stevedlawrence commented on code in PR #20:
URL:
https://github.com/apache/daffodil-infrastructure/pull/20#discussion_r2500480848
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31855,46 +31855,97 @@ async function run() {
const tlp_dir = core.getInput("tlp_dir", { required: true });
const project_id = core.getInput("project_id", { required: true
});
const project_dir = core.getInput("project_dir");
- const gpg_signing_key = core.getInput("gpg_signing_key", {
required: true });
- const svn_username = core.getInput("svn_username", { required:
true });
- const svn_password = core.getInput("svn_password", { required:
true });
- const nexus_username = core.getInput("nexus_username", {
required: true });
- const nexus_password = core.getInput("nexus_password", {
required: true });
- let publish = core.getBooleanInput("publish");
+ const publish = core.getBooleanInput("publish");
+ let gpg_signing_key = "";
+ let gpg_signing_public_key = "";
+ let gpg_signing_key_id = "";
+ const gitTagPrefix = "refs/tags/";
+ // get the actual project version, this requires a 'VERSION'
file at
+ // the root of the repository
+ const project_version =
fs.readFileSync("VERSION").toString().trim();
+ const is_snapshot = project_version.includes("-SNAPSHOT");
+ const do_publish =
+ // Note that publishing could be disabled if the
publish input was explicitly set
+ // to false
+ publish
+ // enable publishing for tags
+ && (github.context.eventName == "push" &&
github.context.ref.startsWith(gitTagPrefix))
+ // enable publishing for non-snapshot builds and ASF
builds.
+ && (!is_snapshot && process.env.GITHUB_REPOSITORY_OWNER
== "apache")
+
+ if (do_publish) {
+ gpg_signing_key = core.getInput("gpg_signing_key",
{required: true});
+ }
Review Comment:
gpg_signing_key could be const.
```ts
// only require a signing key if we aren't publishing
const gpg_signing_key = core.getInput("gpg_signing_key", { required:
do_publish });
```
##########
actions/release-candidate/src/main.js:
##########
@@ -26,46 +26,97 @@ async function run() {
const tlp_dir = core.getInput("tlp_dir", { required: true });
const project_id = core.getInput("project_id", { required: true
});
const project_dir = core.getInput("project_dir");
- const gpg_signing_key = core.getInput("gpg_signing_key", {
required: true });
- const svn_username = core.getInput("svn_username", { required:
true });
- const svn_password = core.getInput("svn_password", { required:
true });
- const nexus_username = core.getInput("nexus_username", {
required: true });
- const nexus_password = core.getInput("nexus_password", {
required: true });
- let publish = core.getBooleanInput("publish");
+ const publish = core.getBooleanInput("publish");
+ let gpg_signing_key = "";
+ let gpg_signing_public_key = "";
+ let gpg_signing_key_id = "";
+ const gitTagPrefix = "refs/tags/";
+ // get the actual project version, this requires a 'VERSION'
file at
+ // the root of the repository
+ const project_version =
fs.readFileSync("VERSION").toString().trim();
+ const is_snapshot = project_version.includes("-SNAPSHOT");
+ const do_publish =
+ // Note that publishing could be disabled if the
publish input was explicitly set
+ // to false
+ publish
+ // enable publishing for tags
+ && (github.context.eventName == "push" &&
github.context.ref.startsWith(gitTagPrefix))
+ // enable publishing for non-snapshot builds and ASF
builds.
+ && (!is_snapshot && process.env.GITHUB_REPOSITORY_OWNER
== "apache")
+
+ if (do_publish) {
+ gpg_signing_key = core.getInput("gpg_signing_key",
{required: true});
+ }
+
+ if (gpg_signing_key.trim() === "") {
+ // Generate keypair (non-interactive)
+ await exec("gpg", ["--batch", "--yes", "--passphrase",
'', "--quick-generate-key", process.env.USER ]);
+
+ // Capture the key id of the most recent generated key
+ await exec('bash', ['-c', "gpg --list-secret-keys
--with-colons | grep '^fpr' | tail -n1 | cut -d: -f10"], {
+ listeners: {
+ stdout: (data) => {
+ gpg_signing_key_id +=
data.toString().trim();
+ }
+ }
+ });
+
+ // Capture the private signing key
+ await exec("gpg", ["--armor", "--export-secret-keys",
gpg_signing_key_id], {
+ listeners: {
+ stdout: (data) => {
+ gpg_signing_key +=
data.toString().trim();
+ }
+ }
+ });
+ // Capture the public signing key
+ await exec("gpg", ["--armor", "--export",
gpg_signing_key_id], {
+ listeners: {
+ stdout: (data) => {
+ gpg_signing_public_key +=
data.toString().trim();
+ }
+ }
+ });
Review Comment:
I don't think we need to capture either of these keys above.
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31855,46 +31855,97 @@ async function run() {
const tlp_dir = core.getInput("tlp_dir", { required: true });
const project_id = core.getInput("project_id", { required: true
});
const project_dir = core.getInput("project_dir");
- const gpg_signing_key = core.getInput("gpg_signing_key", {
required: true });
- const svn_username = core.getInput("svn_username", { required:
true });
- const svn_password = core.getInput("svn_password", { required:
true });
- const nexus_username = core.getInput("nexus_username", {
required: true });
- const nexus_password = core.getInput("nexus_password", {
required: true });
- let publish = core.getBooleanInput("publish");
+ const publish = core.getBooleanInput("publish");
Review Comment:
Can you add a blank line after this to make differentiate getting the input
vs the start of the action logic?
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31855,46 +31855,97 @@ async function run() {
const tlp_dir = core.getInput("tlp_dir", { required: true });
const project_id = core.getInput("project_id", { required: true
});
const project_dir = core.getInput("project_dir");
- const gpg_signing_key = core.getInput("gpg_signing_key", {
required: true });
- const svn_username = core.getInput("svn_username", { required:
true });
- const svn_password = core.getInput("svn_password", { required:
true });
- const nexus_username = core.getInput("nexus_username", {
required: true });
- const nexus_password = core.getInput("nexus_password", {
required: true });
- let publish = core.getBooleanInput("publish");
+ const publish = core.getBooleanInput("publish");
+ let gpg_signing_key = "";
+ let gpg_signing_public_key = "";
+ let gpg_signing_key_id = "";
Review Comment:
Can you define these variables closer to where they are used? Makes it
easier to see when they are mutated if it's they are defined and mutated closed
to each other.
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31855,46 +31855,97 @@ async function run() {
const tlp_dir = core.getInput("tlp_dir", { required: true });
const project_id = core.getInput("project_id", { required: true
});
const project_dir = core.getInput("project_dir");
- const gpg_signing_key = core.getInput("gpg_signing_key", {
required: true });
- const svn_username = core.getInput("svn_username", { required:
true });
- const svn_password = core.getInput("svn_password", { required:
true });
- const nexus_username = core.getInput("nexus_username", {
required: true });
- const nexus_password = core.getInput("nexus_password", {
required: true });
- let publish = core.getBooleanInput("publish");
+ const publish = core.getBooleanInput("publish");
+ let gpg_signing_key = "";
+ let gpg_signing_public_key = "";
+ let gpg_signing_key_id = "";
+ const gitTagPrefix = "refs/tags/";
+ // get the actual project version, this requires a 'VERSION'
file at
+ // the root of the repository
+ const project_version =
fs.readFileSync("VERSION").toString().trim();
+ const is_snapshot = project_version.includes("-SNAPSHOT");
+ const do_publish =
+ // Note that publishing could be disabled if the
publish input was explicitly set
+ // to false
+ publish
+ // enable publishing for tags
+ && (github.context.eventName == "push" &&
github.context.ref.startsWith(gitTagPrefix))
+ // enable publishing for non-snapshot builds and ASF
builds.
+ && (!is_snapshot && process.env.GITHUB_REPOSITORY_OWNER
== "apache")
+
+ if (do_publish) {
+ gpg_signing_key = core.getInput("gpg_signing_key",
{required: true});
+ }
+
+ if (gpg_signing_key.trim() === "") {
+ // Generate keypair (non-interactive)
+ await exec("gpg", ["--batch", "--yes", "--passphrase",
'', "--quick-generate-key", process.env.USER ]);
+
+ // Capture the key id of the most recent generated key
+ await exec('bash', ['-c', "gpg --list-secret-keys
--with-colons | grep '^fpr' | tail -n1 | cut -d: -f10"], {
+ listeners: {
+ stdout: (data) => {
+ gpg_signing_key_id +=
data.toString().trim();
+ }
+ }
+ });
+
+ // Capture the private signing key
+ await exec("gpg", ["--armor", "--export-secret-keys",
gpg_signing_key_id], {
+ listeners: {
+ stdout: (data) => {
+ gpg_signing_key +=
data.toString().trim();
+ }
+ }
+ });
+ // Capture the public signing key
+ await exec("gpg", ["--armor", "--export",
gpg_signing_key_id], {
+ listeners: {
+ stdout: (data) => {
+ gpg_signing_public_key +=
data.toString().trim();
+ }
+ }
+ });
+ }
// import signing key into gpg and get it's key id
let gpg_import_stdout = ""
await exec("gpg", ["--batch", "--import", "--import-options",
"import-show"], {
input: Buffer.from(gpg_signing_key),
listeners: {
- stdout: (data) => { gpg_import_stdout +=
data.toString(); }
+ stdout: (data) => {
+ gpg_import_stdout += data.toString();
+ }
}
});
- const gpg_signing_key_id =
gpg_import_stdout.match("[0-9A-Z]{40}")[0];
- console.info("Using gpgp key id: " + gpg_signing_key_id);
- // tags must be signed with a committers key, download and
import committer
- // keys for verification later
- let committer_keys = "";
- await exec("curl", [`https://downloads.apache.org/${ tlp_dir
}/KEYS`], {
- silent: true,
- listeners: {
- stdout: (data) => { committer_keys +=
data.toString(); }
- }
- });
- await exec("gpg", ["--batch", "--import"], {
- input: Buffer.from(committer_keys)
- });
+ // if the key id is not already set, extract it from the output
of the import command
+ if (gpg_signing_key_id === "") {
+ gpg_signing_key_id =
gpg_import_stdout.match("[0-9A-Z]{40}")[0];
+ }
+ console.info("Using gpgp key id: " + gpg_signing_key_id);
- // get the actual project version, this requires a 'VERSION'
file at
- // the root of the repository
- const project_version =
fs.readFileSync("VERSION").toString().trim();
+ if (do_publish) {
+ // tags must be signed with a committers key, download
and import committer
+ // keys for verification later
+ let committer_keys = "";
+ await exec("curl",
[`https://downloads.apache.org/${tlp_dir}/KEYS`], {
+ silent: true,
+ listeners: {
+ stdout: (data) => {
+ committer_keys +=
data.toString();
+ }
+ }
+ });
+ await exec("gpg", ["--batch", "--import"], {
+ input: Buffer.from(committer_keys)
+ });
+ }
Review Comment:
Can we combine this into the below do_publish block? That way there is only
one place where all the do_publish checks and configurations happen?
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31855,46 +31855,97 @@ async function run() {
const tlp_dir = core.getInput("tlp_dir", { required: true });
const project_id = core.getInput("project_id", { required: true
});
const project_dir = core.getInput("project_dir");
- const gpg_signing_key = core.getInput("gpg_signing_key", {
required: true });
- const svn_username = core.getInput("svn_username", { required:
true });
- const svn_password = core.getInput("svn_password", { required:
true });
- const nexus_username = core.getInput("nexus_username", {
required: true });
- const nexus_password = core.getInput("nexus_password", {
required: true });
- let publish = core.getBooleanInput("publish");
+ const publish = core.getBooleanInput("publish");
+ let gpg_signing_key = "";
+ let gpg_signing_public_key = "";
+ let gpg_signing_key_id = "";
+ const gitTagPrefix = "refs/tags/";
+ // get the actual project version, this requires a 'VERSION'
file at
+ // the root of the repository
+ const project_version =
fs.readFileSync("VERSION").toString().trim();
+ const is_snapshot = project_version.includes("-SNAPSHOT");
+ const do_publish =
+ // Note that publishing could be disabled if the
publish input was explicitly set
+ // to false
+ publish
+ // enable publishing for tags
+ && (github.context.eventName == "push" &&
github.context.ref.startsWith(gitTagPrefix))
+ // enable publishing for non-snapshot builds and ASF
builds.
+ && (!is_snapshot && process.env.GITHUB_REPOSITORY_OWNER
== "apache")
+
+ if (do_publish) {
+ gpg_signing_key = core.getInput("gpg_signing_key",
{required: true});
+ }
+
+ if (gpg_signing_key.trim() === "") {
+ // Generate keypair (non-interactive)
+ await exec("gpg", ["--batch", "--yes", "--passphrase",
'', "--quick-generate-key", process.env.USER ]);
Review Comment:
Generating a secret key automatically imports it, so it isn't necessary to
export the secret/public key and to import it later. I think this can just be
```ts
if (gpg_signing_key.trim() === "") {
// Generate keypair (non-interactive)
await exec("gpg", ["--batch", "--yes", "--passphrase", '',
"--quick-generate-key"]);
} else {
await exec("gpg", ["--batch", "--import", "--import-options",
"import-show"])
}
```
Also, I'm not sure if --quick-generate-key will output the key id, so maybe
you can do tweak and do the --list-secret-keys command after this to extract
the key id out of that. That would probably be a more reliable way to get the
key id anyways instead of our current thing of just trying to match 40
characters.
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31855,46 +31855,97 @@ async function run() {
const tlp_dir = core.getInput("tlp_dir", { required: true });
const project_id = core.getInput("project_id", { required: true
});
const project_dir = core.getInput("project_dir");
- const gpg_signing_key = core.getInput("gpg_signing_key", {
required: true });
- const svn_username = core.getInput("svn_username", { required:
true });
- const svn_password = core.getInput("svn_password", { required:
true });
- const nexus_username = core.getInput("nexus_username", {
required: true });
- const nexus_password = core.getInput("nexus_password", {
required: true });
- let publish = core.getBooleanInput("publish");
+ const publish = core.getBooleanInput("publish");
+ let gpg_signing_key = "";
+ let gpg_signing_public_key = "";
+ let gpg_signing_key_id = "";
+ const gitTagPrefix = "refs/tags/";
+ // get the actual project version, this requires a 'VERSION'
file at
+ // the root of the repository
+ const project_version =
fs.readFileSync("VERSION").toString().trim();
+ const is_snapshot = project_version.includes("-SNAPSHOT");
+ const do_publish =
+ // Note that publishing could be disabled if the
publish input was explicitly set
+ // to false
+ publish
+ // enable publishing for tags
+ && (github.context.eventName == "push" &&
github.context.ref.startsWith(gitTagPrefix))
+ // enable publishing for non-snapshot builds and ASF
builds.
+ && (!is_snapshot && process.env.GITHUB_REPOSITORY_OWNER
== "apache")
+
+ if (do_publish) {
+ gpg_signing_key = core.getInput("gpg_signing_key",
{required: true});
+ }
+
+ if (gpg_signing_key.trim() === "") {
+ // Generate keypair (non-interactive)
+ await exec("gpg", ["--batch", "--yes", "--passphrase",
'', "--quick-generate-key", process.env.USER ]);
+
+ // Capture the key id of the most recent generated key
+ await exec('bash', ['-c', "gpg --list-secret-keys
--with-colons | grep '^fpr' | tail -n1 | cut -d: -f10"], {
+ listeners: {
+ stdout: (data) => {
+ gpg_signing_key_id +=
data.toString().trim();
+ }
+ }
+ });
+
+ // Capture the private signing key
+ await exec("gpg", ["--armor", "--export-secret-keys",
gpg_signing_key_id], {
+ listeners: {
+ stdout: (data) => {
+ gpg_signing_key +=
data.toString().trim();
+ }
+ }
+ });
+ // Capture the public signing key
+ await exec("gpg", ["--armor", "--export",
gpg_signing_key_id], {
+ listeners: {
+ stdout: (data) => {
+ gpg_signing_public_key +=
data.toString().trim();
+ }
+ }
+ });
+ }
// import signing key into gpg and get it's key id
let gpg_import_stdout = ""
await exec("gpg", ["--batch", "--import", "--import-options",
"import-show"], {
input: Buffer.from(gpg_signing_key),
listeners: {
- stdout: (data) => { gpg_import_stdout +=
data.toString(); }
+ stdout: (data) => {
+ gpg_import_stdout += data.toString();
+ }
}
});
- const gpg_signing_key_id =
gpg_import_stdout.match("[0-9A-Z]{40}")[0];
- console.info("Using gpgp key id: " + gpg_signing_key_id);
- // tags must be signed with a committers key, download and
import committer
- // keys for verification later
- let committer_keys = "";
- await exec("curl", [`https://downloads.apache.org/${ tlp_dir
}/KEYS`], {
- silent: true,
- listeners: {
- stdout: (data) => { committer_keys +=
data.toString(); }
- }
- });
- await exec("gpg", ["--batch", "--import"], {
- input: Buffer.from(committer_keys)
- });
+ // if the key id is not already set, extract it from the output
of the import command
+ if (gpg_signing_key_id === "") {
+ gpg_signing_key_id =
gpg_import_stdout.match("[0-9A-Z]{40}")[0];
+ }
+ console.info("Using gpgp key id: " + gpg_signing_key_id);
- // get the actual project version, this requires a 'VERSION'
file at
- // the root of the repository
- const project_version =
fs.readFileSync("VERSION").toString().trim();
+ if (do_publish) {
+ // tags must be signed with a committers key, download
and import committer
+ // keys for verification later
+ let committer_keys = "";
+ await exec("curl",
[`https://downloads.apache.org/${tlp_dir}/KEYS`], {
+ silent: true,
+ listeners: {
+ stdout: (data) => {
+ committer_keys +=
data.toString();
+ }
+ }
+ });
+ await exec("gpg", ["--batch", "--import"], {
+ input: Buffer.from(committer_keys)
+ });
+ }
// figure out the release version. This should follow the
pattern
// 'v<VERSION>-rcX', where <VERSION> is the value from the
VERSION file
- const gitTagPrefix = "refs/tags/";
let release_version = "";
- if (github.context.eventName == "push" &&
github.context.ref.startsWith(gitTagPrefix)) {
+ if (do_publish) {
Review Comment:
I'm not sure we should do this change. Even if we aren't publishing but we
are triggered via a tag then I think we still want to get the release_version
from the tag. Maybe we just wrapp the git tag --verify command in a if
(do_publish), or maybe add something like `if (is_tagged) git tag --verify` in
the do_publish block. Again making it so all the do_publish logic is in one
spot.
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31855,46 +31855,97 @@ async function run() {
const tlp_dir = core.getInput("tlp_dir", { required: true });
const project_id = core.getInput("project_id", { required: true
});
const project_dir = core.getInput("project_dir");
- const gpg_signing_key = core.getInput("gpg_signing_key", {
required: true });
- const svn_username = core.getInput("svn_username", { required:
true });
- const svn_password = core.getInput("svn_password", { required:
true });
- const nexus_username = core.getInput("nexus_username", {
required: true });
- const nexus_password = core.getInput("nexus_password", {
required: true });
- let publish = core.getBooleanInput("publish");
+ const publish = core.getBooleanInput("publish");
+ let gpg_signing_key = "";
+ let gpg_signing_public_key = "";
+ let gpg_signing_key_id = "";
+ const gitTagPrefix = "refs/tags/";
+ // get the actual project version, this requires a 'VERSION'
file at
+ // the root of the repository
+ const project_version =
fs.readFileSync("VERSION").toString().trim();
+ const is_snapshot = project_version.includes("-SNAPSHOT");
+ const do_publish =
+ // Note that publishing could be disabled if the
publish input was explicitly set
+ // to false
+ publish
+ // enable publishing for tags
+ && (github.context.eventName == "push" &&
github.context.ref.startsWith(gitTagPrefix))
+ // enable publishing for non-snapshot builds and ASF
builds.
+ && (!is_snapshot && process.env.GITHUB_REPOSITORY_OWNER
== "apache")
+
+ if (do_publish) {
+ gpg_signing_key = core.getInput("gpg_signing_key",
{required: true});
+ }
+
+ if (gpg_signing_key.trim() === "") {
+ // Generate keypair (non-interactive)
+ await exec("gpg", ["--batch", "--yes", "--passphrase",
'', "--quick-generate-key", process.env.USER ]);
+
+ // Capture the key id of the most recent generated key
+ await exec('bash', ['-c', "gpg --list-secret-keys
--with-colons | grep '^fpr' | tail -n1 | cut -d: -f10"], {
Review Comment:
Suggest we implement this in type script so there isn't a of mix of bash and
typescript. ChatGPT says something like this should work. It's quite as clean,
but it's still perfectly readable
```ts
let gpg_list_secret_keys_stdout = ""
await exec("gpg", ['"--list-secret-keys", "--with-colons"], {
listeners: {
stdout: (data) => {
gpg_list_secret_keys_stdout += data.toString().trim();
}
}
});
const gpg_siging_key_id = gpg_list_secret_keys_stdout
.split("\n")
.findLast(l => l.startsWith("fpr"))!
.split(":")[9];
```
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31855,46 +31855,97 @@ async function run() {
const tlp_dir = core.getInput("tlp_dir", { required: true });
const project_id = core.getInput("project_id", { required: true
});
const project_dir = core.getInput("project_dir");
- const gpg_signing_key = core.getInput("gpg_signing_key", {
required: true });
- const svn_username = core.getInput("svn_username", { required:
true });
- const svn_password = core.getInput("svn_password", { required:
true });
- const nexus_username = core.getInput("nexus_username", {
required: true });
- const nexus_password = core.getInput("nexus_password", {
required: true });
- let publish = core.getBooleanInput("publish");
+ const publish = core.getBooleanInput("publish");
+ let gpg_signing_key = "";
+ let gpg_signing_public_key = "";
+ let gpg_signing_key_id = "";
+ const gitTagPrefix = "refs/tags/";
+ // get the actual project version, this requires a 'VERSION'
file at
+ // the root of the repository
+ const project_version =
fs.readFileSync("VERSION").toString().trim();
+ const is_snapshot = project_version.includes("-SNAPSHOT");
+ const do_publish =
+ // Note that publishing could be disabled if the
publish input was explicitly set
+ // to false
+ publish
+ // enable publishing for tags
Review Comment:
Instead of "enable publishing" I think it's more clear to say "require a
pushed tag to enabling publishing". Same thing below "require non-snapshot ASF
builds to enable publishing"
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31855,46 +31855,97 @@ async function run() {
const tlp_dir = core.getInput("tlp_dir", { required: true });
const project_id = core.getInput("project_id", { required: true
});
const project_dir = core.getInput("project_dir");
- const gpg_signing_key = core.getInput("gpg_signing_key", {
required: true });
- const svn_username = core.getInput("svn_username", { required:
true });
- const svn_password = core.getInput("svn_password", { required:
true });
- const nexus_username = core.getInput("nexus_username", {
required: true });
- const nexus_password = core.getInput("nexus_password", {
required: true });
- let publish = core.getBooleanInput("publish");
+ const publish = core.getBooleanInput("publish");
+ let gpg_signing_key = "";
+ let gpg_signing_public_key = "";
+ let gpg_signing_key_id = "";
+ const gitTagPrefix = "refs/tags/";
+ // get the actual project version, this requires a 'VERSION'
file at
+ // the root of the repository
+ const project_version =
fs.readFileSync("VERSION").toString().trim();
+ const is_snapshot = project_version.includes("-SNAPSHOT");
+ const do_publish =
+ // Note that publishing could be disabled if the
publish input was explicitly set
+ // to false
+ publish
+ // enable publishing for tags
+ && (github.context.eventName == "push" &&
github.context.ref.startsWith(gitTagPrefix))
+ // enable publishing for non-snapshot builds and ASF
builds.
+ && (!is_snapshot && process.env.GITHUB_REPOSITORY_OWNER
== "apache")
Review Comment:
These conditions are duplicated elsewhere elsewhere. Should we capture them
in const variables? So this can be something like
```ts
const do_publish = publish && is_tagged && !is_snapshot && is_apache
```
That's also a bit easier to read to make sense of
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31950,14 +31995,16 @@ async function run() {
fs.appendFileSync(`${ sbt_dir }/plugins/build.sbt`,
'addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.1.2")\n');
fs.appendFileSync(`${ sbt_dir }/build.sbt`, `pgpSigningKey :=
Some("${ gpg_signing_key_id }")\n`);
- // enable SBT for publishing SBOM
+ // enable SBT for publishing SBOM either locally or remotely
fs.appendFileSync(`${ sbt_dir }/plugins/build.sbt`,
'addSbtPlugin("com.github.sbt" %% "sbt-sbom" % "0.4.0")\n');
fs.appendFileSync(`${ sbt_dir }/build.sbt`, 'bomFormat :=
"xml"\n');
- if (publish) {
+ if (do_publish) {
// if publishing is enabled, publishing to the apache
staging repository
// with the provided credentials. We must diable
gigahorse since that fails
// to publish on some systems
+ const nexus_username = core.getInput("nexus_username",
{ required: true });
+ const nexus_password = core.getInput("nexus_password",
{ required: true });
Review Comment:
Can we also get the svn_username/password? They aren't used but if we don't
get and require them now we could fail in post after sbt might have published
things. If we detect the error now, we detect failure early and avoid
publishing things.
I also wonder if we could also actually write the svn_username/passowrd to a
some credntials file that svn will use. Then we don't have to worry about
post.js having to be concerned about credentials. It also means the actions
using this could commit things to svn without needing to know the user/pass
information, similar to how sbt publish already has access to credentials.
##########
actions/release-candidate/dist/main/index.js:
##########
@@ -31991,6 +32038,12 @@ async function run() {
const artifact_dir = `${ project_dist_dir }/${
release_version.slice(1) }`;
fs.mkdirSync(artifact_dir);
+ // if publishing is disabled, store public key as artifact so
it can be downloaded
+ // by the post step for verification
+ if (!do_publish) {
+ fs.appendFileSync(`${ artifact_dir }/public-key.asc`,
gpg_signing_public_key);
+ }
Review Comment:
I'd suggest we both capture the public key and write it to a file in the
post.js in the do_publish false block in post.js, since that's all specific to
creating the github upload artifact.
Also, I would recommend we write this to the release-download directory
instead of the artifact_dir. It avoids any possible issues thinking it's an
actual artifact that might cause reproducible checks to fail. I don't think
they should since we ignore.asc files, but I'm not positive. If it's in the
download-release directory, that definitely shouldn't cause it's. The key is
also a bit more visible that way.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
