Skip to content

Commit

Permalink
Merge pull request #23 from guardian/use-sonatype-token-rather-than-u…
Browse files Browse the repository at this point in the history
…sername-password-auth

Explicitly switch to Sonatype token authentication
  • Loading branch information
rtyley authored Jun 20, 2024
2 parents cccaa32 + 23a148a commit 59122ef
Show file tree
Hide file tree
Showing 3 changed files with 26 additions and 14 deletions.
14 changes: 5 additions & 9 deletions .github/workflows/reusable-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,14 +20,9 @@ on:
default: 'oss.sonatype.org' # The default host is going to be whatever "com.gu" is using
required: false # ...but if you're not the Guardian, you'll want to set this explicitly
type: string
SONATYPE_USERNAME:
description: 'Sonatype username'
default: 'guardian.automated.maven.release' # Only for use by the Guardian!
required: false # Must be supplied if used by a non-Guardian project
type: string
secrets:
SONATYPE_PASSWORD:
description: 'Password for the SONATYPE_USERNAME account - used to authenticate when uploading artifacts'
SONATYPE_TOKEN:
description: 'Sonatype authentication token, colon-separated (username:password) - https://central.sonatype.org/publish/generate-token/'
required: true
PGP_PRIVATE_KEY:
description:
Expand Down Expand Up @@ -416,9 +411,10 @@ jobs:
cache: sbt # the issue described in https://github.com/actions/setup-java/pull/564 doesn't affect this step (no version.sbt)
- name: Release
env:
SONATYPE_USERNAME: ${{ inputs.SONATYPE_USERNAME }}
SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
run: |
export SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}" # See https://github.com/xerial/sbt-sonatype/pull/62
export SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"
sbt "sonatypeBundleRelease"
github-release:
Expand Down
24 changes: 20 additions & 4 deletions docs/credentials/generating-credentials.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,25 @@
Normally you'll be using [shared organisation-wide credentials](supplying-credentials.md),
but if you need to rotate those credentials, or just create some new ones for your organisation:

## Updating a Sonatype OSSRH user's password

See [Sonatype's instructions](https://central.sonatype.org/faq/ossrh-password/).
## Updating a Sonatype OSSRH Token username & password

As of [January 2024](https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests),
Sonatype is actively discouraging the legacy username & password method of authentication, recommending
[token authentication](https://central.sonatype.org/publish/generate-token/)
(see link for token-regenerating instructions).

Note these points:

* The token is in a colon:separated username/password format, and _both_ username & password are randomised & revocable
secret strings.
* Tokens generated on either https://oss.sonatype.org/ or https://s01.oss.sonatype.org/ will be _different_, and
**a token generated on one will not work on the other**. So, eg, if your `SONATYPE_CREDENTIAL_HOST` is `s01.oss.sonatype.org`,
you'll need to use a token _generated_ on `s01.oss.sonatype.org`. Remember that the `SONATYPE_CREDENTIAL_HOST` you
use is [dictated](https://github.com/xerial/sbt-sonatype/pull/461) by which Sonatype OSSRH server your **profile**
is hosted on.
**Guardian developers:** currently the Guardian's `com.gu` profile is hosted on `oss.sonatype.org`, so the token we
use must be generated [there](https://oss.sonatype.org/), logged in with the `guardian.automated.maven.release`
account.

## Generating a new PGP key

Expand All @@ -26,4 +42,4 @@ See [GitHub's instructions](https://docs.github.com/en/apps/creating-github-apps
release workflow, see [Setting up the GitHub App](github-app.md) first.

**Guardian developers:** Here's a direct link to our GitHub App settings page, where you can generate a new private key:
https://github.com/organizations/guardian/settings/apps/gu-scala-library-release
https://github.com/organizations/guardian/settings/apps/gu-scala-library-release
2 changes: 1 addition & 1 deletion docs/credentials/supplying-credentials.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ has _access_ to those secrets.
to grant repos access to the necessary Organisation secrets - you need to raise a PR (like [this example PR](https://github.com/guardian/github-secret-access/pull/24))
which will grant access to these:

* `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD`
* `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN`
* `AUTOMATED_MAVEN_RELEASE_PGP_SECRET`
* `AUTOMATED_MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY`

Expand Down

0 comments on commit 59122ef

Please sign in to comment.