misc: enable signing with JReleaser (#126)

lauzadis · web-flow · commit 4e259cf77c77 · 2025-09-08T15:41:26.000-04:00
diff --git a/.github/actions/jreleaser/action.yml b/.github/actions/jreleaser/action.yml
@@ -19,4 +19,33 @@ runs:
         export JRELEASER_MAVENCENTRAL_TOKEN="foo"
         export JRELEASER_GENERIC_TOKEN="foo"
         
+        export JRELEASER_GPG_PASSPHRASE="foo"
+        export JRELEASER_GPG_PUBLIC_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
+        mDMEaL8nuRYJKwYBBAHaRw8BAQdAWL775FzgrwDmg7muKyddMoed4k/Xb/fYly/J
+        /uDD2wy0BHRlc3SIkwQTFgoAOxYhBLcG5xXLamZFShYwTwukzlxOPrMDBQJovye5
+        AhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEAukzlxOPrMDAHsBAPC+
+        eUMDlJlvQDLduN0+BGD75RENyayZONHT42H2+U+aAP9wwQBJfhCCEzY3GpeavFgz
+        4IyWZf5Wh4m2/qKPpW10B7g4BGi/J7kSCisGAQQBl1UBBQEBB0AETG4BD1cgDqs1
+        lfU9+R/ECvlY4AdiO8iqBUtuabtMZwMBCAeIeAQYFgoAIBYhBLcG5xXLamZFShYw
+        TwukzlxOPrMDBQJovye5AhsMAAoJEAukzlxOPrMDuzkA/2WXh8Wikfpx6O4xoZf0
+        2Faek9vBPZlTM7Caoeq4tSV4AQCYcg1P9BFghqhnwvrRZvdQQTx76umHLz8enbke
+        OAHfDw==
+        =/9s0
+        -----END PGP PUBLIC KEY BLOCK-----"
+        export JRELEASER_GPG_SECRET_KEY="-----BEGIN PGP PRIVATE KEY BLOCK-----
+        lIYEaL8nuRYJKwYBBAHaRw8BAQdAWL775FzgrwDmg7muKyddMoed4k/Xb/fYly/J
+        /uDD2wz+BwMCaLqUQm4ihML7jBPOkRNRNSycy2m45R0GXzH9c1M7ImKOxYfBxrcx
+        xu+EAJ5eWvpr2//wZ+qHHXS0Rh8/SL9DoX+sFE9pRx6yJlDBO90mK7QEdGVzdIiT
+        BBMWCgA7FiEEtwbnFctqZkVKFjBPC6TOXE4+swMFAmi/J7kCGwMFCwkIBwICIgIG
+        FQoJCAsCBBYCAwECHgcCF4AACgkQC6TOXE4+swMAewEA8L55QwOUmW9AMt243T4E
+        YPvlEQ3JrJk40dPjYfb5T5oA/3DBAEl+EIITNjcal5q8WDPgjJZl/laHibb+oo+l
+        bXQHnIsEaL8nuRIKKwYBBAGXVQEFAQEHQARMbgEPVyAOqzWV9T35H8QK+VjgB2I7
+        yKoFS25pu0xnAwEIB/4HAwKJuUDoPaqNo/ssfY0b1vWGopVJneFheLIOWAMjWeur
+        8MjxaRS7IyFjPrm8p0W0/SSoKuGNdU390bwrKFmjmv5UfJrKGpJTiZZHt2awtvds
+        iHgEGBYKACAWIQS3BucVy2pmRUoWME8LpM5cTj6zAwUCaL8nuQIbDAAKCRALpM5c
+        Tj6zA7s5AP9ll4fFopH6cejuMaGX9NhWnpPbwT2ZUzOwmqHquLUleAEAmHINT/QR
+        YIaoZ8L60Wb3UEE8e+rphy8/Hp25HjgB3w8=
+        =Cn5U
+        -----END PGP PRIVATE KEY BLOCK-----"
+        
         ./gradlew jreleaserFullRelease --dryrun --stacktrace
diff --git a/build-plugins/build-support/src/main/kotlin/aws/sdk/kotlin/gradle/dsl/Publish.kt b/build-plugins/build-support/src/main/kotlin/aws/sdk/kotlin/gradle/dsl/Publish.kt
@@ -182,8 +182,7 @@ fun Project.configureNexusPublishing(repoName: String, githubOrganization: Strin
 }
 
 /**
- * Configure publishing for this project. This applies the `maven-publish` and `signing` plugins and configures
- * the publications.
+ * Configure publishing for this project. This applies the `maven-publish` plugin and configures publications.
  * @param repoName the repository name (e.g. `smithy-kotlin`, `aws-sdk-kotlin`, etc)
  * @param githubOrganization the name of the GitHub organization that [repoName] is located in
  */
@@ -236,23 +235,6 @@ fun Project.configurePublishing(repoName: String, githubOrganization: String = "
                 }
             }
         }
-
-        val secretKey = System.getenv(EnvironmentVariables.GPG_SECRET_KEY)
-        val passphrase = System.getenv(EnvironmentVariables.GPG_PASSPHRASE)
-
-        if (!secretKey.isNullOrBlank() && !passphrase.isNullOrBlank()) {
-            apply(plugin = "signing")
-            extensions.configure<SigningExtension> {
-                useInMemoryPgpKeys(secretKey, passphrase)
-                sign(publications)
-            }
-
-            // FIXME - workaround for https://github.com/gradle/gradle/issues/26091
-            val signingTasks = tasks.withType<Sign>()
-            tasks.withType<AbstractPublishToMaven>().configureEach {
-                mustRunAfter(signingTasks)
-            }
-        }
     }
 
     tasks.withType<AbstractPublishToMaven>().configureEach {
@@ -312,6 +294,9 @@ fun Project.configureJReleaser() {
     val requiredVariables = listOf(
         EnvironmentVariables.MAVEN_CENTRAL_USERNAME,
         EnvironmentVariables.MAVEN_CENTRAL_TOKEN,
+        EnvironmentVariables.GPG_PASSPHRASE,
+        EnvironmentVariables.GPG_PUBLIC_KEY,
+        EnvironmentVariables.GPG_SECRET_KEY,
         EnvironmentVariables.GENERIC_TOKEN,
     )
 
@@ -346,6 +331,11 @@ fun Project.configureJReleaser() {
             version = providers.gradleProperty("sdkVersion").get()
         }
 
+        signing {
+            active = Active.ALWAYS
+            armored = true
+        }
+
         // JReleaser requires a releaser to be configured even though we don't use it.
         // https://github.com/jreleaser/jreleaser/discussions/1725#discussioncomment-10674529
         release {
@@ -365,7 +355,6 @@ fun Project.configureJReleaser() {
                 mavenCentral {
                     create("maven-central") {
                         active = Active.ALWAYS // the Maven deployer default is ALWAYS, but MavenCentral is NEVER
-                        sign = false // Signing is done when publishing, see the 'configurePublishing' function
                         url = "https://central.sonatype.com/api/v1/publisher"
                         stagingRepository(rootProject.layout.buildDirectory.dir("m2").get().toString())
                         artifacts {
