Configure maven central publishing #1042
Conversation
Signed-off-by: Appu Goundan <[email protected]>
loosebazooka
force-pushed
the
gcp-secrets-to-central-publish
branch
from
b2656a5 to
28171bb
Compare
| nmcpAggregation(project(":sigstore-java")) | ||
| nmcpAggregation(project(":sigstore-maven-plugin")) |
There was a problem hiding this comment.
Please add gradle plugin artifacts as well
There was a problem hiding this comment.
this is creating some issue where it's trying to apply the plugin on itself? We can try to add it in after, but for now, I'd like to get this in so we can publish these (and still publish the plugins to the portal)
An exception occurred applying plugin request [id: 'build-logic.java-published-library']
> Failed to apply plugin 'dev.sigstore.sign'.
> Plugin with id 'dev.sigstore.sign-base' not found.
There was a problem hiding this comment.
What are the changes and how do you reproduce the error of "Failed to apply plugin 'dev.sigstore.sign'"?
diff --git a/build.gradle.kts b/build.gradle.kts
index bb9cfe5..fa3933a 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -29,4 +29,6 @@ nmcpAggregation {
dependencies {
nmcpAggregation(project(":sigstore-java"))
nmcpAggregation(project(":sigstore-maven-plugin"))
+ nmcpAggregation(project(":sigstore-gradle:sigstore-gradle-sign-base-plugin"))
+ nmcpAggregation(project(":sigstore-gradle:sigstore-gradle-sign-plugin"))
}% CENTRAL_PORTAL_USERNAME=u CENTRAL_PORTAL_PASSWORD=p ./gradlew publishAggregationToCentralPortal -m
:sigstore-java:cleanupDirectory SKIPPED
:sigstore-java:generateBuildInfo SKIPPED
:sigstore-java:protobufDummy SKIPPED
:sigstore-java:extractProto SKIPPED
:sigstore-java:processResources SKIPPED
...
[Incubating] Problems report is available at: file:////sigstore-java/build/reports/problems/problems-report.html
Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.
You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
For more on this, please refer to https://docs.gradle.org/8.14.1/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
BUILD SUCCESSFUL in 1
There was a problem hiding this comment.
hrmm interesting, maybe it doesn't add signing?
diff --git a/build.gradle.kts b/build.gradle.kts
index bb9cfe5..fa3933a 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -29,4 +29,6 @@ nmcpAggregation {
dependencies {
nmcpAggregation(project(":sigstore-java"))
nmcpAggregation(project(":sigstore-java"))
nmcpAggregation(project(":sigstore-maven-plugin"))
+ nmcpAggregation(project(":sigstore-gradle:sigstore-gradle-sign-base-plugin"))
+ nmcpAggregation(project(":sigstore-gradle:sigstore-gradle-sign-plugin"))
}
diff --git a/sigstore-gradle/sigstore-gradle-sign-base-plugin/build.gradle.kts b/sigstore-gradle/sigstore-gradle-sign-base-plugin/build.gradle.kts
index 8ef4908..0642901 100644
--- a/sigstore-gradle/sigstore-gradle-sign-base-plugin/build.gradle.kts
+++ b/sigstore-gradle/sigstore-gradle-sign-base-plugin/build.gradle.kts
@@ -1,5 +1,6 @@
plugins {
id("build-logic.kotlin-dsl-published-gradle-plugin")
+ id("build-logic.java-published-library")
id("build-logic.test-junit5")
}
diff --git a/sigstore-gradle/sigstore-gradle-sign-plugin/build.gradle.kts b/sigstore-gradle/sigstore-gradle-sign-plugin/build.gradle.kts
index 2b5133c..fe0322a 100644
--- a/sigstore-gradle/sigstore-gradle-sign-plugin/build.gradle.kts
+++ b/sigstore-gradle/sigstore-gradle-sign-plugin/build.gradle.kts
@@ -1,5 +1,6 @@
plugins {
id("build-logic.kotlin-dsl-published-gradle-plugin")
+ id("build-logic.java-published-library")
id("build-logic.test-junit5")
}There was a problem hiding this comment.
Note that sigstore-gradle/sigstore-gradle-sign-base-plugin/build.gradle.kts already has id("build-logic.kotlin-dsl-published-gradle-plugin") which internally has id("build-logic.publish-to-central").
So the addition of id("build-logic.java-published-library") should not be needed for sigstore-gradle/*/build.gradle.kts
There was a problem hiding this comment.
while signing, etc is all configured in java-published-library
Apparently, we'd better move signing to publish-to-central or a separate file.
I might try signing the plugin itself.
However, I did use com.github.vlsi.state-vote-release plugin to release com.github.vlsi.state-vote-release, so the limitation of "plugin can't be used" sounds strange.
There was a problem hiding this comment.
Yeah I think you brought that up when we discussed it last time. I can't remember the details I think it might be lost in slack history unfortunately. If you find a solution I would love to include it. I was just unable to find one that worked.
There was a problem hiding this comment.
I might try once again and add a code comment
There was a problem hiding this comment.
any update here? I would like to unblock this.
There was a problem hiding this comment.
Ah, sorry, I did not intend to block the pr
should consume secrets from gcp during publishing. Note that this means we have moved our pgp key to something else and we must document that releases 2.x onwards use the new key.