl -X POST -H "Authorization: Bearer ${{ github.token }}" -H 'Content-Type: text/plain' --data-binary @webauthn-server-core-${{ github.ref_name }}.jar.asc "${UPLOAD_URL}?name=webauthn-server-core-${{ github.ref_name }}.jar.asc"
diff --git a/build.gradle b/build.gradle
@@ -116,12 +116,6 @@ task assembleJavadoc(type: Sync) {
   destinationDir = file("${rootProject.buildDir}/javadoc")
 }
 
-task collectSignatures(type: Sync) {
-  destinationDir = file("${rootProject.buildDir}/dist")
-  duplicatesStrategy DuplicatesStrategy.FAIL
-  include '*.jar', '*.jar.asc'
-}
-
 subprojects { project ->
 
   if (project.plugins.hasPlugin('scala')) {
@@ -247,14 +241,6 @@ subprojects { project ->
         useGpgCmd()
         sign publishing.publications.jars
       }
-
-      tasks.withType(Sign) { Sign signTask ->
-        rootProject.tasks.collectSignatures {
-          from signTask.inputs.files
-          from signTask.outputs.files
-        }
-        signTask.finalizedBy rootProject.tasks.collectSignatures
-      }
     }
   }
 
diff --git a/doc/releasing.md b/doc/releasing.md
@@ -28,13 +28,7 @@ Release candidate versions
     $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
     ```
 
- 6. Wait for the artifacts to become downloadable at
-    https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/ . This is
-    needed for one of the GitHub Actions release workflows and usually takes
-    less than 30 minutes (long before the artifacts become searchable on the
-    main Maven Central website).
-
- 7. Push to GitHub.
+ 6. Push to GitHub.
 
     If the pre-release makes significant changes to the project README, such
     that the README does not accurately reflect the latest non-pre-release
@@ -52,19 +46,19 @@ Release candidate versions
     $ git push origin main 1.4.0-RC1
     ```
 
- 8. Make GitHub release.
+ 7. Make GitHub release.
 
     - Use the new tag as the release tag
     - Check the pre-release checkbox
     - Copy the release notes from `NEWS` into the GitHub release notes; reformat
       from ASCIIdoc to Markdown and remove line wraps. Include only
       changes/additions since the previous release or pre-release.
-    - Attach the signature files from
-      `build/dist/webauthn-server-attestation-X.Y.Z-RCN.jar.asc`
-      and
-      `build/dist/webauthn-server-core-X.Y.Z-RCN.jar.asc`.
     - Note which JDK version was used to build the artifacts.
 
+ 8. Check that the ["Reproducible binary"
+    workflow](/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
+    runs and succeeds.
+
 
 Release versions
 ---
@@ -128,27 +122,20 @@ Release versions
     $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
     ```
 
-11. Wait for the artifacts to become downloadable at
-    https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/ . This is
-    needed for one of the GitHub Actions release workflows and usually takes
-    less than 30 minutes (long before the artifacts become searchable on the
-    main Maven Central website).
-
-12. Push to GitHub:
+11. Push to GitHub:
 
     ```
     $ git push origin main 1.4.0
     ```
 
-13. Make GitHub release.
+12. Make GitHub release.
 
     - Use the new tag as the release tag
     - Copy the release notes from `NEWS` into the GitHub release notes; reformat
       from ASCIIdoc to Markdown and remove line wraps. Include all changes since
       the previous release (not just changes since the previous pre-release).
-    - Attach the signature files from
-      `build/dist/webauthn-server-attestation-X.Y.Z.jar.asc`
-      and
-      `build/dist/webauthn-server-core-X.Y.Z.jar.asc`.
-
     - Note which JDK version was used to build the artifacts.
+
+13. Check that the ["Reproducible binary"
+    workflow](/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
+    runs and succeeds.

Original file line number	Diff line number	Diff line change
`@@ -116,12 +116,6 @@ task assembleJavadoc(type: Sync) {`
`116`	`116`	`destinationDir = file("${rootProject.buildDir}/javadoc")`
`117`	`117`	`}`
`118`	`118`
`119`		`-task collectSignatures(type: Sync) {`
`120`		`- destinationDir = file("${rootProject.buildDir}/dist")`
`121`		`- duplicatesStrategy DuplicatesStrategy.FAIL`
`122`		`- include '.jar', '.jar.asc'`
`123`		`-}`
`124`		`-`
`125`	`119`	`subprojects { project ->`
`126`	`120`
`127`	`121`	`if (project.plugins.hasPlugin('scala')) {`
`@@ -247,14 +241,6 @@ subprojects { project ->`
`247`	`241`	`useGpgCmd()`
`248`	`242`	`sign publishing.publications.jars`
`249`	`243`	`}`
`250`		`-`
`251`		`- tasks.withType(Sign) { Sign signTask ->`
`252`		`- rootProject.tasks.collectSignatures {`
`253`		`- from signTask.inputs.files`
`254`		`- from signTask.outputs.files`
`255`		`- }`
`256`		`- signTask.finalizedBy rootProject.tasks.collectSignatures`
`257`		`- }`
`258`	`244`	`}`
`259`	`245`	`}`
`260`	`246`