Hello Apache Security Team,

We are currently trying to automate the release process of Apache Baremaps (incubating) [1]. As highlighted in the documentation, it seems possible to get GitHub secrets to sign artifacts [2]. Other projects are also using a Nexus username and password to publish Maven snapshots and releases [3, 4].

To do so, we drafted two release workflows on GitHub Actions.

- The first one [5] publishes a pre-release on GitHub. The source and binary artifacts are signed and hashed. This workflow currently works with a test key set as a secret in our CI.
- The second one [6] tries to publish snapshot artifacts on Nexus. Later on, the intent is also to automate the publication of release artifacts. This workflow currently fails with a 401 Unauthorized error.

The INFRA Team asked for a review of the workflow by the security team before setting the following secrets in the CI:

- NEXUS_USERNAME
- NEXUS_PASSWORD
- GPG_KEY_ID
- GPG_PASSPHRASE
- GPG_PRIVATE_KEY

Thanks a lot for your help,

Bertil Chapuis

[1] https://github.com/apache/incubator-baremaps/issues/752
[2] https://infra.apache.org/release-signing.html#automated-release-signing
[3] https://github.com/apache/drill/blob/26f4d30dbefcc09a7dfe05576d3f9c7b45d822a0/.github/workflows/publish-snapshot.yml#L42
[4] https://infra.apache.org/publishing-maven-artifacts.html
[5] https://github.com/apache/incubator-baremaps/blob/293da521086c402ce78be931a8e90ecb50e58e7e/.github/workflows/release.yml
[6] https://github.com/apache/incubator-baremaps/blob/293da521086c402ce78be931a8e90ecb50e58e7e/.github/workflows/publish.yml
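For readers following the thread, the sketch below is an added illustration of how the five secrets named above are typically wired into a GitHub Actions job so that the credentials reach Maven and GPG only through environment variables and never through the command line, the log, or a checked-in file. It is not the Baremaps project's workflow [5]/[6] and has not been taken from it; the archive path target/example-src.tar.gz, the job layout, and the server id apache.snapshots.https (the id the Apache parent POM uses for snapshot deployment; check it against the project's own distributionManagement) are assumptions for the example. The actions/setup-java inputs server-username, server-password and gpg-passphrase take the names of environment variables, not the values, which is what keeps the secrets out of the generated settings.xml.

```yaml
name: Publish snapshot (added example, not the project's workflow)

on:
  push:
    branches: [main]

# Least privilege: deploying to Nexus needs nothing beyond reading the repo.
# A job that creates a GitHub release would need "contents: write" instead.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # setup-java writes ~/.m2/settings.xml with a <server> entry whose
      # username/password/passphrase are placeholders resolved from the
      # named environment variables at build time, and imports the GPG key.
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
          server-id: apache.snapshots.https   # assumed; must match the POM's distributionManagement
          server-username: NEXUS_USERNAME     # env var NAME, not the value
          server-password: NEXUS_PASSWORD     # env var NAME, not the value
          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
          gpg-passphrase: GPG_PASSPHRASE      # env var NAME, not the value

      - name: Sign and hash the source archive
        env:
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          # Hypothetical artifact path; the real build produces its own.
          ARTIFACT=target/example-src.tar.gz
          # Non-interactive signing: the passphrase arrives on stdin (fd 0),
          # so it appears neither in "ps" output nor in the step log.
          gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
              --local-user "$GPG_KEY_ID" --armor --detach-sign \
              "$ARTIFACT" <<<"$GPG_PASSPHRASE"
          sha512sum "$ARTIFACT" > "$ARTIFACT.sha512"
          # Verify what was just produced before anything is published.
          gpg --verify "$ARTIFACT.asc" "$ARTIFACT"
          sha512sum --check "$ARTIFACT.sha512"

      - name: Deploy snapshot to Nexus
        env:
          # Only this step sees the credentials; a missing or empty value
          # here is the usual cause of a 401 from the repository manager.
          NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
          NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: mvn --batch-mode --no-transfer-progress deploy -DskipTests
```

Two review points this layout makes easy to check: the job's permissions block grants no write access to the repository, and each secret is scoped to the single step that needs it rather than being exported at the job or workflow level.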