Autosign of artifacts in CircleCI

zeromq · Sep 16, 2023 · 620db03 · 620db03
1 parent 86fa759
commit 620db03
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 15 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -155,6 +155,10 @@ jobs:
                     mv -n /tmp/ws/home/circleci/project/.??* /home/circleci/project/
             - run:
                 command: |
+                    if [ -n "$SECRING_GPG_ASC_BASE64" ] ; then
+                        echo "$SECRING_GPG_ASC_BASE64" | base64 --decode | gpg --batch --no-tty --import --yes
+                        GPGSIGN="-P gpgsign"
+                    fi
                     # If no symbolic name, it's a PR, will not publish results
                     # If not the official github, it's a fork, don't publish either
                     if [ -n "$(git symbolic-ref HEAD 2>/dev/null )"  -a "$CIRCLE_REPOSITORY_URL" == "git@github.com:zeromq/jeromq.git" ] ; then
@@ -163,7 +167,7 @@ jobs:
                         PUBLISH="install"
                     fi
                     echo "publishing jobs: $PUBLISH"
-                    mvn -B $PUBLISH -Pskip -Dmaven.test.skip=true -Dmaven.javadoc.skip=false -s .circleci/settings.xml
+                    mvn -B $PUBLISH -Pskip $GPGSIGN -Dmaven.test.skip=true -Dmaven.javadoc.skip=false -s .circleci/settings.xml
                 environment:
                     JAVA_HOME: /usr/local/openjdk-17
                     MAVEN_OPTS: "-Xmx2048m"

diff --git a/doc/development/public-keys.md b/doc/development/public-keys.md
@@ -132,3 +132,36 @@ PuMjF5XJV9daCDaTXlkDTDoGFcLwi7gFWx9+H5HMxCtQq+bX
 =evFC
 -----END PGP PUBLIC KEY BLOCK-----
 ```
+
+# Automated publication at CircleCI
+
+```
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGUFZeEBEACl/bYA+BvSw5YyqNJ+KDzJbx2DD4i/JXYyT2Z83bE8CYBhAegm
+Ygiql4ejYhb1opWPIDopVXZ3DOyMivvS68foQ6UA+4ohOydaqTAHPRnn/+5GZFFM
+kfuA7KLZhEYRP6wkEmRNm63q9TIg4b80nssXbWKHNAar9VWk3yIKgsRsSXf1o9bh
+IrbCPh74qyFd0aWDbLUdZd1YFPT67IQbdPkioLp5TzPAHLuOp3qZuQEOu7ouRI6S
+P7eW0nkSIDcGRG41mgeveTfduIM3HxayTAiKsooBfsEtzVIsczW9qFP2wJ3ZiZt5
+iMj6WFH7J+dQYXndZF4r7iFB4M/tSOVhKUmSLoJgdF39h4WolCuICGM3DlmshPHG
+rrTNcrACDSm1bYbG1UG45cBexNflyjGHyUua9eAqjrBmH7IUHiiLY8mTx9kTy8Ne
+DK8y9XEDxv2M80k8h5JPXT3fxhNkqb5swrXx5gtR+tmfwg35tulmfKPcNvubQgOO
+5eQ0ansIc6wGgRZ6rVemcL/LNNLrCP4tok+WpzzD41bw/deEMNuTxwsOX9vMy8UM
+9RtwxBWQMdgAvxaqQvZPCzxqIlVGcYFsxyIPMNbBwb9DjX0saQzQCASZcuiTDNGe
+2YmzG7UT1ka90clfFh8a3MDTE5YtgL9xw3lpS9Zsjsbd6r8jMiGFcgrfDwARAQAB
+tAZKZXJvTVGJAk4EEwEIADgWIQQiOUvDYhLtNpSu+Nz7LqA2nJJe4QUCZQVl4QIb
+AwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRD7LqA2nJJe4f1xD/42o8a9adQ7
+kGpU5+PlqXrGquo/Rb2sgvSa+snlDb+wPeyh/P5fPz2sl3crUcH1mMXGWoXhOega
+daaK0JVrdkJwCYODnMtmdLirChjrcUCsG2fjwJFDOCRGe19wyaf+vX2gRnSQMcaN
+86q5MMxh3RXzKwdQWoIVyMuf32G8ysOATLBY4cpuAAjAVm9TH3jnFf0Y2+6gDx8W
+uvFThnLcyOCRiHnKNCitrEbEox0XYyLQFg6YNl7H74KhhyB6W+bmIs/XUVnybh2I
+91psjCXEQo76vjEFqTz7aQFvfIvuWxY7Nj8PcKXcIBJEmmHzdJVfP5ptleraFT3n
+7vh4RJpjZzLtn/m1JdvwGQpuzHBZbwMSBxee+lrTlICBtbV97xIdaYK88ZMm4MPp
+sOEs5IK4YlWN4HViVKCwkknHbL9mGH0bom5cIxsALMll+Y83s3U8mCQu0L22Vznv
+q+Xz85ly093Xmrw56En4ZCsiXrxHwH10P3+w6BYZSf+n2vCfhisy9Rz7eehkz/FW
+RIeX8efcToS77+JXKjl2wCPIBrUMyh/45HaucyYMqr+SqGq8ZKlSqbweZy+JFM34
+ur4bky72JDdhJe/q3Xkkl6C1ipkoqPWzA0neUbFxRm0CBQ1oU6q1bmdJLjofWtMM
+5h0FJi1Lc66uQe2stHEPfr+wlocfLDKE0A==
+=bpzb
+-----END PGP PUBLIC KEY BLOCK-----
+```
diff --git a/doc/development/release.md b/doc/development/release.md
@@ -68,15 +68,13 @@ The Maven Release Plugin will take care of bumping version numbers and
 tagging the release build. It will also push those changes to your
 chosen SCM.
 
-To perform a release, issue the following command.
+When you commit this changes, CircleCI will pick them and publish in the stagging
+repositories at [OSS Sonatype](https://oss.sonatype.org), with a valid GPG signature.
+There is a list of known keys that have been used to sign tagged JeroMQ releases [here](public-keys.md).
 
-```
-$ mvn release:perform
-```
+To publish it to the Central Repository, one can follow the procedure at 
+[Publish my artifact](https://central.sonatype.org/publish/release/).
 
-This will upload the artifacts to OSS Sonatype and release to Maven Central in
-one go, and will require you to sign the build. There is a list of known keys
-that have been used to sign tagged JeroMQ releases [here](public-keys.md).
 
 # Making an Announcement on the ZeroMQ Mailing list when it has been successfully synced.
 

diff --git a/pom.xml b/pom.xml
@@ -450,13 +450,7 @@
    </profile>
     <profile>
       <!-- Used to sign a release -->
-      <id>release</id>
-      <activation>
-        <property>
-          <name>performRelease</name>
-          <value>true</value>
-        </property>
-      </activation>
+      <id>gpgsign</id>
       <build>
         <plugins>
           <plugin>