From f073e9d2be3615c3823ffecee9eb252f9282a525 Mon Sep 17 00:00:00 2001
From: jean_de_bot
Date: Wed, 10 Jun 2026 12:44:37 +0000
Subject: [PATCH 1/2] fix: sign Maven Central release artifacts
---
 .github/workflows/release.yml | 9 +++++++--
 build.gradle | 23 ++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 78920f7..1b31a12 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,11 @@ on:
 push:
 tags:
 - '*'
+ workflow_dispatch:
+ inputs:
+ version:
+ description: Version to publish, for example 4.0.0
+ required: true
 jobs:
 release:
 name: Release
@@ -32,11 +37,11 @@ jobs:
 } >> "$GITHUB_ENV"
 - name: Semantic Version
 id: version
+ if: github.event_name == 'push'
 uses: ncipollo/semantic-version-action@v1
 - name: Publish
 env:
 ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.CENTRAL_TOKEN_USERNAME || secrets.SONATYPE_USERNAME }}
 ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.CENTRAL_TOKEN_PASSWORD || secrets.SONATYPE_PASSWORD }}
- ORG_GRADLE_PROJECT_signingInMemoryKeyId: ${{ secrets.SIGNING_KEY_ID }}
 ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.SIGNING_PASSWORD }}
- run: ./gradlew gitPublishPush publishAndReleaseToMavenCentral -Pversion=${{ steps.version.outputs.tag }} -Prelease=true -Dorg.ajoberstar.grgit.auth.username=${{ secrets.GH_PAGES_TOKEN }} --stacktrace
+ run: ./gradlew gitPublishPush publishAndReleaseToMavenCentral -Pversion=${{ github.event_name == 'workflow_dispatch' && inputs.version || steps.version.outputs.tag }} -Prelease=true -Dorg.ajoberstar.grgit.auth.username=${{ secrets.GH_PAGES_TOKEN }} --stacktrace
diff --git a/build.gradle b/build.gradle
index f52bf4a..cccec1e 100644
--- a/build.gradle
+++ b/build.gradle
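Review bot: The `run:` line of the Publish step in the second release.yml hunk expands `${{ … inputs.version … }}` straight into the shell script, so the free-form `version` input added in the first hunk (and, on tag pushes, the tag-derived `steps.version.outputs.tag`) is parsed as shell text inside a step that holds the Maven Central and signing secrets. Passing the value through the environment keeps it as data: add `RELEASE_VERSION: ${{ github.event_name == 'workflow_dispatch' && inputs.version || steps.version.outputs.tag }}` under `env:` and use `-Pversion="$RELEASE_VERSION"` in the command. A format check on the value before Gradle runs would also reject unexpected version strings early. PATCH 2/2 removes the dispatch input but keeps the inline `${{ steps.version.outputs.tag }}` expansion, so the same change applies to its `run:` line; whether the action already restricts its `tag` output is not visible here.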
@@ -169,9 +169,30 @@ subprojects { subproject -> developerConnection = "scm:git:ssh://git@github.com/${slug}.git" } } + } + afterEvaluate { if (rootProject.config.release) { - signAllPublications() + apply plugin: 'signing' + + signing { + String signingKey = findProperty('signingInMemoryKey') + if (signingKey) { + useInMemoryPgpKeys( + signingKey, + (findProperty('signingInMemoryKeyPassword') ?: '') as String + ) + } + + sign publishing.publications + required = true + } + + tasks.withType(org.gradle.plugins.signing.Sign).configureEach { + required = true + signatory = signing.signatory + setOnlyIf { true } + } } } From 9b90128a0bb6d2d90390141273507773cd6f3203 Mon Sep 17 00:00:00 2001 From: jean_de_bot Date: Wed, 10 Jun 2026 12:52:22 +0000 Subject: [PATCH 2/2] fix: keep release workflow tag-only --- .github/workflows/release.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1b31a12..abee20a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,11 +4,6 @@ on: push: tags: - '*' - workflow_dispatch: - inputs: - version: - description: Version to publish, for example 4.0.0 - required: true jobs: release: name: Release 
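Review bot: In the `signing { … }` block of the build.gradle hunk, a release build with no `signingInMemoryKey` property skips `useInMemoryPgpKeys` without any message and leaves the choice of signatory to whatever default signing configuration Gradle finds on the machine, so the failure (or a signature from an unintended key) only surfaces when the sign tasks run. An explicit branch makes the release fail closed at configuration time: `else { throw new GradleException('signingInMemoryKey is required for release builds') }`. The workflow hunk in the same patch removes `ORG_GRADLE_PROJECT_signingInMemoryKeyId` and does not show where `ORG_GRADLE_PROJECT_signingInMemoryKey` is set; presumably the earlier step that appends to `$GITHUB_ENV` exports it, which is worth confirming. The enclosing `subprojects { … }` block starts and ends outside the hunk.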
@@ -37,11 +32,10 @@ jobs:
 } >> "$GITHUB_ENV"
 - name: Semantic Version
 id: version
- if: github.event_name == 'push'
 uses: ncipollo/semantic-version-action@v1
 - name: Publish
 env:
 ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.CENTRAL_TOKEN_USERNAME || secrets.SONATYPE_USERNAME }}
 ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.CENTRAL_TOKEN_PASSWORD || secrets.SONATYPE_PASSWORD }}
 ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.SIGNING_PASSWORD }}
- run: ./gradlew gitPublishPush publishAndReleaseToMavenCentral -Pversion=${{ github.event_name == 'workflow_dispatch' && inputs.version || steps.version.outputs.tag }} -Prelease=true -Dorg.ajoberstar.grgit.auth.username=${{ secrets.GH_PAGES_TOKEN }} --stacktrace
+ run: ./gradlew gitPublishPush publishAndReleaseToMavenCentral -Pversion=${{ steps.version.outputs.tag }} -Prelease=true -Dorg.ajoberstar.grgit.auth.username=${{ secrets.GH_PAGES_TOKEN }} --stacktrace
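Review bot: The restored `run:` line still places `${{ secrets.GH_PAGES_TOKEN }}` on the Gradle command line as `-Dorg.ajoberstar.grgit.auth.username=…`, where it becomes part of the process arguments and of anything that records JVM system properties, and `--stacktrace` increases what is written to the job log. Log masking only covers the exact secret string, so supplying the credential through the step's `env:` block is the safer layout; grgit documents the `GRGIT_USER` environment variable for this, e.g. `GRGIT_USER: ${{ secrets.GH_PAGES_TOKEN }}` under `env:` with the `-Dorg.ajoberstar.grgit.auth.username=…` argument dropped. A short comment above the step stating which secrets it consumes and that it publishes signed artifacts would help the next reviewer of this release path.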