refactor: reuse publish workflow
tcheeric committed Aug 12, 2025
commit 827b18ac0c2fd4ffb70a3593766e5855c0a81b67
26 changes: 24 additions & 2 deletions .github/workflows/publish-github-packages.yml
@@ -1,6 +1,14 @@
name: Publish to GitHub Packages

on:
workflow_call:
secrets:
GITHUB_TOKEN:
required: true
GPG_PRIVATE_KEY:
required: false
GPG_PASSPHRASE:
required: false
push:
branches: [main]
paths:
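Review bot: `GITHUB_TOKEN` should not be declared under `workflow_call.secrets` (the `GITHUB_TOKEN:` / `required: true` pair at the top of this hunk); the caller's token is passed to a called workflow automatically, and the workflow parser rejects that name in a `workflow_call` secrets block as reserved, so this block breaks any caller. Keep only `GPG_PRIVATE_KEY` and `GPG_PASSPHRASE` here and drop the matching `GITHUB_TOKEN:` line from the callers.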
Expand All @@ -14,6 +22,9 @@ jobs:
permissions:
contents: read
packages: write
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
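Review bot: the job-level `env:` places the raw `GPG_PRIVATE_KEY` in the environment of every step in the job, including `actions/checkout@v4` and any other third-party action that follows, not just the import step that needs it. The job-level variable is presumably there so a step `if:` can test it (the `secrets` context is not available in step-level `if`), so keep only a presence flag at job level, e.g. `HAS_GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY != '' }}`, and move the key and passphrase into step-level `env:` on the import and deploy steps only.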
Expand All @@ -26,6 +37,17 @@ jobs:
server-id: github
server-username: ${{ github.actor }}
server-password: ${{ secrets.GITHUB_TOKEN }}
- name: Import GPG key
if: env.GPG_PRIVATE_KEY != ''
Copilot AI Aug 12, 2025

Using string comparison with an empty string is less robust than checking if the variable is defined. Consider using if: secrets.GPG_PRIVATE_KEY instead, which properly checks if the secret exists and has a value.

Suggested change
if: env.GPG_PRIVATE_KEY != ''
if: secrets.GPG_PRIVATE_KEY

run: |
echo "$GPG_PRIVATE_KEY" | gpg --batch --import
gpg --list-secret-keys --keyid-format LONG
- name: Publish modules
run: ./mvnw -B -q deploy -DskipTests -Dgpg.skip=true \
-DaltDeploymentRepository=github::default::https://maven.pkg.github.com/${{ github.repository }}
run: |
if [ -n "$GPG_PRIVATE_KEY" ]; then
./mvnw -q -P release deploy -Dgpg.passphrase="$GPG_PASSPHRASE" \
Copilot AI Aug 12, 2025

The GPG passphrase is passed as a command-line argument, which may be visible in process lists and logs. Consider using a more secure method like passing it through environment variables or using gpg-agent.

Suggested change
./mvnw -q -P release deploy -Dgpg.passphrase="$GPG_PASSPHRASE" \
# Use gpg-agent for signing, do not pass passphrase on command line
./mvnw -q -P release deploy \

-DaltDeploymentRepository=github::default::https://maven.pkg.github.com/${{ github.repository }}
else
./mvnw -B -q deploy -DskipTests -Dgpg.skip=true \
-DaltDeploymentRepository=github::default::https://maven.pkg.github.com/${{ github.repository }}
fi
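Review bot: the two branches of the new `run:` block differ in more than signing: the signing branch drops `-B` and `-DskipTests`, so a signed deploy runs the full test suite with non-batch output while the unsigned branch skips tests. If that is not intended, use one base command in both branches and vary only the profile and `-Dgpg.skip`. On the passphrase point raised above, `-Dgpg.passphrase="$GPG_PASSPHRASE"` exposes the passphrase to `ps` on the runner; since `GPG_PASSPHRASE` is already in the environment, exporting it as `MAVEN_GPG_PASSPHRASE` lets maven-gpg-plugin 3.2.0 or newer read it without putting it on the command line. The duplicated `-DaltDeploymentRepository=...` argument could also be hoisted into a shell variable.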
16 changes: 8 additions & 8 deletions .github/workflows/release.yml
Expand Up @@ -28,19 +28,11 @@ jobs:
run: |
echo "$GPG_PRIVATE_KEY" | gpg --batch --import
gpg --list-secret-keys --keyid-format LONG

- name: Build and deploy
env:
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
run: ./mvnw -q -P release deploy -Dgpg.passphrase="$GPG_PASSPHRASE"

- name: Deploy to GitHub Packages
env:
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
run: |
./mvnw -q -P release deploy -Dgpg.passphrase="$GPG_PASSPHRASE" \
-DaltDeploymentRepository=github::default::https://maven.pkg.github.com/tcheeric/nostr-java

- name: Collect JAR artifacts
run: |
mkdir -p release-jars
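Review bot: removing `Build and deploy` and `Deploy to GitHub Packages` leaves this job with no visible Maven build before `Collect JAR artifacts` populates `release-jars`; unless a step above the shown context runs a build, the upload loop at the end of this file will find no jars. Also, the removed `./mvnw -q -P release deploy -Dgpg.passphrase=...` step (with no `-DaltDeploymentRepository`) deployed to whatever the POM's `distributionManagement` points at, and nothing in this change replaces that deploy, only the GitHub Packages one; confirm the drop is intentional.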
Expand Down Expand Up @@ -75,3 +67,11 @@ jobs:
for file in release-jars/*.jar; do
gh release upload "${{ github.ref_name }}" "$file" --clobber
done

publish-packages:
needs: release
uses: ./.github/workflows/publish-github-packages.yml
secrets:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
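Review bot: `publish-packages` sets no `permissions:`, while the called workflow declares `packages: write`; a called workflow cannot exceed the permissions of the calling job, so if this workflow's defaults do not grant `packages: write` the deploy to `maven.pkg.github.com` will be denied. Add `permissions: contents: read, packages: write` on this job. The `secrets:` mapping could also be `secrets: inherit`, which avoids listing `GITHUB_TOKEN` (a reserved name that is passed automatically).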
12 changes: 11 additions & 1 deletion README.md
Expand Up @@ -45,7 +45,17 @@ Authenticating to GitHub Packages is required; provide a personal access token w

## Publishing Modules

This repository includes a [GitHub Actions workflow](.github/workflows/publish-github-packages.yml) that publishes all Maven modules to GitHub Packages. The workflow runs on pushes to `main` that modify `pom.xml` files and can also be triggered manually from the Actions tab.
This repository includes a [GitHub Actions workflow](.github/workflows/publish-github-packages.yml) that publishes all Maven modules to GitHub Packages. The workflow runs on pushes to `main` that modify `pom.xml` files and can also be triggered manually from the Actions tab. It is also exposed as a reusable workflow and can be invoked from other workflows, such as the release pipeline:

```yaml
jobs:
publish-packages:
uses: ./.github/workflows/publish-github-packages.yml
secrets:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
```

## Examples
Example usages are located in the [`nostr-java-examples`](./nostr-java-examples) module. Additional demonstrations can be found in [nostr-client](https://github.com/tcheeric/nostr-client) and [SuperConductor](https://github.com/avlo/superconductor).
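Review bot: the README snippet repeats the `GITHUB_TOKEN:` entry under `secrets:`, which is passed to a called workflow automatically and is a reserved name in `workflow_call` declarations; drop it here too so readers do not copy it into their own pipelines. The snippet would also be more useful with the `permissions:` the called workflow needs (`contents: read`, `packages: write`) and a `needs:` line showing where it sits in a release pipeline, as in `release.yml`.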