Build #21231
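# Build: CI build for a Maven project, with GPG artifact signing only when the
# run has access to repository secrets.
#
# Trust model:
#   - push / schedule / workflow_dispatch: secrets available -> sign.
#   - pull_request from a branch of this repository: secrets available -> sign.
#   - pull_request from a fork: GitHub injects no secrets -> build unsigned.
# The `if:` guards below are what keeps the GPG key out of fork builds. Do not
# swap `pull_request` for `pull_request_target` here: that would run fork code
# with secrets in scope.
name: Build

on:
  workflow_dispatch: {}
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    - cron: "30 * * * *"

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege: nothing in this job writes to the repository, so the
    # job token is read-only.
    permissions:
      contents: read
    steps:
      - name: Checkout
        # TODO(review): pin third-party actions to a full commit SHA rather than
        # a mutable tag (`actions/checkout@<sha>  # v5`) so a rewritten upstream
        # tag cannot change what runs here with the signing key in the keyring.
        uses: actions/checkout@v5
        with:
          # No later step pushes or fetches with credentials, so don't leave the
          # token in .git/config where any build plugin could read it.
          persist-credentials: false

      # Always set up Java + Maven cache (runs in every context, incl. fork PRs).
      - name: Set up Java (baseline)
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: '17'
          cache: maven

      # Import the GPG signing key only in trusted contexts (not forked PRs).
      # Don't reference the `secrets` context in this `if:` -- it is not a
      # valid/trustworthy signal there; the head-repo check is.
      - name: Import GPG (trusted contexts only)
        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: '17'
          cache: maven
          gpg-private-key: ${{ secrets.OSSRH_GPG_SECRET_KEY }}
          # Per setup-java's documented input contract, `gpg-passphrase` is the
          # NAME of the environment variable holding the passphrase (it is
          # written into ~/.m2/settings.xml as ${env.<name>}), not the passphrase
          # itself. Passing the secret value here would copy it into
          # settings.xml on disk. The build step below exports this variable.
          gpg-passphrase: MAVEN_GPG_PASSPHRASE

      - name: Configure pinentry & show key (trusted only)
        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
        run: |
          mkdir -p ~/.gnupg && chmod 700 ~/.gnupg
          # Let gpg accept the passphrase non-interactively from the Maven plugin.
          echo 'allow-loopback-pinentry' >> ~/.gnupg/gpg-agent.conf || true
          gpgconf --kill gpg-agent || true
          # Prints key IDs / UIDs only (never key material), but note that this
          # lands in the job log, which is public on a public repository.
          echo "=== Secret keys in CI keyring (if any) ==="
          gpg --batch --list-secret-keys --keyid-format LONG || true

      # Decide whether a signing-capable key is present. Runs in every context;
      # in a fork PR the keyring is empty and sign=false. The capability filter
      # ('s' in the capabilities column of sec/ssb records) is the same one the
      # build step signs with, so sign=true is never reported for a keyring that
      # holds only non-signing keys (which previously yielded an empty keyname).
      - name: Decide whether we can sign
        id: signable
        shell: bash
        run: |
          # `|| true` keeps a missing/failing gpg from aborting under the
          # default `-e -o pipefail` shell options.
          KEYID=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null \
            | awk -F: '($1=="sec" || $1=="ssb") && $12 ~ /s/ {print $5; exit}' || true)
          if [ -n "$KEYID" ]; then
            echo "sign=true" >> "$GITHUB_OUTPUT"
            echo "keyid=$KEYID" >> "$GITHUB_OUTPUT"
          else
            echo "sign=false" >> "$GITHUB_OUTPUT"
            echo "keyid=" >> "$GITHUB_OUTPUT"
          fi

      - name: Build & Verify (sign if possible, otherwise skip)
        env:
          # Passphrase only exists in trusted contexts where secrets are
          # injected; elsewhere it is empty and -Dgpg.skip=true leaves it unused.
          MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
          # Step outputs are passed through env rather than interpolated with
          # `${{ }}` into the script body, so they are never parsed as shell.
          SIGN: ${{ steps.signable.outputs.sign }}
          KEYID: ${{ steps.signable.outputs.keyid }}
        shell: bash
        run: |
          # NOTE(review): --update-snapshots re-resolves SNAPSHOT dependencies
          # from the remote on every run, so the input to a signed build is not
          # fully reproducible -- confirm this is intended.
          if [ "$SIGN" = "true" ]; then
            echo "Signing with key: $KEYID"
            mvn --no-transfer-progress -B --update-snapshots \
              -Dgpg.keyname="$KEYID" \
              clean verify
          else
            echo "No signing key available in this context; skipping GPG signing."
            mvn --no-transfer-progress -B --update-snapshots \
              -Dgpg.skip=true \
              clean verify
          fi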