Automate publishing of DefectDojo Java Client release to maven central #35

Closed
Weltraumschaf opened this issue May 23, 2023 · 22 comments · Fixed by #73
@Weltraumschaf (Member) commented May 23, 2023:

@Weltraumschaf Weltraumschaf converted this from a draft issue May 23, 2023
@Weltraumschaf Weltraumschaf self-assigned this May 23, 2023
@J12934 (Member) commented May 23, 2023:

Mhh? It's automated: https://github.com/secureCodeBox/defectdojo-client-java/blob/main/.github/workflows/publish.yml
Getting automatically published when a github release is created. @Weltraumschaf

@Weltraumschaf (Member Author):

Build is automated, but there is no such release in Maven Central.

@J12934 (Member) commented May 23, 2023:

@Weltraumschaf should publish to maven central when the release doesn't contain snapshot
https://github.com/secureCodeBox/defectdojo-client-java/blob/main/build.gradle#L81

@Weltraumschaf (Member Author):

Long time ago (~4 years) @rseedorff requested access to Maven Central. They said we should release some SNAPSHOT versions before they grant us access to the public repo. Now we should hook up this process.

@Weltraumschaf (Member Author) commented May 23, 2023:

Found the Sonatype OSSRH issue:

Looks like everything is prepared to perform a release. @rseedorff do you have the GPG key to sign the jars? Do you have your Jira Account working and can login here?

@Weltraumschaf Weltraumschaf moved this from Todo to In Progress in secureCodeBox v4 May 23, 2023
@Weltraumschaf (Member Author) commented May 23, 2023:

We also need to meet some requirements:

  • Supply Javadoc and Sources
  • Provide Files Checksums
  • Sign Files with GPG/PGP
  • Sufficient Metadata

Documentation how to do this with Gradle.

@rseedorff rseedorff changed the title Automate Relase of DefectDojo Java Client Automate publishing of DefectDojo Java Client release to maven central May 24, 2023
@Weltraumschaf (Member Author) commented Jun 5, 2023:

I've raised a comment in the OSSRH issue and asked how to add more maintainers.

@Weltraumschaf (Member Author):

@J12934 and me now have publish rights to our Sonatype staging repo. Now we can test a first release.

Weltraumschaf added a commit to Weltraumschaf/defectdojo-client-java that referenced this issue Jun 28, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Weltraumschaf added a commit to Weltraumschaf/defectdojo-client-java that referenced this issue Jun 28, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Weltraumschaf added a commit to Weltraumschaf/defectdojo-client-java that referenced this issue Jul 3, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Weltraumschaf added a commit to Weltraumschaf/defectdojo-client-java that referenced this issue Jul 3, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Weltraumschaf added a commit to Weltraumschaf/defectdojo-client-java that referenced this issue Jul 3, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
@Zero3141 (Contributor):

Publishing requires that all files are signed with GPG/PGP. For that, we need the signing key together with its password in a CI run. We store these two in GitHub's Encrypted secrets.

Signing key extraction (local)

First, we need to identify the LONG_ID of the private key:

gpg  --list-secret-keys

Then, we extract the private key:

gpg --armor --export-secret-keys <LONG_ID>

It should look like the following:

-----BEGIN PGP PRIVATE KEY BLOCK-----

...
-----END PGP PRIVATE KEY BLOCK-----

Github release workflow

The release workflow runs ./gradlew sign, which needs the following two environment variables to be set: SIGNING_KEY and SIGNING_PASSWORD. In the workflow, they should be set from the preconfigured GitHub secrets SIGNING_KEY and SIGNING_PASSWORD.

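The two halves of the procedure in the comment above (local key extraction, then import and signing inside the release workflow), together with the checksum requirement from the Maven Central list earlier in the thread, carried through end to end as an added example. This is not the project's workflow or any maintainer's script: it creates throwaway keys in temporary GNUPGHOME directories so it touches no real keyring, uses a constructed passphrase, the made-up identity demo signer <demo@example.invalid> and an "artifact" of constructed bytes, and assumes GnuPG 2.1 or newer plus GNU coreutils (md5sum, sha1sum) on a Linux runner.

```shell
#!/bin/sh
# Added example, not the project's own release script: the signing-key round
# trip described in the thread, with throwaway keys in temporary GNUPGHOME
# directories. Assumes GnuPG 2.1+ and GNU coreutils (md5sum, sha1sum).
set -eu

# Local, step 1: the LONG_ID of the secret key. In --with-colons output the
# "sec" record's 5th field is the 16-hex-digit long key ID.
long_key_id() {
  gpg --batch --list-secret-keys --with-colons --keyid-format long \
    | awk -F: '$1 == "sec" { print $5; exit }'
}

# Local, step 2: the ASCII-armored private key, i.e. the exact text that goes
# into the SIGNING_KEY secret. The passphrase is required because gpg has to
# unprotect and re-protect the key on export.
export_signing_key() {
  local key_id passphrase
  key_id=$1; passphrase=$2
  gpg --batch --pinentry-mode loopback --passphrase "$passphrase" \
      --armor --export-secret-keys "$key_id"
}

# CI: import the key from the secret, then produce the detached ASCII-armored
# signature (.asc) and the .md5/.sha1 checksum files Maven Central requires
# for every uploaded file.
sign_artifact() {
  local artifact
  artifact=$1
  printf '%s\n' "$SIGNING_KEY" | gpg --batch --pinentry-mode loopback \
      --passphrase "$SIGNING_PASSWORD" --import
  gpg --batch --yes --pinentry-mode loopback --passphrase "$SIGNING_PASSWORD" \
      --armor --detach-sign --output "$artifact.asc" "$artifact"
  md5sum  "$artifact" | cut -d' ' -f1 > "$artifact.md5"
  sha1sum "$artifact" | cut -d' ' -f1 > "$artifact.sha1"
}

# Consumer-side check (also a sensible post-release smoke test): the signature
# must verify against the artifact and the checksum files must match it.
verify_artifact() {
  local artifact
  artifact=$1
  gpg --batch --verify "$artifact.asc" "$artifact" 2>/dev/null \
    && [ "$(md5sum "$artifact" | cut -d' ' -f1)" = "$(cat "$artifact.md5")" ] \
    && [ "$(sha1sum "$artifact" | cut -d' ' -f1)" = "$(cat "$artifact.sha1")" ]
}

# Full round trip; returns 0 only if the "CI" signature and checksums verify.
demo_release_signing() {
  local work passphrase key_id armored artifact rc
  work=$(mktemp -d)
  passphrase='constructed-demo-passphrase'   # stands in for the real secret
  artifact="$work/client-1.0.0.jar"          # constructed bytes, not a real jar
  rc=0

  # "Developer machine": one dedicated sign-only key without subkeys (the
  # decision reached later in the thread) and a one-year expiry.
  export GNUPGHOME="$work/local"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  gpg --batch --pinentry-mode loopback --passphrase "$passphrase" \
      --quick-generate-key 'demo signer <demo@example.invalid>' rsa3072 sign 1y \
      2>/dev/null || return 1
  key_id=$(long_key_id)
  armored=$(export_signing_key "$key_id" "$passphrase") || return 1
  case "$armored" in
    "-----BEGIN PGP PRIVATE KEY BLOCK-----"*) ;;
    *) echo "export did not yield an armored private key block" >&2; return 1 ;;
  esac
  gpgconf --kill gpg-agent

  # "CI runner": empty keyring; key and passphrase arrive as the environment
  # variables the workflow sets from the two GitHub secrets.
  export GNUPGHOME="$work/ci"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  export SIGNING_KEY="$armored" SIGNING_PASSWORD="$passphrase"
  printf 'constructed artifact bytes\n' > "$artifact"
  sign_artifact "$artifact" 2>/dev/null || rc=1
  if [ "$rc" -eq 0 ]; then verify_artifact "$artifact" || rc=1; fi
  gpgconf --kill gpg-agent
  rm -rf "$work"
  return "$rc"
}

DEMO_STATUS=0
demo_release_signing || DEMO_STATUS=$?
[ "$DEMO_STATUS" -eq 0 ] && echo "sign + verify round trip succeeded" \
  || echo "round trip failed (status $DEMO_STATUS)"
```

The --pinentry-mode loopback / --passphrase pair is what makes every gpg call non-interactive on a runner; without it gpg tries to open a pinentry dialog and the job hangs. Keep the .asc, .md5 and .sha1 files next to the artifact because that is the layout Central expects when the bundle is staged.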
@Zero3141 Zero3141 moved this from In Progress to To Review in secureCodeBox v4 Jul 19, 2023
@Weltraumschaf (Member Author):

Real name: the secureCodeBox authors
E-Mail: securecodebox@iteratec.com
Comment:

  1. Master Key
  2. Signing Key

@Weltraumschaf (Member Author):

Here we can see our published snapshots.

@Weltraumschaf (Member Author):

GPG Signing: We had the plan to use a sub key derived from a secret master key to sign the artifacts, but it seems that Maven can't deal with sub keys. So we decided to use one dedicated GPG key only for the Java artifacts we deploy to Maven Central.

@Zero3141 (Contributor):

It's recommended to set an expiration date of less than two years for our signing key. How do we keep track of this interval? @Weltraumschaf

@Weltraumschaf (Member Author):

We add an appointment to the team calendar :-)

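For tracking the expiry interval discussed in the two comments above by something sturdier than a calendar entry, an added example (not the project's tooling) that parses GnuPG's machine-readable secret-key listing and fails when a key expires within a warning window or has no expiry at all. The listing below is constructed sample data with made-up key IDs and identities; the field positions are those of GnuPG's --with-colons format, and "now" is passed in as a parameter so the check is reproducible.

```shell
#!/bin/sh
# Added example, not the project's tooling: a rotation check for the signing
# key's expiry that can run in CI or from cron, built on the machine-readable
# `gpg --list-secret-keys --with-colons` output. In a "sec" record the 5th
# field is the long key ID and the 7th the expiry as a Unix timestamp (empty
# when the key never expires).
set -eu

# Prints "<long_id> <days_until_expiry>" per secret key, or "<long_id> never"
# for keys without an expiry. $1 = colon-format listing, $2 = "now" as epoch.
key_expiry_report() {
  printf '%s\n' "$1" | awk -F: -v now="$2" '
    $1 == "sec" {
      if ($7 == "") { print $5, "never"; next }
      print $5, int(($7 - now) / 86400)
    }'
}

# Returns 0 when every key still has more than $3 days left. Returns 1 (so a
# scheduled job fails loudly) when any key expires within $3 days or never
# expires; the latter violates the "less than two years" recommendation.
signing_keys_ok() {
  local listing now warn_days
  listing=$1; now=$2; warn_days=$3
  key_expiry_report "$listing" "$now" | awk -v warn="$warn_days" '
    $2 == "never" || $2 + 0 < warn + 0 { bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample listing with made-up key IDs and identities (not the
# project's keys): one key created 2023-07-19 and expiring 2025-07-18, one
# created the same day without an expiry date.
SAMPLE_LISTING='sec:u:3072:1:0123456789ABCDEF:1689724800:1752796800::u:::sc:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1689724800::0000000000000000000000000000000000000000::demo signer <demo@example.invalid>::::::::::0:
sec:u:3072:1:FEDCBA9876543210:1689724800:::u:::sc:::+:::23::0:
uid:u::::1689724800::1111111111111111111111111111111111111111::demo key without expiry <never@example.invalid>::::::::::0:'

# Against the live keyring, e.g. from a weekly cron job with a 90-day window:
#   signing_keys_ok "$(gpg --batch --list-secret-keys --with-colons)" "$(date +%s)" 90
```

Against the sample data with "now" set to 2025-01-01, the first key reports 198 days and the second reports never, so the overall check fails because of the key without expiry; with only the first key in the listing it passes at a 90-day window and fails once "now" moves to within 90 days of 2025-07-18.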
@Weltraumschaf (Member Author) commented Jul 21, 2023:

We should really document all this stuff. I added your GPG notes as first part for a whole release documentation.

Weltraumschaf added a commit to Weltraumschaf/defectdojo-client-java that referenced this issue Jul 26, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Zero3141 pushed a commit that referenced this issue Jul 27, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Weltraumschaf added a commit to Weltraumschaf/defectdojo-client-java that referenced this issue Aug 1, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Weltraumschaf added a commit that referenced this issue Aug 1, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
@github-project-automation github-project-automation bot moved this from In Progress to Done in secureCodeBox v4 Aug 1, 2023
Weltraumschaf added a commit to Weltraumschaf/defectdojo-client-java that referenced this issue Aug 2, 2023
How to configure it you can see in my dotfiles:
https://github.com/Weltraumschaf/dotfiles/blob/master/src/dotfiles/_gitconfig#L11

Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Weltraumschaf added a commit to Weltraumschaf/defectdojo-client-java that referenced this issue Aug 2, 2023
It is a big hassle to get Gradle releases to work in GH actions as
we like. After spending some time fiddling around with Gradle,
we decided to use good old Maven, which we have more knowledge in.

Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Weltraumschaf added a commit to Weltraumschaf/defectdojo-client-java that referenced this issue Aug 2, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Zero3141 referenced this issue in Zero3141/defectdojo-client-java Aug 2, 2023
How to configure it you can see in my dotfiles:
https://github.com/Weltraumschaf/dotfiles/blob/master/src/dotfiles/_gitconfig#L11

Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Zero3141 referenced this issue in Zero3141/defectdojo-client-java Aug 2, 2023
It is a big hassle to get Gradle releases to work in GH actions as
we like. After spending some time fiddling around with Gradle,
we decided to use good old Maven, which we have more knowledge in.

Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Zero3141 referenced this issue in Zero3141/defectdojo-client-java Aug 2, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
@Weltraumschaf Weltraumschaf moved this from Done to In Progress in secureCodeBox v4 Aug 3, 2023
@Weltraumschaf (Member Author):

We decided to change from Gradle to Maven because a fully automatic release is not feasible in the way we want it. We have tried now for merely a week to get it to work. With Maven it seems way easier.

@Weltraumschaf Weltraumschaf reopened this Aug 3, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Backlog in secureCodeBox v4 Aug 3, 2023
@Weltraumschaf Weltraumschaf moved this from Backlog to In Progress in secureCodeBox v4 Aug 3, 2023
Weltraumschaf added a commit that referenced this issue Aug 7, 2023
How to configure it you can see in my dotfiles:
https://github.com/Weltraumschaf/dotfiles/blob/master/src/dotfiles/_gitconfig#L11

Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Weltraumschaf added a commit that referenced this issue Aug 7, 2023
It is a big hassle to get Gradle releases to work in GH actions as
we like. After spending some time fiddling around with Gradle,
we decided to use good old Maven, which we have more knowledge in.

Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
Weltraumschaf added a commit that referenced this issue Aug 7, 2023
Signed-off-by: Sven Strittmatter <sven.strittmatter@iteratec.com>
@Zero3141 (Contributor) commented Aug 7, 2023:

Problem: We enforce two status checks (DCO & Java Tests) to pass before merging. We already allowed the SCB Bot (which performs the push commit in which the version is bumped in the pom.xml) to push on the main branch. However, this setting mentions that Required status checks will still prevent these people, teams, and apps from merging if the checks fail.

It seems like this is a general issue, see this discussion.

@Zero3141 (Contributor) commented Aug 10, 2023:

We have weakened the branch protection rules to decouple the release process from Issue 157.

@Weltraumschaf (Member Author):

@Zero3141 Can we add to the action that it updates the version in the README.md?
