Sign created artifacts, document updated processes (#448)

niloc132 · web-flow · commit b20f75aaa538 · 2023-02-21T08:22:07.000-06:00
Updates CI to sign all artifacts produced on main or release branches, using a self-signed certificate. These env vars should be flexible enough for a fork that provides its own signing key to be able to sign their own builds in the same way. Also includes documentation updates reflecting new update site and nightly builds. Fixes #446
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -15,7 +15,31 @@ jobs:
           java-version: '17'
           distribution: 'adopt'
 
-      - name: Build with Maven
+      - name: If present (and if on a branch that should be released), write the keystore to a file, and note it exists for the next step
+        #if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')
+        id: keystore
+        env:
+          SIGN_KEYSTORE_CONTENTS: ${{ secrets.SIGN_KEYSTORE_CONTENTS }}
+        run: |
+          if [ "$SIGN_KEYSTORE_CONTENTS" != '' ]; then
+            echo "available=true" >> $GITHUB_OUTPUT
+            echo "$SIGN_KEYSTORE_CONTENTS" | base64 --decode > ${HOME}/key
+          else
+            echo "available=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Build with maven (sign artifacts)
+        if: ${{ steps.keystore.outputs.available == 'true' }}
+        env:
+          SIGN_STOREPASS: ${{ secrets.SIGN_STOREPASS }}
+          SIGN_ALIAS: ${{ secrets.SIGN_ALIAS }}
+          SIGN_KEYPASS: ${{ secrets.SIGN_KEYPASS }}
+          SIGN_STORETYPE: ${{ secrets.SIGN_STORETYPE }}
+          SIGN_TSA: http://timestamp.digicert.com/
+        run: SIGN_KEYSTORE=${HOME}/key mvn --batch-mode --update-snapshots package
+
+      - name: Build with maven (no signing)
+        if: ${{ steps.keystore.outputs.available != 'true' }}
         run: mvn --batch-mode --update-snapshots package
 
       - uses: actions/upload-artifact@v3
diff --git a/README.md b/README.md
@@ -12,11 +12,6 @@ The Google Cloud Tools team has put a significant amount of effort in helping br
 
 * [Google Cloud Tools](https://cloud.google.com/)
 
-### Sencha
-Sencha provides man power to help update the plugin and the build server which automates the build. 
-
-  [![Sencha GXT](http://cdn.sencha.com/img/gwt-eclipse-plugin-banner.png)](https://www.sencha.com/products/gxt/)
-
 ## Not Included
 * This plugin does not include the [Google Cloud Tools Eclipse](https://github.com/GoogleCloudPlatform/google-cloud-eclipse) features.
 
@@ -52,15 +47,29 @@ Install from the Eclipse marketplace.
 
 
 ## Repository
-Download the repo in a zip file. 
+The Eclipse repositories for this plugin.
+
+### Production
+Release update site.
+
+* [Eclipse Marketplace entry for the GWT Plugin](https://marketplace.eclipse.org/content/gwt-plugin)
+* [Update sites for the GWT Plugin](https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin/)
 
-* [https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/download/v4.0.0/repository.zip](https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/download/v4.0.0/repository.zip)
+### Production Zip
+Download the repo in a zip file from the latest release at the
+[releases page](https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/). The current release is
+[4.0.0](https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/download/v4.0.0/repository.zip)
 
+### Staging
+The staging repository is also at plugins.gwtproject.org, under the `nightly` version. At this time,
+these are signed with a self-signed certificate.
 
-## Development 
+* Nightly update site: https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin/nightly
+
+## Development
 
 ### Importing
-Simply use Maven to import all the plugins and modules. 
+Simply use Maven to import all the plugins and modules.
 
 * Use Eclipse Import and choose import with Existing Maven projects. Don't forget to select recursive import.  
 * Select all the projects and import them. This will create the .project, .classpath and .settings files. If some exist, they will be overwritten.  
@@ -73,16 +82,27 @@ The target defintion build is based off of the Google Cloud Tools. Follow their
 * Note: The targets will have to be updated by setting the targets. This will regenerate the Eclipse target files.  
 
 ### Build
-Sencha has provided an internal build agent to build. 
-[Sencha Eclipse Build](https://teamcity.sencha.com/viewType.html?buildTypeId=Gxt3_Gwt_GwtEclipsePlugin)
-
-* `mvn clean install`
+To build, Apache Maven and Java 17 are required. Invoke `mvn verify` to build and test. The resulting
+update site can be found in `repo/target/repository` for local deployment and testing.
+
+### Release
+Creating a release requires signing artifacts. Set the following environment variables before running
+`mvn verify`:
+ * `SIGN_KEYSTORE` - Path to a pkcs12 keystore that contains a key to use to sign this release
+ * `SIGN_STOREPASS` - Passphrase for the keystore
+ * `SIGN_ALIAS` - Alias of the key to use to sign the release
+ * `SIGN_KEYPASS` - Passphrase for the key
+ * `SIGN_TSA` - URL of a Time stamp authority to use to sign this release
+ 
+ At this time, releases are performed manually. The releases deployed to the marketplace will be signed
+ with the certificate for `plugins.gwtproject.org`.
 
 ### Deploy
-Google storage write permissions are needed to deploy. 
-
-* `sh ./build-deploy-release.sh` - deploy production version
-* `sh ./build-deploy-snapshot.sh` - deploy snapshot version
+Releases are uploaded as zips to the [release](https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/)
+part of the Github project page, and also deployed at
+https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin as Eclipse update sites. Releases will be
+added to the [GWT-Plugin](https://marketplace.eclipse.org/content/gwt-plugin) page on the Eclipse
+Marketplace.
 
 ### Testing
 There are a couple of archetypes that are used to test. 
diff --git a/pom.xml b/pom.xml
@@ -294,7 +294,41 @@
         <module>eclipse/ide-target-platform</module>
       </modules>
     </profile>
-
+    <profile>
+      <!-- We only sign the jars when the keystore has been provided in the environment -->
+      <id>sign-jars</id>
+      <activation>
+        <file>
+          <exists>${env.SIGN_KEYSTORE}</exists>
+        </file>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-jarsigner-plugin</artifactId>
+            <version>3.0.0</version>
+            <configuration>
+              <keystore>${env.SIGN_KEYSTORE}</keystore>
+              <storepass>${env.SIGN_STOREPASS}</storepass>
+              <alias>${env.SIGN_ALIAS}</alias>
+              <keypass>${env.SIGN_KEYPASS}</keypass>
+              <storetype>${env.SIGN_STORETYPE}</storetype>
+              <tsa>${env.SIGN_TSA}</tsa>
+              <verbose>true</verbose>
+            </configuration>
+            <executions>
+              <execution>
+                <id>sign</id>
+                <goals>
+                  <goal>sign</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
     <profile>
       <id>teamcity</id>
       <properties>
