From 605b6ee7bb2f19d5fc10b28370da8f6c9c98a42d Mon Sep 17 00:00:00 2001 From: hjwilli Date: Thu, 6 Oct 2022 18:39:39 -0400 Subject: [PATCH] Implement signing for production builds Fix gradle config for signing, update publishing docs. Ref #99 --- .env-template | 7 +++-- app/build.gradle | 12 +------- app/carnival-core/build.gradle | 28 ++++++++----------- app/carnival-gradle/build.gradle | 17 +++++++----- app/carnival-graph/build.gradle | 17 +++++++----- app/carnival-util/build.gradle | 16 ++++++----- docker-compose-publish-maven.yml | 6 ++-- docs/index.md | 2 +- docs/production-buids.md | 15 ---------- docs/production-builds.md | 47 ++++++++++++++++++++++++++++++++ 10 files changed, 96 insertions(+), 71 deletions(-) delete mode 100644 docs/production-buids.md create mode 100644 docs/production-builds.md diff --git a/.env-template b/.env-template index 9546e51b..9e6d36cb 100644 --- a/.env-template +++ b/.env-template @@ -1,9 +1,10 @@ #.env is only used in the docker-compose files # -SIGNING_PRIVATE_KEY= -SIGNING_PRIVATE_KEY_PASSWORD= -SIGNING_KEY_ID= +SIGNING_PRIVATE_DIR= +SIGNING_PRIVATE_FILE= # must be .gpg format +SIGNING_PRIVATE_KEY_PASSWORD= +SIGNING_KEY_ID= # usually last 8 of fingerprint # CENTRAL_USER= diff --git a/app/build.gradle b/app/build.gradle index c238586f..42649780 100644 --- a/app/build.gradle +++ b/app/build.gradle @@ -76,17 +76,6 @@ allprojects { subprojects { apply plugin: 'groovy' - apply plugin: "signing" - //ext.isReleaseVersion = !version.endsWith("SNAPSHOT") - signing { - required { - //isReleaseVersion && - gradle.taskGraph.hasTask("publish") && - !gradle.taskGraph.hasTask("publishToMavenLocal") - } - sign publishing.publications - } - dependencies { // see gradle.properties for versions @@ -148,6 +137,7 @@ subprojects { /////////////////////////////////////////////////////////////////////////////// subprojects { apply plugin: "maven-publish" + apply plugin: "signing" publishing { repositories { maven { 
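Review bot: The new `SIGNING_PRIVATE_FILE= # must be .gpg format` line does not say how to produce that file; the Gradle signing plugin reads it through `signing.secretKeyRingFile`, which expects an exported secret keyring, and modern GnuPG no longer maintains a `secring.gpg`, so an operator following this template has to guess. I would spell it out: `SIGNING_PRIVATE_FILE= # exported secret keyring: gpg --export-secret-keys -o <file>.gpg <keyid>`. Since `.env` now holds the key passphrase and the Central credentials, a header line such as `# .env holds secrets: keep it out of version control` would also help; I cannot see from this patch whether `.gitignore` already excludes `.env`. Existing `.env` files still using the removed `SIGNING_PRIVATE_KEY` variable leave `SIGNING_PRIVATE_DIR` unset, which deserves a line here or in the publishing docs.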
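Review bot: `apply plugin: "signing"` is now applied in the same `subprojects` block as `maven-publish`, yet the `signing { required { … } sign publishing.publications.mavenGroovy }` configuration is then repeated verbatim in carnival-core, carnival-gradle, carnival-graph and carnival-util. Because this block already applies both plugins to every subproject, that configuration could be declared once here, after the `publishing {}` block it references, provided every subproject defines a `mavenGroovy` publication, which I cannot confirm from these hunks. A single copy keeps the four `required` conditions from drifting apart later. The `subprojects` and `publishing` blocks continue past the end of the hunk.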
diff --git a/app/carnival-core/build.gradle b/app/carnival-core/build.gradle index 48b410f9..1c5dc852 100644 --- a/app/carnival-core/build.gradle +++ b/app/carnival-core/build.gradle @@ -61,26 +61,20 @@ publishing { url 'https://github.com/carnival-data/carnival' } } - } - //pom.withXml { - // Node pomNode = asNode() - // pomNode.dependencies.'*'.findAll() { - // it.artifactId.text() == 'ojdbc6' - // }.each() { - // it.parent().remove(it) - // } - //} + } } } - repositories { - maven { - // mavenCentral { - // change URLs to point to your repos, e.g. http://my.org/repo - def releasesRepoUrl = "$buildDir/repos/releases" - def snapshotsRepoUrl = "$buildDir/repos/snapshots" - url = version.endsWith('SNAPSHOT') ? snapshotsRepoUrl : releasesRepoUrl - } +} + + +signing { + required { + (!version.endsWith("SNAPSHOT")) && + gradle.taskGraph.hasTask("publish") && + !gradle.taskGraph.hasTask("publishToMavenLocal") } + + sign publishing.publications.mavenGroovy } diff --git a/app/carnival-gradle/build.gradle b/app/carnival-gradle/build.gradle index 94d0c467..b3db2fd4 100644 --- a/app/carnival-gradle/build.gradle +++ b/app/carnival-gradle/build.gradle @@ -72,18 +72,21 @@ publishing { } } } - repositories { - maven { - // change URLs to point to your repos, e.g. http://my.org/repo - def releasesRepoUrl = "$buildDir/repos/releases" - def snapshotsRepoUrl = "$buildDir/repos/snapshots" - url = version.endsWith('SNAPSHOT') ? snapshotsRepoUrl : releasesRepoUrl - } +} + +signing { + required { + (!version.endsWith("SNAPSHOT")) && + gradle.taskGraph.hasTask("publish") && + !gradle.taskGraph.hasTask("publishToMavenLocal") } + + sign publishing.publications.mavenGroovy } + /////////////////////////////////////////////////////////////////////////////// // dependencies /////////////////////////////////////////////////////////////////////////////// diff --git a/app/carnival-graph/build.gradle b/app/carnival-graph/build.gradle index f02fe1ad..e7ce8080 100644 
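Review bot: The `required` condition at `gradle.taskGraph.hasTask("publish")` gates mandatory signing on the `publish` lifecycle task, but the documented publishing command in docker-compose-publish-maven.yml runs `publishAllPublicationsToCentralRepository`, which does not schedule `publish`; when `required` evaluates to false a missing or misconfigured key does not fail the build, the Sign tasks are skipped, and a release can be uploaded to the staging repository unsigned (Nexus would only reject it at close). `TaskExecutionGraph.hasTask(String)` also matches against full task paths such as `:carnival-core:publish`, so I am not sure the bare `"publish"` ever matches in this multi-project build; this is worth verifying once with `signing.keyId` deliberately unset. A gate tied to what is actually run would be `gradle.taskGraph.allTasks.any { it.name.startsWith("publish") && !it.name.endsWith("ToMavenLocal") }` in place of the two `hasTask` terms. The same condition is repeated in carnival-gradle, carnival-graph and carnival-util.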
--- a/app/carnival-graph/build.gradle +++ b/app/carnival-graph/build.gradle @@ -68,18 +68,21 @@ publishing { } } } - repositories { - maven { - // change URLs to point to your repos, e.g. http://my.org/repo - def releasesRepoUrl = "$buildDir/repos/releases" - def snapshotsRepoUrl = "$buildDir/repos/snapshots" - url = version.endsWith('SNAPSHOT') ? snapshotsRepoUrl : releasesRepoUrl - } +} + +signing { + required { + (!version.endsWith("SNAPSHOT")) && + gradle.taskGraph.hasTask("publish") && + !gradle.taskGraph.hasTask("publishToMavenLocal") } + + sign publishing.publications.mavenGroovy } + /////////////////////////////////////////////////////////////////////////////// // dependencies /////////////////////////////////////////////////////////////////////////////// diff --git a/app/carnival-util/build.gradle b/app/carnival-util/build.gradle index 1b5b7535..4647effb 100644 --- a/app/carnival-util/build.gradle +++ b/app/carnival-util/build.gradle @@ -68,14 +68,16 @@ publishing { } } } - repositories { - maven { - // change URLs to point to your repos, e.g. http://my.org/repo - def releasesRepoUrl = "$buildDir/repos/releases" - def snapshotsRepoUrl = "$buildDir/repos/snapshots" - url = version.endsWith('SNAPSHOT') ? snapshotsRepoUrl : releasesRepoUrl - } +} + +signing { + required { + (!version.endsWith("SNAPSHOT")) && + gradle.taskGraph.hasTask("publish") && + !gradle.taskGraph.hasTask("publishToMavenLocal") } + + sign publishing.publications.mavenGroovy } diff --git a/docker-compose-publish-maven.yml b/docker-compose-publish-maven.yml index d43a6dbf..8a4ac853 100644 --- a/docker-compose-publish-maven.yml +++ b/docker-compose-publish-maven.yml 
@@ -8,14 +8,14 @@ services: working_dir: /appsrc/app command: > gradle publishAllPublicationsToCentralRepository - -Psigning.secretKeyRingFile=/appsrc/signing_private.gpg + -Psigning.secretKeyRingFile=/appsrc/keys/${SIGNING_PRIVATE_FILE} -Psigning.password=${SIGNING_PRIVATE_KEY_PASSWORD} -Psigning.keyId=${SIGNING_KEY_ID} -Pcentral.user=${CENTRAL_USER} -Pcentral.password=${CENTRAL_PASSWORD} - --no-daemon + --no-daemon --console=plain tty: true stdin_open: true volumes: - ./:/appsrc - - ${SIGNING_PRIVATE_KEY}:/appsrc/signing_private.gpg \ No newline at end of file + - ${SIGNING_PRIVATE_DIR}:/appsrc/keys \ No newline at end of file diff --git a/docs/index.md b/docs/index.md index f306fb75..0289beca 100644 --- a/docs/index.md +++ b/docs/index.md @@ -261,7 +261,7 @@ To learn more about graph methods, see [Graph Methods](graph-method.md). ## Core Development - [Developer Setup](developer-setup.md) -- [Production Builds](production-buids.md) +- [Production Builds](production-builds.md) - [Building Documentation](documentation.md) - [Default Carnival Schemas](schema.md) diff --git a/docs/production-buids.md b/docs/production-buids.md deleted file mode 100644 index f63efbc3..00000000 --- a/docs/production-buids.md +++ /dev/null 
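Review bot: The volume change mounts the whole `${SIGNING_PRIVATE_DIR}` directory at `/appsrc/keys`, read-write, where the previous version mounted a single key file; every key in that directory becomes readable to the Gradle build and any plugin or dependency it resolves, and a bug there could modify the keyring on the host. I would mount only the needed file and make it read-only: `- ${SIGNING_PRIVATE_DIR}/${SIGNING_PRIVATE_FILE}:/appsrc/keys/${SIGNING_PRIVATE_FILE}:ro`. Separately, `-Psigning.password=` and `-Pcentral.password=` place both secrets on the container's command line, where they are visible through `docker inspect` and the host process list; passing them through `environment:` or a mounted `gradle.properties` would keep them out of argv. If an existing `.env` still uses the removed `SIGNING_PRIVATE_KEY` variable, `${SIGNING_PRIVATE_DIR}` expands to empty and the volume line becomes `:/appsrc/keys`, which I expect compose to reject with an unhelpful error.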
@@ -1,15 +0,0 @@ -# Production Builds - -## Publishing Production Builds to Github - -Production images are published to Github packages. In order to publish an image, you will need to create a Github personal access token with appropriate permissions to manage github packages (see Github Packages documentation for details). Then create local environment variables **GITHUB_USER** and **GITHUB_TOKEN** with your github user and personal access token. -Once authorization has been set up, the procedure to publish production builds is: - -- Stage and test any changes in the master branch -- Update the app version number in `app/build.gradle` using semantic versioning conventions -- Merge changes into the production branch -- Build and publish changes to Github with the command gradle publish . The build.grade file has been configured to use the authentication information in the environment variables **GITHUB_USER** and **GITHUB_TOKEN** when attempting to publish. -- Check that the packages with the updated version number are listed in Carnival Packages -- Go back to the master branch, and `app/build.gradle` increment the version number and add the `-SNAPSHOT` suffix (i.e. `0.2.9-SNAPSHOT`) - -For further details, see Configuring Gradle for use with GitHub Packages. diff --git a/docs/production-builds.md b/docs/production-builds.md new file mode 100644 index 00000000..6f5799ea --- /dev/null +++ b/docs/production-builds.md 
@@ -0,0 +1,47 @@ +# Production Builds + +## Publishing to Maven + +* Maven Repository Manager: https://s01.oss.sonatype.org/#welcome +* Maven: https://search.maven.org/artifact/io.github.carnival-data/carnival-core + +### Configuration +Copy `.env-template` to `.env` and update the file with your maven central credentials and private key information. The signing file should be .gpg format, and SIGNING_KEY_ID is usually the last 8 digits of the fingerprint. More detail about the signing plugin available [here](https://docs.gradle.org/7.4.1/userguide/signing_plugin.html#sec:signatory_credentials). + + +### Publish to Snapshot Repository +When the carnivalVersion specified in `app\gradle.properties` ends with "-SNAPSHOT", the package will be published to the snapshot repository. Previous releases with the same version can be overwritten. +``` +docker-compose -f docker-compose-publish-maven.yml up +``` + +### Publish Release Versions +If the version number does not end with "-SNAPSHOT", the package will be published to the staging repository and must be manually approved. + +1. Run the following to publish to the staging repository: +``` +docker-compose -f docker-compose-publish-maven.yml up +``` + +1. Log into the [Maven Nexus Repository Manager](https://s01.oss.sonatype.org/#welcome) + +1. Click "Staging Repositories" on the left. The repository that was just published should be visible. + +1. Review the repository files. If it looks correct, click "close" to close the staging repository and start the validation process. + +1. If the validation is successfull, click "Release" to publish the release. + + +### Publishing Production Builds to Github (Deprecated) + +Production images are published to Github packages. In order to publish an image, you will need to create a Github personal access token with appropriate permissions to manage github packages (see Github Packages documentation for details). 
Then create local environment variables **GITHUB_USER** and **GITHUB_TOKEN** with your github user and personal access token. +Once authorization has been set up, the procedure to publish production builds is: + +- Stage and test any changes in the master branch +- Update the app version number in `app/build.gradle` using semantic versioning conventions +- Merge changes into the production branch +- Build and publish changes to Github with the command gradle publish . The build.grade file has been configured to use the authentication information in the environment variables **GITHUB_USER** and **GITHUB_TOKEN** when attempting to publish. +- Check that the packages with the updated version number are listed in Carnival Packages +- Go back to the master branch, and `app/build.gradle` increment the version number and add the `-SNAPSHOT` suffix (i.e. `0.2.9-SNAPSHOT`) + +For further details, see Configuring Gradle for use with GitHub Packages.