From 1b92dc024b8a84781e2e0198c61520501f3b8466 Mon Sep 17 00:00:00 2001 From: Robin Sfez Date: Mon, 5 Jan 2026 21:30:30 +0900 Subject: [PATCH 1/2] Restrict publish worflow to production env, remove auto snapshot publishing --- .github/workflows/publish-snapshot.yml | 39 -------------------------- .github/workflows/publish.yml | 1 + 2 files changed, 1 insertion(+), 39 deletions(-) delete mode 100644 .github/workflows/publish-snapshot.yml diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml deleted file mode 100644 index aa4318f..0000000 --- a/.github/workflows/publish-snapshot.yml +++ /dev/null @@ -1,39 +0,0 @@ -name: Publish Snapshot to Maven Central - -on: - push: - branches: - - main - paths: - - 'nav-entry-scope/**' - -jobs: - publish-snapshot: - name: Publish Snapshot - runs-on: ubuntu-latest - - steps: - - name: Checkout code - run: | - git init - git remote add origin https://github.com/${{ github.repository }}.git - git fetch --depth=1 origin ${{ github.sha }} - git checkout ${{ github.sha }} - - - name: Set up JDK 17 - uses: ./.github/actions/setup-jdk - - - name: Extract base version from version catalog - run: | - BASE_VERSION=$(grep '^navEntryScope = ' gradle/libs.versions.toml | sed 's/.*= *"\(.*\)"/\1/') - echo "VERSION=${BASE_VERSION}-SNAPSHOT" >> $GITHUB_ENV - - - name: Publish Snapshot to Maven Central - run: ./gradlew publishAllPublicationsToSnapshotRepository - env: - SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} - SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} - SIGNING_KEY_ID: ${{ secrets.GPG_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.GPG_PASSPHRASE }} - SIGNING_KEY: ${{ secrets.GPG_PRIVATE_KEY }} - VERSION: ${{ env.VERSION }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 458e8af..3bb76f1 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -9,6 +9,7 @@ jobs: publish: name: Publish to Maven Central runs-on: ubuntu-latest + environment: production steps: - name: Checkout code From e25be1daf5ed3b6c29ce0bc7065f95d8715f886e Mon Sep 17 00:00:00 2001 From: Robin Sfez Date: Mon, 5 Jan 2026 22:37:21 +0900 Subject: [PATCH 2/2] Refactoring, allow usage of signing.local for snapshot publishing --- .gitignore | 1 + build.gradle.kts | 16 +++++++++--- gradle/publishing.gradle.kts | 29 +++++++++++++++++++++- gradle/signing.gradle.kts | 17 ------------- nav-entry-scope/lib/build.gradle.kts | 3 +-- nav-entry-scope/processor/build.gradle.kts | 3 +-- 6 files changed, 43 insertions(+), 26 deletions(-) delete mode 100644 gradle/signing.gradle.kts diff --git a/.gitignore b/.gitignore index ba10421..2537f7b 100644 --- a/.gitignore +++ b/.gitignore @@ -8,4 +8,5 @@ .externalNativeBuild .cxx local.properties +signing.local firebase-debug.log \ No newline at end of file diff --git a/build.gradle.kts b/build.gradle.kts index 1148d78..ec42bc3 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -1,4 +1,12 @@ // Top-level build file where you can add configuration options common to all sub-projects/modules. + +val signingProperties = java.util.Properties().apply { + file("signing.local").takeIf { it.exists() }?.inputStream()?.use { load(it) } +} + +fun getSigningProperty(key: String): String? = + providers.environmentVariable(key).orNull ?: signingProperties.getProperty(key) + plugins { alias(libs.plugins.android.application) apply false alias(libs.plugins.android.library) apply false 
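Review bot: The added `environment: production` on the `publish` job only gates a release if the Sonatype and GPG secrets are stored as secrets of that environment and the environment has protection rules (required reviewers, a branch or tag restriction); neither is visible in this hunk. If those secrets remain repository-level secrets, any other workflow in the repository can still read them without passing through the environment. I would record the expectation next to the key, for example `# secrets for this job live on the "production" environment only; the environment requires reviewer approval`. The job's trigger and its remaining steps are outside the hunk.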
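Review bot: `getSigningProperty` in the root build.gradle.kts treats an environment variable that is set but empty as a value, so `providers.environmentVariable(key).orNull ?: …` never reaches `signing.local` in that case and the empty string is passed on as a credential. On GitHub Actions an `env:` entry mapped to an unavailable secret is exported as an empty string, so this would probably surface as an opaque authentication or signing failure rather than a missing-configuration error. Filtering blanks keeps the fallback intact: `providers.environmentVariable(key).orNull?.takeIf { it.isNotBlank() } ?: signingProperties.getProperty(key)`. The `System.getenv(key) ?: …` helpers added in gradle/publishing.gradle.kts (`getSigningProperty`, `getSigningPropertyWithNewlines`) have the same gap, and there an empty key passes the `signingKey != null` check.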
@@ -15,8 +23,8 @@ nexusPublishing { sonatype { nexusUrl.set(uri("https://ossrh-staging-api.central.sonatype.com/service/local/")) snapshotRepositoryUrl.set(uri("https://central.sonatype.com/repository/maven-snapshots/")) - username.set(providers.environmentVariable("SONATYPE_USERNAME")) - password.set(providers.environmentVariable("SONATYPE_PASSWORD")) + username.set(getSigningProperty("SONATYPE_USERNAME")) + password.set(getSigningProperty("SONATYPE_PASSWORD")) } } } @@ -29,8 +37,8 @@ allprojects { name = "snapshot" url = uri("https://central.sonatype.com/repository/maven-snapshots/") credentials { - username = providers.environmentVariable("SONATYPE_USERNAME").orNull ?: "" - password = providers.environmentVariable("SONATYPE_PASSWORD").orNull ?: "" + username = getSigningProperty("SONATYPE_USERNAME") ?: "" + password = getSigningProperty("SONATYPE_PASSWORD") ?: "" } } } diff --git a/gradle/publishing.gradle.kts b/gradle/publishing.gradle.kts index 627f99f..ab29207 100644 --- a/gradle/publishing.gradle.kts +++ b/gradle/publishing.gradle.kts 
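Review bot: In the `sonatype { }` block, `username.set(getSigningProperty("SONATYPE_USERNAME"))` replaces a lazy provider with a plain `String?` that is read while the build is being configured, so the Sonatype credentials are now resolved on every invocation, including ones that never publish. Keeping the property lazy preserves the earlier behaviour and still allows the file fallback: `username.set(providers.environmentVariable("SONATYPE_USERNAME").orElse(providers.provider { signingProperties.getProperty("SONATYPE_USERNAME") }))`, and likewise for `password`. In the `credentials { }` block of the following hunk the `?: ""` fallback is kept, so a missing credential would be presented as an empty string instead of being reported; a short comment there stating that an empty value means "not publishing" would help the next reader. Both enclosing blocks start and end outside the hunks.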
@@ -1,12 +1,26 @@ import org.gradle.api.publish.PublishingExtension import org.gradle.api.publish.maven.MavenPublication +import org.gradle.plugins.signing.SigningExtension + +val signingProperties = java.util.Properties().apply { + rootProject.file("signing.local").takeIf { it.exists() }?.inputStream()?.use { load(it) } +} + +fun getSigningProperty(key: String): String? = + System.getenv(key) ?: signingProperties.getProperty(key) + +fun getSigningPropertyWithNewlines(key: String): String? = + System.getenv(key) ?: signingProperties.getProperty(key)?.replace("\\n", "\n") + +extra["signingProperties"] = signingProperties +extra["getSigningProperty"] = ::getSigningProperty plugins.withId("maven-publish") { afterEvaluate { extensions.configure { publications.withType().configureEach { groupId = "com.mercari" - version = System.getenv("VERSION") ?: project.property("navEntryScopeVersion") as String + version = getSigningProperty("VERSION") ?: project.property("navEntryScopeVersion") as String pom { url.set("https://github.com/mercari/nav-entry-scope-android") @@ -38,4 +52,17 @@ plugins.withId("maven-publish") { } } } + + plugins.withId("signing") { + val publishing = extensions.getByType() + val signing = extensions.getByType() + + val signingKey = getSigningPropertyWithNewlines("SIGNING_KEY") + val signingPassword = getSigningProperty("SIGNING_PASSWORD") + + if (signingKey != null && signingPassword != null) { + signing.useInMemoryPgpKeys(signingKey, signingPassword) + signing.sign(publishing.publications) + } + } } diff --git a/gradle/signing.gradle.kts b/gradle/signing.gradle.kts deleted file mode 100644 index ae55a44..0000000 --- a/gradle/signing.gradle.kts +++ /dev/null 
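Review bot: `extra["signingProperties"] = signingProperties` and `extra["getSigningProperty"] = ::getSigningProperty` expose the loaded secrets (Sonatype password, signing key and passphrase, when present in `signing.local`) as extra properties of the project this script is applied to, and nothing in this patch reads them back. The root build.gradle.kts defines its own `signingProperties` and `getSigningProperty` with a different environment lookup (`providers.environmentVariable` there, `System.getenv` here), so the two copies can drift apart. I would drop the two `extra[...]` lines unless a consumer exists outside this patch, and add a comment above the helper such as `// Precedence: environment variable, then signing.local in the root project (untracked, see .gitignore)`. Reading `VERSION` through the same helper also means the published version can be overridden from the signing file, which that comment should mention.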
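Review bot: The relocated signing block still skips signing without any message when `SIGNING_KEY` or `SIGNING_PASSWORD` is missing, and with the new `signing.local` fallback a typo in one key name is enough for artifacts to go out unsigned without anyone noticing, at least to repositories that do not enforce signatures. An `else` branch that logs the condition (names only, never the values) would make it visible: `else { logger.warn("Signing skipped: SIGNING_KEY or SIGNING_PASSWORD not set") }`. The `\\n` unescaping in `getSigningPropertyWithNewlines` applies only to the value read from the file, which looks intended but deserves a one-line comment saying the environment value is expected to contain real newlines. The enclosing `plugins.withId("maven-publish")` block starts outside the hunk.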
@@ -1,17 +0,0 @@ -import org.gradle.api.publish.PublishingExtension -import org.gradle.plugins.signing.SigningExtension - -plugins.withId("maven-publish") { - plugins.withId("signing") { - val publishing = extensions.getByType() - val signing = extensions.getByType() - - val signingKey = System.getenv("SIGNING_KEY") - val signingPassword = System.getenv("SIGNING_PASSWORD") - - if (signingKey != null && signingPassword != null) { - signing.useInMemoryPgpKeys(signingKey, signingPassword) - signing.sign(publishing.publications) - } - } -} diff --git a/nav-entry-scope/lib/build.gradle.kts b/nav-entry-scope/lib/build.gradle.kts index e7f74ce..945c8a7 100644 --- a/nav-entry-scope/lib/build.gradle.kts +++ b/nav-entry-scope/lib/build.gradle.kts @@ -83,5 +83,4 @@ afterEvaluate { } } -apply(from = rootProject.file("gradle/publishing.gradle.kts")) -apply(from = rootProject.file("gradle/signing.gradle.kts")) \ No newline at end of file +apply(from = rootProject.file("gradle/publishing.gradle.kts")) \ No newline at end of file diff --git a/nav-entry-scope/processor/build.gradle.kts b/nav-entry-scope/processor/build.gradle.kts index 135ae6a..3d67a66 100644 --- a/nav-entry-scope/processor/build.gradle.kts +++ b/nav-entry-scope/processor/build.gradle.kts @@ -44,5 +44,4 @@ publishing { } } -apply(from = rootProject.file("gradle/publishing.gradle.kts")) -apply(from = rootProject.file("gradle/signing.gradle.kts")) \ No newline at end of file +apply(from = rootProject.file("gradle/publishing.gradle.kts")) \ No newline at end of file