Merge pull request #602 from sigstore/setup-signing

gpg and sigstore sign publications

Author: loosebazooka

build-logic/publishing/build.gradle.kts

@@ -10,5 +10,6 @@ dependencies {
     implementation(project(":basics"))
     implementation(project(":jvm"))
     implementation("dev.sigstore.build-logic:gradle-plugin")
+    implementation("dev.sigstore:sigstore-gradle-sign-plugin:0.5.0")
     implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.2.1")
 }

build-logic/publishing/src/main/kotlin/build-logic.java-published-library.gradle.kts

@@ -3,6 +3,7 @@ plugins {
     id("build-logic.java-library")
     id("build-logic.reproducible-builds")
     id("build-logic.publish-to-central")
+    id("build-logic.signing")
 }
 
 java {
@@ -17,3 +18,5 @@ publishing {
         }
     }
 }
+
+signing.sign(publishing.publications["mavenJava"])

build-logic/publishing/src/main/kotlin/build-logic.signing.gradle.kts

@@ -0,0 +1,34 @@
+plugins {
+    id("signing")
+    id("dev.sigstore.sign")
+}
+
+signing {
+    val signingKey: String? by project
+    val signingPassword: String? by project
+    useInMemoryPgpKeys(signingKey, signingPassword)
+}
+
+tasks.withType<Sign>().configureEach {
+    onlyIf("Is a release") {
+        project.hasProperty("release")
+    }
+    onlyIf("Signing is not skipped") {
+        !project.hasProperty("skipSigning")
+    }
+    onlyIf("PGP Signing is not skipped") {
+        !project.hasProperty("skipPgpSigning")
+    }
+}
+
+tasks.withType<dev.sigstore.sign.tasks.SigstoreSignFilesTask>().configureEach {
+    onlyIf("Is a release") {
+        project.hasProperty("release")
+    }
+    onlyIf("Signing is not skipped") {
+        !project.hasProperty("skipSigning")
+    }
+    onlyIf("Sigstore Signing is not skipped") {
+        !project.hasProperty("skipSigstoreSigning")
+    }
+}

build.gradle.kts

@@ -1,35 +1,11 @@
 plugins {
     id("build-logic.root-build")
-    // It does not support participating in precompiled script plugins
-    id("com.github.vlsi.stage-vote-release") version "1.90"
     // The Kotlin Gradle plugin was loaded multiple times in different subprojects, which is not supported and may break the build.
     `embedded-kotlin` apply false
 }
 
-version = "${findProperty("version")}${releaseParams.snapshotSuffix}"
-
-println("Building Sigstore Java $version")
-
-releaseParams {
-    tlp.set("sigstore-java")
-    organizationName.set("sigstore")
-    componentName.set("sigstore-java")
-    prefixForProperties.set("s01")
-    svnDistEnabled.set(false)
-    sitePreviewEnabled.set(false)
-    nexus {
-        prodUrl.set(uri("https://s01.oss.sonatype.org"))
-    }
-    voteText.set {
-        """
-        ${it.componentName} v${it.version}-rc${it.rc} is ready for preview.
-
-        Git SHA: ${it.gitSha}
-        Staging repository: ${it.nexusRepositoryUri}
-        """.trimIndent()
-    }
-}
+val calculatedVersion = property("version") as String + (if (hasProperty("release")) "" else "-SNAPSHOT")
 
 allprojects {
-    version = rootProject.version
+    version = calculatedVersion
 }