commercetools · lojzatran · Mar 24, 2025 · Mar 21, 2025 · Mar 21, 2025 · Mar 21, 2025
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -49,16 +49,19 @@ jobs:
           distribution: 'zulu'
       - name: status
         run: echo Build is tagged. Uploading artifact ${{ steps.vars.outputs.tag }} to maven central.
+      - run: scripts/setup-signing-key.sh
+        env:
+          DECRYPTER: ${{ secrets.DECRYPTER }}
+          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+          PASSPHRASE: ${{ secrets.PASSPHRASE }}
       - name: Publish GitHub Pages
         run: ./gradlew --info -Dbuild.version="${{ steps.vars.outputs.tag }}" mkdocsPublish
       - name: deploy to sonatype and publish to maven central
-        run: ./gradlew setLibraryVersion -Dbuild.version="${{ steps.vars.outputs.tag }}" publishToSonatype closeAndReleaseSonatypeStagingRepository
+        run: ./gradlew -Pversion=$REF_NAME setLibraryVersion -Dbuild.version="${{ steps.vars.outputs.tag }}" clean publishToSonatype closeAndReleaseSonatypeStagingRepository
         env:
-          GITHUB_TAG: ${{ steps.vars.outputs.tag }}
-          MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
-          MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
-          PGP_KEY: ${{ secrets.PGP_KEY }}
-          PGP_PASSWORD: ${{ secrets.PGP_PASSWORD }}
+           GITHUB_TAG: ${{ steps.vars.outputs.tag }}
+           MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
+           MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
       - name: Slack notification
         if: success() # only when previous step succeeds
         env:

diff --git a/gradle-scripts/maven-publish.gradle b/gradle-scripts/maven-publish.gradle
@@ -40,9 +40,7 @@ publishing {
 }
 
 signing {
-    def signingKey = System.getenv("PGP_KEY")
-    def signingPassword = System.getenv("PGP_PASSWORD")
-    useInMemoryPgpKeys(signingKey, signingPassword)
+    useGpgCmd()
     sign publishing.publications.mavenJava
 }
 

diff --git a/scripts/setup-signing-key.sh b/scripts/setup-signing-key.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+set -e
+
+# Decrypt credentials
+echo 'Decode decrypter'
+echo ${DECRYPTER} | base64 --decode > decrypter.json
+echo 'Decode signing key'
+echo ${SIGNING_KEY} | base64 --decode > signing_key.enc
+echo 'Decode passphrase'
+echo ${PASSPHRASE} | base64 --decode > signing_passphrase.enc
+
+gcloud auth activate-service-account --key-file decrypter.json
+
+echo "Decrypt signing secrets"
+
+echo "passphrase"
+gcloud kms decrypt \
+  --project=commercetools-platform \
+  --location=global \
+  --keyring=devtooling \
+  --key=java-sdk-v2 \
+  --ciphertext-file=signing_passphrase.enc \
+  --plaintext-file=signing_passphrase.txt
+
+echo "key"
+gcloud kms decrypt \
+  --project=commercetools-platform \
+  --location=global \
+  --keyring=devtooling \
+  --key=java-sdk-v2 \
+  --ciphertext-file=signing_key.enc \
+  --plaintext-file=signing_key.asc
+
+
+# Import the GPG key
+set +e
+echo "Importing the signing key"
+gpg --import --no-tty --batch --yes signing_key.asc
+echo " - done"
+set -e
+
+# List available GPG keys
+gpg -K
+
+KEYNAME=`gpg --with-colons --keyid-format long --list-keys [email protected] | grep fpr | cut -d ':' -f 10`
+
+mkdir -p ~/.gradle
+touch ~/.gradle/gradle.properties
+
+echo "signing.gnupg.executable=gpg" >> ~/.gradle/gradle.properties
+echo "signing.gnupg.keyName=$KEYNAME" >> ~/.gradle/gradle.properties
+echo "signing.gnupg.passphrase=$(<signing_passphrase.txt)" >> ~/.gradle/gradle.properties
+
+rm -rf signing_passphrase.txt signing_passphrase.enc signing_key.enc decrypter.json signing_key.asc
+