Restrict publish worflow to production env, remove auto snapshot publishing (#6)

rsfez · web-flow · commit 4bd9def75d41 · 2026-01-06T09:52:11.000+09:00
* Restrict publish worflow to production env, remove auto snapshot publishing

* Refactoring, allow usage of signing.local for snapshot publishing
diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -9,6 +9,7 @@ jobs:
   publish:
     name: Publish to Maven Central
     runs-on: ubuntu-latest
+    environment: production
 
     steps:
       - name: Checkout code
diff --git a/.gitignore b/.gitignore
@@ -8,4 +8,5 @@
 .externalNativeBuild
 .cxx
 local.properties
+signing.local
 firebase-debug.log
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -1,4 +1,12 @@
 // Top-level build file where you can add configuration options common to all sub-projects/modules.
+
+val signingProperties = java.util.Properties().apply {
+    file("signing.local").takeIf { it.exists() }?.inputStream()?.use { load(it) }
+}
+
+fun getSigningProperty(key: String): String? =
+    providers.environmentVariable(key).orNull ?: signingProperties.getProperty(key)
+
 plugins {
     alias(libs.plugins.android.application) apply false
     alias(libs.plugins.android.library) apply false
@@ -15,8 +23,8 @@ nexusPublishing {
         sonatype {
             nexusUrl.set(uri("https://ossrh-staging-api.central.sonatype.com/service/local/"))
             snapshotRepositoryUrl.set(uri("https://central.sonatype.com/repository/maven-snapshots/"))
-            username.set(providers.environmentVariable("SONATYPE_USERNAME"))
-            password.set(providers.environmentVariable("SONATYPE_PASSWORD"))
+            username.set(getSigningProperty("SONATYPE_USERNAME"))
+            password.set(getSigningProperty("SONATYPE_PASSWORD"))
         }
     }
 }
@@ -29,8 +37,8 @@ allprojects {
                     name = "snapshot"
                     url = uri("https://central.sonatype.com/repository/maven-snapshots/")
                     credentials {
-                        username = providers.environmentVariable("SONATYPE_USERNAME").orNull ?: ""
-                        password = providers.environmentVariable("SONATYPE_PASSWORD").orNull ?: ""
+                        username = getSigningProperty("SONATYPE_USERNAME") ?: ""
+                        password = getSigningProperty("SONATYPE_PASSWORD") ?: ""
                     }
                 }
             }
diff --git a/gradle/publishing.gradle.kts b/gradle/publishing.gradle.kts
@@ -1,12 +1,26 @@
 import org.gradle.api.publish.PublishingExtension
 import org.gradle.api.publish.maven.MavenPublication
+import org.gradle.plugins.signing.SigningExtension
+
+val signingProperties = java.util.Properties().apply {
+    rootProject.file("signing.local").takeIf { it.exists() }?.inputStream()?.use { load(it) }
+}
+
+fun getSigningProperty(key: String): String? =
+    System.getenv(key) ?: signingProperties.getProperty(key)
+
+fun getSigningPropertyWithNewlines(key: String): String? =
+    System.getenv(key) ?: signingProperties.getProperty(key)?.replace("\\n", "\n")
+
+extra["signingProperties"] = signingProperties
+extra["getSigningProperty"] = ::getSigningProperty
 
 plugins.withId("maven-publish") {
     afterEvaluate {
         extensions.configure<PublishingExtension> {
             publications.withType<MavenPublication>().configureEach {
                 groupId = "com.mercari"
-                version = System.getenv("VERSION") ?: project.property("navEntryScopeVersion") as String
+                version = getSigningProperty("VERSION") ?: project.property("navEntryScopeVersion") as String
 
                 pom {
                     url.set("https://github.com/mercari/nav-entry-scope-android")
@@ -38,4 +52,17 @@ plugins.withId("maven-publish") {
             }
         }
     }
+
+    plugins.withId("signing") {
+        val publishing = extensions.getByType<PublishingExtension>()
+        val signing = extensions.getByType<SigningExtension>()
+
+        val signingKey = getSigningPropertyWithNewlines("SIGNING_KEY")
+        val signingPassword = getSigningProperty("SIGNING_PASSWORD")
+
+        if (signingKey != null && signingPassword != null) {
+            signing.useInMemoryPgpKeys(signingKey, signingPassword)
+            signing.sign(publishing.publications)
+        }
+    }
 }
diff --git a/gradle/signing.gradle.kts b/gradle/signing.gradle.kts
diff --git a/nav-entry-scope/lib/build.gradle.kts b/nav-entry-scope/lib/build.gradle.kts
@@ -83,5 +83,4 @@ afterEvaluate {
     }
 }
 
-apply(from = rootProject.file("gradle/publishing.gradle.kts"))
-apply(from = rootProject.file("gradle/signing.gradle.kts"))
+apply(from = rootProject.file("gradle/publishing.gradle.kts"))
diff --git a/nav-entry-scope/processor/build.gradle.kts b/nav-entry-scope/processor/build.gradle.kts
@@ -44,5 +44,4 @@ publishing {
     }
 }
 
-apply(from = rootProject.file("gradle/publishing.gradle.kts"))
-apply(from = rootProject.file("gradle/signing.gradle.kts"))
+apply(from = rootProject.file("gradle/publishing.gradle.kts"))

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,12 @@`
`1`	`1`	`// Top-level build file where you can add configuration options common to all sub-projects/modules.`
	`2`	`+`
	`3`	`+val signingProperties = java.util.Properties().apply {`
	`4`	`+ file("signing.local").takeIf { it.exists() }?.inputStream()?.use { load(it) }`
	`5`	`+}`
	`6`	`+`
	`7`	`+fun getSigningProperty(key: String): String? =`
	`8`	`+ providers.environmentVariable(key).orNull ?: signingProperties.getProperty(key)`
	`9`	`+`
`2`	`10`	`plugins {`
`3`	`11`	`alias(libs.plugins.android.application) apply false`
`4`	`12`	`alias(libs.plugins.android.library) apply false`
`@@ -15,8 +23,8 @@ nexusPublishing {`
`15`	`23`	`sonatype {`
`16`	`24`	`nexusUrl.set(uri("https://ossrh-staging-api.central.sonatype.com/service/local/"))`
`17`	`25`	`snapshotRepositoryUrl.set(uri("https://central.sonatype.com/repository/maven-snapshots/"))`
`18`		`- username.set(providers.environmentVariable("SONATYPE_USERNAME"))`
`19`		`- password.set(providers.environmentVariable("SONATYPE_PASSWORD"))`
	`26`	`+ username.set(getSigningProperty("SONATYPE_USERNAME"))`
	`27`	`+ password.set(getSigningProperty("SONATYPE_PASSWORD"))`
`20`	`28`	`}`
`21`	`29`	`}`
`22`	`30`	`}`
`@@ -29,8 +37,8 @@ allprojects {`
`29`	`37`	`name = "snapshot"`
`30`	`38`	`url = uri("https://central.sonatype.com/repository/maven-snapshots/")`
`31`	`39`	`credentials {`
`32`		`- username = providers.environmentVariable("SONATYPE_USERNAME").orNull ?: ""`
`33`		`- password = providers.environmentVariable("SONATYPE_PASSWORD").orNull ?: ""`
	`40`	`+ username = getSigningProperty("SONATYPE_USERNAME") ?: ""`
	`41`	`+ password = getSigningProperty("SONATYPE_PASSWORD") ?: ""`
`34`	`42`	`}`
`35`	`43`	`}`
`36`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -83,5 +83,4 @@ afterEvaluate {`
`83`	`83`	`}`
`84`	`84`	`}`
`85`	`85`
`86`		`-apply(from = rootProject.file("gradle/publishing.gradle.kts"))`
`87`		`-apply(from = rootProject.file("gradle/signing.gradle.kts"))`
	`86`	`+apply(from = rootProject.file("gradle/publishing.gradle.kts"))`
Original file line number	Diff line number	Diff line change
`@@ -44,5 +44,4 @@ publishing {`
`44`	`44`	`}`
`45`	`45`	`}`
`46`	`46`
`47`		`-apply(from = rootProject.file("gradle/publishing.gradle.kts"))`
`48`		`-apply(from = rootProject.file("gradle/signing.gradle.kts"))`
	`47`	`+apply(from = rootProject.file("gradle/publishing.gradle.kts"))`