This is an automated email from the ASF dual-hosted git repository.
slawrence pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/daffodil-infrastructure.git
The following commit(s) were added to refs/heads/main by this push:
new 185730e Change how we save svn credentials
185730e is described below
commit 185730e94832371b42cdae0957afdd47a70f7bdb
Author: Steve Lawrence <[email protected]>
AuthorDate: Mon Dec 8 07:31:33 2025 -0500
Change how we save svn credentials
Modern svn does not store passwords in the ~/.subversion/servers file.
Instead it stores them in ~/.subversion/auth/ using a custom file
format. This changes how we write the svn authentication credentials to
use the correct format so that workflow actions do not need to provide
username/passwords.
This also adds parentheses when calling os.homedir. Node.js has magic
that allows os.homedir to do what one expects within template strings,
but really the correct way to use it is to call it as a function.
---
actions/release-candidate/dist/main/index.js | 60 ++++++++++++++++------------
actions/release-candidate/src/main.js | 60 ++++++++++++++++------------
2 files changed, 68 insertions(+), 52 deletions(-)
diff --git a/actions/release-candidate/dist/main/index.js
b/actions/release-candidate/dist/main/index.js
index f5b67ae..162d695 100644
--- a/actions/release-candidate/dist/main/index.js
+++ b/actions/release-candidate/dist/main/index.js
@@ -31849,6 +31849,7 @@ const os = __nccwpck_require__(857);
const core = __nccwpck_require__(7484);
const github = __nccwpck_require__(3228);
const { exec } = __nccwpck_require__(5236);
+const crypto = __nccwpck_require__(6982);
async function run() {
try {
@@ -31968,7 +31969,7 @@ async function run() {
// sbt-pgp plugin version should not be updated unless there is
a
// compelling reason. Release signing has been known to break
with newer
// versions.
- const sbt_dir = `${ os.homedir }/.sbt/1.0`
+ const sbt_dir = `${ os.homedir() }/.sbt/1.0`
fs.mkdirSync(`${ sbt_dir }/plugins`, { recursive: true });
fs.appendFileSync(`${ sbt_dir }/plugins/build.sbt`,
'addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.1.2")\n');
fs.appendFileSync(`${ sbt_dir }/build.sbt`, `pgpSigningKey :=
Some("${ gpg_signing_key_id }")\n`);
@@ -31978,34 +31979,41 @@ async function run() {
fs.appendFileSync(`${ sbt_dir }/build.sbt`, 'bomFormat :=
"xml"\n');
if (do_publish) {
- // if publishing is enabled, we must configure sbt to
write to a config file for
- // post to read from
+ // if publishing is enabled, we configure SVN and SBT
so future commands and
+ // workflow tasks can publish artifacts without needing
to pass in
+ // credentials/repositories/etc.
+
+ // svn has a custom format for storing auth
credentials, which can be created
+ // using an official script they provide:
+ //
+ //
https://svn.apache.org/repos/asf/subversion/trunk/tools/client-side/store-plaintext-password.py
+ //
+ // But instead of trying to download and use that
script, we simply
+ // reimplement the core logic below
const svn_username = core.getInput("svn_username", {
required: true });
const svn_password = core.getInput("svn_password", {
required: true });
+ const svn_realm = "<https://dist.apache.org:443> ASF
Committers";
+
+ const svn_realm_id =
crypto.createHash("md5").update(svn_realm).digest("hex");
+ const svn_auth_dir = `${ os.homedir()
}/.subversion/auth/svn.simple/`;
+ const svn_auth_file = `${ svn_auth_dir }/${
svn_realm_id }`;
+ const svn_auth_content = {
+ 'svn:realmstring': svn_realm,
+ 'username': svn_username,
+ 'passtype': 'simple',
+ 'password': svn_password
+ };
+ fs.mkdirSync(svn_auth_dir, { recursive: true });
+ fs.writeFileSync(svn_auth_file, '');
+ for (const [key, value] of
Object.entries(svn_auth_content)) {
+ fs.appendFileSync(svn_auth_file, `K ${
key.length }\n${ key }\n`);
+ fs.appendFileSync(svn_auth_file, `V ${
value.length }\n${ value }\n`);
+ }
+ fs.appendFileSync(svn_auth_file, 'END\n');
- // Create the default config directory if it doesn't
exist
- const svn_config_dir = `${ os.homedir }/.subversion`;
- fs.mkdirSync(`${ svn_config_dir }`, { recursive: true
});
-
- // Write to/Overwrite the 'servers' file inside it
- const servers_file = `${ svn_config_dir }/servers`;
- const servers_content = `
-[global]
-store-plaintext-passwords = yes
-store-plaintext-creds = yes
-
-[groups]
-default = *
-
-[default]
-username = ${svn_username}
-password = ${svn_password}
-`;
- fs.writeFileSync(servers_file, servers_content.trim(),
{ mode: 0o600 });
-
- // if publishing is enabled, publishing to the apache
staging repository
- // with the provided credentials. We must diable
gigahorse since that fails
- // to publish on some systems
+ // configure SBT to publish to the apache staging
repository with the provided
+ // credentials. We must disable gigahorse since that
fails to publish on some
+ // systems
const nexus_username = core.getInput("nexus_username",
{ required: true });
const nexus_password = core.getInput("nexus_password",
{ required: true });
fs.appendFileSync(`${ sbt_dir }/build.sbt`, 'ThisBuild
/ updateOptions := updateOptions.value.withGigahorse(false)\n');
diff --git a/actions/release-candidate/src/main.js
b/actions/release-candidate/src/main.js
index 79553b1..4747f42 100644
--- a/actions/release-candidate/src/main.js
+++ b/actions/release-candidate/src/main.js
@@ -20,6 +20,7 @@ const os = require("os");
const core = require("@actions/core");
const github = require("@actions/github");
const { exec } = require('@actions/exec');
+const crypto = require("crypto");
async function run() {
try {
@@ -139,7 +140,7 @@ async function run() {
// sbt-pgp plugin version should not be updated unless there is
a
// compelling reason. Release signing has been known to break
with newer
// versions.
- const sbt_dir = `${ os.homedir }/.sbt/1.0`
+ const sbt_dir = `${ os.homedir() }/.sbt/1.0`
fs.mkdirSync(`${ sbt_dir }/plugins`, { recursive: true });
fs.appendFileSync(`${ sbt_dir }/plugins/build.sbt`,
'addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.1.2")\n');
fs.appendFileSync(`${ sbt_dir }/build.sbt`, `pgpSigningKey :=
Some("${ gpg_signing_key_id }")\n`);
@@ -149,34 +150,41 @@ async function run() {
fs.appendFileSync(`${ sbt_dir }/build.sbt`, 'bomFormat :=
"xml"\n');
if (do_publish) {
- // if publishing is enabled, we must configure sbt to
write to a config file for
- // post to read from
+ // if publishing is enabled, we configure SVN and SBT
so future commands and
+ // workflow tasks can publish artifacts without needing
to pass in
+ // credentials/repositories/etc.
+
+ // svn has a custom format for storing auth
credentials, which can be created
+ // using an official script they provide:
+ //
+ //
https://svn.apache.org/repos/asf/subversion/trunk/tools/client-side/store-plaintext-password.py
+ //
+ // But instead of trying to download and use that
script, we simply
+ // reimplement the core logic below
const svn_username = core.getInput("svn_username", {
required: true });
const svn_password = core.getInput("svn_password", {
required: true });
+ const svn_realm = "<https://dist.apache.org:443> ASF
Committers";
+
+ const svn_realm_id =
crypto.createHash("md5").update(svn_realm).digest("hex");
+ const svn_auth_dir = `${ os.homedir()
}/.subversion/auth/svn.simple/`;
+ const svn_auth_file = `${ svn_auth_dir }/${
svn_realm_id }`;
+ const svn_auth_content = {
+ 'svn:realmstring': svn_realm,
+ 'username': svn_username,
+ 'passtype': 'simple',
+ 'password': svn_password
+ };
+ fs.mkdirSync(svn_auth_dir, { recursive: true });
+ fs.writeFileSync(svn_auth_file, '');
+ for (const [key, value] of
Object.entries(svn_auth_content)) {
+ fs.appendFileSync(svn_auth_file, `K ${
key.length }\n${ key }\n`);
+ fs.appendFileSync(svn_auth_file, `V ${
value.length }\n${ value }\n`);
+ }
+ fs.appendFileSync(svn_auth_file, 'END\n');
- // Create the default config directory if it doesn't
exist
- const svn_config_dir = `${ os.homedir }/.subversion`;
- fs.mkdirSync(`${ svn_config_dir }`, { recursive: true
});
-
- // Write to/Overwrite the 'servers' file inside it
- const servers_file = `${ svn_config_dir }/servers`;
- const servers_content = `
-[global]
-store-plaintext-passwords = yes
-store-plaintext-creds = yes
-
-[groups]
-default = *
-
-[default]
-username = ${svn_username}
-password = ${svn_password}
-`;
- fs.writeFileSync(servers_file, servers_content.trim(),
{ mode: 0o600 });
-
- // if publishing is enabled, publishing to the apache
staging repository
- // with the provided credentials. We must diable
gigahorse since that fails
- // to publish on some systems
+ // configure SBT to publish to the apache staging
repository with the provided
+ // credentials. We must disable gigahorse since that
fails to publish on some
+ // systems
const nexus_username = core.getInput("nexus_username",
{ required: true });
const nexus_password = core.getInput("nexus_password",
{ required: true });
fs.appendFileSync(`${ sbt_dir }/build.sbt`, 'ThisBuild
/ updateOptions := updateOptions.value.withGigahorse(false)\n');
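Review bot: The new svn auth file holds the plaintext password but is created without a restrictive mode: `fs.writeFileSync(svn_auth_file, '')` drops the `{ mode: 0o600 }` that the removed `servers` write carried, so with a typical umask the file would be readable by other local users on the runner. I would create it with `fs.writeFileSync(svn_auth_file, '', { mode: 0o600 });` and the directory with `fs.mkdirSync(svn_auth_dir, { recursive: true, mode: 0o700 });`. Separately, `key.length` and `value.length` count UTF-16 code units, while the K/V headers in svn's hash file format are, as far as I know, byte counts, so a non-ASCII password would be written with a mismatched length; `Buffer.byteLength(value)` avoids that. The same lines appear in the bundled dist/main/index.js hunk and need the rebuilt output, and run()'s body continues outside this hunk.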