Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
How to Sign and Release to The Central Repository with GitHub Actions

How to Sign and Release to The Central Repository with GitHub Actions

GitHub allows automated builds using GitHub Actions. A commonly asked question is how to release artifacts (packaged Java jars) built by Maven and Gradle to The Central Repository. The GitHub Actions documentation provides only part of the answer.

So, first, configure your Maven project for staging artifacts to The Central Repository, by reading through Configuring Your Project for Deployment and following those steps. Please make sure that the maven-gpg-plugin is configured to prevent gpg from using PIN entry programs, as follows:

<configuration>
  <gpgArguments>
      <arg>--pinentry-mode</arg>
      <arg>loopback</arg>
  </gpgArguments>
</configuration>

At this point, you should be able to manually stage your artifacts to The Central Repository.

Next, set up a basic GitHub Actions workflow to build your project. Take a look at Publishing Java packages with Maven, and complete all the steps there.

At this point, you will find that you are missing one step - being able to sign your Maven-built jar files within your GitHub Actions workflow. You can follow the steps below to sign artifacts in GitHub actions. The trick involves loading in your private key into GitHub Actions using the gpg command-line commands.

  1. Export your gpg private key from the system that you have created it.
    1. Find your key-id (using gpg --list-secret-keys --keyid-format=long)
    2. Export the gpg secret key to an ASCII file using gpg --export-secret-keys -a <key-id> > secret.txt
    3. Edit secret.txt using a plain text editor, and replace all newlines with a literal "\n" until everything is on a single line
  2. Set up GitHub Actions secrets
    1. Create a secret called OSSRH_GPG_SECRET_KEY using the text from your edited secret.txt file (the whole text should be in a single line)
    2. Create a secret called OSSRH_GPG_SECRET_KEY_PASSWORD containing the password for your gpg secret key
  3. Create a GitHub Actions step to install the gpg secret key
    1. Add an action similar to:
      - id: install-secret-key
        name: Install gpg secret key
        run: |
          cat <(echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}") | gpg --batch --import
          gpg --list-secret-keys --keyid-format LONG
    2. Verify that the secret key is shown in the GitHub Actions logs
    3. You can remove the output from list secret keys if you are confident that this action will work, but it is better to leave it in there
  4. Bring it all together, and create a GitHub Actions step to publish
    1. Add an action similar to:
      - id: publish-to-central
        name: Publish to Central Repository
        env:
          MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
          MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
        run: |
          mvn \
            --no-transfer-progress \
            --batch-mode \
            -Dgpg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} \
            clean deploy
    2. After a couple of hours, verify that the artifact got published to The Central Repository
@keith-miller
Copy link

keith-miller commented Aug 28, 2021

Thank you for this!

@tryptichon
Copy link

tryptichon commented Sep 22, 2021

Stuff like this saves other people a lot of fiddling around for hours. So a heartfelt "Thanks" from me as well. :D

@poikilotherm
Copy link

poikilotherm commented Sep 24, 2021

Instead of manual text editing, you may either pipe the output of the command or the file content through ... | tr '\n' ',' | sed -e 's#,#\\n#g' to achieve the same.

@micheljung
Copy link

micheljung commented Oct 19, 2021

Thanks! Fyi replacing newlines is not required.

Any idea why I get:

Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:3.0.1:sign (sign-artifacts) on project ***: Unable to decrypt gpg passphrase: org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: java.io.FileNotFoundException: /home/runner/.m2/settings-security.xml (No such file or directory)

I read actions/setup-java#91 but --pinentry-mode was already configured, and with 3.0.1 it's obsolete anyway.

Update:

My environment variables were misconfigured. A working example can be found here: https://github.com/microsoft/playwright-java/blob/29c0df6443666d9534121428255a5e9a4d7143a4/.github/workflows/publish.yml

@ThePrez
Copy link

ThePrez commented Nov 23, 2021

Echoing others. Thank you for this!!! I struggled to get this working yesterday, but it seems to be working on the first try after following your guide.

I did get stuck at the "find your key-id" step as I am new to GPG and hadn't done any key creation. This link helped fill that gap: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key

@sualeh
Copy link
Author

sualeh commented Nov 23, 2021

Thanks, @ThePrez - I updated the text above, and a little more detail on the "find your key-id" step as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment