Commit cd764c1

#35 Refine the release documentation
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
1 parent 106982a commit cd764c1

1 file changed

+12
-17
lines changed

release.md

+12-17
@@ -2,21 +2,17 @@
22

33
Here we describe all the ceremonial stuff necessary to publish a Java library to Maven Central.
44

5-
65
## Credentials
76

8-
Publishing to Maven Central requires authentication in the form of a username-password or an User Token (as username and password).
9-
We use User Tokens [2] for authentication, which are stored in our password manager.
7+
Publishing to Maven Central requires authentication in the form of username and password or user token (as username and password). We use [user tokens][user-token] for authentication, which are stored in our password manager.
108

119
### Local (on device)
1210

1311
The `MAVEN_USERNAME` and `MAVEN_PASSWORD` environment variable needs to be set on the device.
1412

1513
### GitHub Actions
1614

17-
In the GitHub Secrets [1], we need to add two secrets called `MAVEN_USERNAME` and `MAVEN_PASSWORD` (Github enforces a leading `SECRET_TOKEN`).
18-
They can be accessed in a yaml file with `${{ secrets.MAVEN_USERNAME }}` and `${{ secrets.MAVEN_PASSWORD }}`.
19-
We pass both these secrets in the `env` block.
15+
In the [GitHub Secrets][gh-secrets], we need to add two secrets called `MAVEN_USERNAME` and `MAVEN_PASSWORD`. They can be accessed in a yaml file with `${{ secrets.MAVEN_USERNAME }}` and `${{ secrets.MAVEN_PASSWORD }}`. We pass both these secrets in the `env` block.
2016

2117
For example:
2218

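Review bot: the new line 7 keeps lowercase "yaml" while the rewritten paragraph later in this patch (line 64) uses "YAML"; pick one spelling, preferably "YAML". Two further points visible in this hunk: the unchanged context line "The `MAVEN_USERNAME` and `MAVEN_PASSWORD` environment variable needs to be set" should read "environment variables need to be set", and since the text says both secrets are passed in the `env` block, it is worth stating that the `env` block should be placed on the single step that runs the publish, not at job or workflow level, so the credentials are not exposed to every other step (including third-party actions).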
@@ -30,7 +26,7 @@ For example:
3026
3127
## GPG Guide for Maven Signing
3228
33-
This guide is based on [Working with PGP Signatures](https://central.sonatype.org/publish/requirements/gpg/) and [OpenPGP Best Practices](https://riseup.net/ru/security/message-security/openpgp/gpg-best-practices).
29+
This guide is based on [Working with PGP Signatures][pgp-signatures] and [OpenPGP Best Practices][pgp-best-practices].
3430
3531
### About our key
3632
@@ -50,7 +46,7 @@ gpg --full-generate-key
5046

5147
### Import the private key
5248

53-
Download private key from password manager and import it locally
49+
Download private key from password manager and import it locally:
5450

5551
```shell
5652
gpg --import private.key
@@ -64,10 +60,8 @@ gpg --import private.key
6460
gpg --armor --export-secret-keys $KEYID
6561
```
6662

67-
In the GitHub Secrets [1], add the output of this command to the `SIGNING_KEY` secret.
68-
Additionally, you must add the corresponding password in as `SIGNING_PASSWORD`.
69-
Both can be accessed in a yaml file with `${{ secrets.SIGNING_KEY }}` and `${{ secrets.SIGNING_PASSWORD }}`.
70-
We pass both these secrets in the `env` block-
63+
In the [GitHub Secrets][gh-secrets], add the output of this command to the `SIGNING_KEY` secret.
64+
Additionally, you must add the corresponding password as `SIGNING_PASSWORD`. Both can be accessed in a YAML file with `${{ secrets.SIGNING_KEY }}` and `${{ secrets.SIGNING_PASSWORD }}`. We pass both these secrets in the `env` block.
7165

7266
For example:
7367

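Review bot: the rewritten paragraph (new lines 63 and 64) tells the reader to paste the output of `gpg --armor --export-secret-keys $KEYID` into the `SIGNING_KEY` secret, but says nothing about what to do with that armored private key afterwards. Suggest adding one sentence, e.g. "Clear the terminal scrollback / any temporary file after pasting the key; the armored export is the unencrypted-at-rest form of the signing key once the passphrase is known." The merge of the three sentences into one paragraph and the fix of the trailing "block-" are fine.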
@@ -77,7 +71,6 @@ For example:
7771
env:
7872
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
7973
SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
80-
...
8174
```
8275

8376
#### For Password Manager
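Review bot: dropping the `...` line is correct as far as YAML goes, but check that the closing fence on line 74 now directly follows the last `SIGNING_PASSWORD:` entry and that the example still reads as a complete step; if the original `...` stood for omitted keys (for example a `run:` line), say so in the surrounding prose instead of leaving the fragment unexplained.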
@@ -88,14 +81,14 @@ gpg -o private.key --export-secret-key $KEYID
8881

8982
### Expiration
9083

91-
It is recommended to use an expiration date less than two years. We use an interval of **two years**. This means that we need to extend the expiration date every two years! We use an appointment of the secureCodeBox team calendar which to remind us.
84+
It is recommended to use an expiration date less than two years. We use an interval of **two years**. This means that we need to extend the expiration date every two years! We use an appointment of the secureCodeBox team calendar to remind us.
9285

9386
#### How to extend the expiration date?
9487

9588
1. Download the private key file `private.key` from password manager
9689
2. Import it locally: `gpg --import private.key`
9790
3. Select the key : `gpg --edit-key $KEYID`
98-
4. Now select the subkey and set the expire date (use `2y` for two years):
91+
4. Now select the subkey and set the expiry date (use `2y` for two years):
9992
```shell
10093
gpg> key 1
10194
gpg> expire
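Review bot: the procedure on new line 91 and the following `gpg> key 1` / `gpg> expire` lines extends the expiry of subkey 1 only. In `gpg --edit-key`, `expire` applies to the selected subkey when one is selected and to the primary key when none is; as written, the primary key's expiry is never extended and the whole key will still expire. Suggest either running `gpg> expire` once before `key 1` (for the primary key) and once after, or documenting both steps explicitly. Also note that the rewritten line 84 still says both "an expiration date less than two years" is recommended and "We use an interval of **two years**"; one of the two should be adjusted so the text is not self-contradictory.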
@@ -106,5 +99,7 @@ gpg> save
10699
```
107100
6. Update the private key in out password manager and GitHub Secrets
108101

109-
[1]: https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/GitHub-Actions-Secrets-Example-Token-Tutorial
110-
[2]: https://help.sonatype.com/iqserver/managing/user-management/user-tokens
102+
[gh-secrets]: https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/GitHub-Actions-Secrets-Example-Token-Tutorial
103+
[user-token]: https://help.sonatype.com/iqserver/managing/user-management/user-tokens
104+
[pgp-signatures]: https://central.sonatype.org/publish/requirements/gpg/
105+
[pgp-best-practices]: https://riseup.net/ru/security/message-security/openpgp/gpg-best-practices
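Review bot: the `user-token` reference (new line 103) points at `help.sonatype.com/iqserver/...`, which is the Sonatype IQ Server documentation, whereas the text is about authenticating to Maven Central; please confirm this is the intended page or point it at the Central/OSSRH user-token documentation instead. Similarly, `gh-secrets` (new line 102) links a third-party blog post for a topic GitHub documents itself; consider linking GitHub's own "using secrets in GitHub Actions" page. Unrelated to the renamed references but visible in the context: step 6 reads "in out password manager" and should be "in our password manager".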