.

com-lihaoyi · Sep 12, 2024 · 2de5e7d · 2de5e7d
1 parent 5518480
commit 2de5e7d
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 39 deletions.
diff --git a/.github/workflows/publish-artifacts.yml b/.github/workflows/publish-artifacts.yml
@@ -31,10 +31,10 @@ jobs:
     concurrency: publish-sonatype-${{ github.sha }}
 
     env:
-      SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
-      SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
-      SONATYPE_PGP_SECRET: ${{ secrets.SONATYPE_PGP_SECRET }}
-      SONATYPE_PGP_PASSWORD: ${{ secrets.SONATYPE_PGP_PASSWORD }}
+      MILL_SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+      MILL_SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+      MILL_PGP_SECRET_BASE64: ${{ secrets.SONATYPE_PGP_SECRET }}
+      MILL_PGP_PASSWORD: ${{ secrets.SONATYPE_PGP_PASSWORD }}
       LANG: "en_US.UTF-8"
       LC_MESSAGES: "en_US.UTF-8"
       LC_ALL: "en_US.UTF-8"

diff --git a/ci/release-maven.sh b/ci/release-maven.sh
@@ -2,18 +2,6 @@
 
 set -eu
 
-echo $SONATYPE_PGP_SECRET | base64 --decode > gpg_key
+./mill -i installLocal
 
-gpg --import  --no-tty --batch --yes gpg_key
-
-rm gpg_key
-
-# Build all artifacts
-./mill -i __.publishArtifacts
-
-# Publish all artifacts
-./mill -i \
-    mill.scalalib.PublishModule/publishAll \
-    --gpgArgs --passphrase=$SONATYPE_PGP_PASSWORD,--no-tty,--pinentry-mode,loopback,--batch,--yes,-a,-b \
-    --publishArtifacts __.publishArtifacts \
-    --release true
+./target/mill-release -i mill.scalalib.PublishModule/publishAll
diff --git a/contrib/sonatypecentral/src/mill/contrib/sonatypecentral/SonatypeCentralPublishModule.scala b/contrib/sonatypecentral/src/mill/contrib/sonatypecentral/SonatypeCentralPublishModule.scala
@@ -13,7 +13,7 @@ import mill.contrib.sonatypecentral.SonatypeCentralPublishModule.{
   getPublishingTypeFromReleaseFlag,
   getSonatypeCredentials
 }
-import mill.scalalib.PublishModule.{defaultGpgArgs, getFinalGpgArgs}
+import mill.scalalib.PublishModule.defaultGpgArgs
 import mill.scalalib.publish.Artifact
 import mill.scalalib.publish.SonatypeHelpers.{
   PASSWORD_ENV_VARIABLE_NAME,
@@ -40,10 +40,13 @@ trait SonatypeCentralPublishModule extends PublishModule {
       val fileMapping = publishData.withConcretePath._1
       val artifact = publishData.meta
       val finalCredentials = getSonatypeCredentials(username, password)()
-
+      PublishModule.pgpImportSecretIfProvided(T.env)
       val publisher = new SonatypeCentralPublisher(
         credentials = finalCredentials,
-        gpgArgs = getFinalGpgArgs(sonatypeCentralGpgArgs()),
+        gpgArgs = sonatypeCentralGpgArgs() match {
+          case "" => PublishModule.defaultGpgArgsForPassphrase(T.env.get("PGP_PASSPHRASE"))
+          case gpgArgs => gpgArgs.split(",").toIndexedSeq
+        },
         connectTimeout = sonatypeCentralConnectTimeout(),
         readTimeout = sonatypeCentralReadTimeout(),
         log = T.log,
@@ -86,10 +89,13 @@ object SonatypeCentralPublishModule extends ExternalModule {
 
     val finalBundleName = if (bundleName.isEmpty) None else Some(bundleName)
     val finalCredentials = getSonatypeCredentials(username, password)()
-
+    PublishModule.pgpImportSecretIfProvided(T.env)
     val publisher = new SonatypeCentralPublisher(
       credentials = finalCredentials,
-      gpgArgs = getFinalGpgArgs(gpgArgs),
+      gpgArgs = gpgArgs match {
+        case "" => PublishModule.defaultGpgArgsForPassphrase(T.env.get("PGP_PASSPHRASE"))
+        case gpgArgs => gpgArgs.split(",").toIndexedSeq
+      },
       connectTimeout = connectTimeout,
       readTimeout = readTimeout,
       log = T.log,

diff --git a/scalalib/src/mill/scalalib/PublishModule.scala b/scalalib/src/mill/scalalib/PublishModule.scala
@@ -221,7 +221,7 @@ trait PublishModule extends JavaModule { outer =>
 
   /**
    * Publish all given artifacts to Sonatype.
-   * Uses environment variables SONATYPE_USERNAME and SONATYPE_PASSWORD as
+   * Uses environment variables MILL_SONATYPE_USERNAME and MILL_SONATYPE_PASSWORD as
    * credentials.
    *
    * @param sonatypeCreds Sonatype credentials in format username:password.
@@ -248,12 +248,14 @@ trait PublishModule extends JavaModule { outer =>
       stagingRelease: Boolean = true
   ): define.Command[Unit] = T.command {
     val PublishModule.PublishData(artifactInfo, artifacts) = publishArtifacts()
+    PublishModule.pgpImportSecretIfProvided(T.env)
     new SonatypePublisher(
       sonatypeUri,
       sonatypeSnapshotUri,
       checkSonatypeCreds(sonatypeCreds)(),
       signed,
-      if (gpgArgs.isEmpty) PublishModule.defaultGpgArgs else gpgArgs,
+      if (gpgArgs.isEmpty) PublishModule.defaultGpgArgsForPassphrase(T.env.get("PGP_PASSPHRASE"))
+      else gpgArgs,
       readTimeout,
       connectTimeout,
       T.log,
@@ -279,7 +281,28 @@ trait PublishModule extends JavaModule { outer =>
 }
 
 object PublishModule extends ExternalModule {
-  val defaultGpgArgs: Seq[String] = Seq("--batch", "--yes", "-a", "-b")
+  val defaultGpgArgs: Seq[String] = defaultGpgArgsForPassphrase(None)
+  def pgpImportSecretIfProvided(env: Map[String, String]): Unit = {
+    for (secret <- env.get("MILL_PGP_SECRET_BASE64")) {
+      os.call(
+        ("gpg", "--import", "--no-tty", "--batch", "--yes"),
+        stdin = java.util.Base64.getDecoder.decode(secret)
+      )
+    }
+  }
+
+  def defaultGpgArgsForPassphrase(passphrase: Option[String]): Seq[String] = {
+    passphrase.map("--passphrase=" + _).toSeq ++
+      Seq(
+        "--no-tty",
+        "--pinentry-mode",
+        "loopback",
+        "--batch",
+        "--yes",
+        "-a",
+        "-b"
+      )
+  }
 
   case class PublishData(meta: Artifact, payload: Seq[(PathRef, String)]) {
 
@@ -313,7 +336,7 @@ object PublishModule extends ExternalModule {
           .getOrElse(sys.error("Unable to resolve __.publishArtifacts")),
       sonatypeCreds: String = "",
       signed: Boolean = true,
-      gpgArgs: String = defaultGpgArgs.mkString(","),
+      gpgArgs: String = "",
       release: Boolean = true,
       sonatypeUri: String = "https://oss.sonatype.org/service/local",
       sonatypeSnapshotUri: String = "https://oss.sonatype.org/content/repositories/snapshots",
@@ -325,12 +348,16 @@ object PublishModule extends ExternalModule {
     val x: Seq[(Seq[(os.Path, String)], Artifact)] = T.sequence(publishArtifacts.value)().map {
       case PublishModule.PublishData(a, s) => (s.map { case (p, f) => (p.path, f) }, a)
     }
+
+    pgpImportSecretIfProvided(T.env)
+
     new SonatypePublisher(
       sonatypeUri,
       sonatypeSnapshotUri,
       checkSonatypeCreds(sonatypeCreds)(),
       signed,
-      getFinalGpgArgs(gpgArgs),
+      if (gpgArgs.isEmpty) defaultGpgArgsForPassphrase(T.env.get("MILL_PGP_PASSPHRASE"))
+      else gpgArgs.split(','),
       readTimeout,
       connectTimeout,
       T.log,
@@ -344,15 +371,6 @@ object PublishModule extends ExternalModule {
     )
   }
 
-  private[mill] def getFinalGpgArgs(initialGpgArgs: String): Seq[String] = {
-    val argsAsString = if (initialGpgArgs.isEmpty) {
-      defaultGpgArgs.mkString(",")
-    } else {
-      initialGpgArgs
-    }
-    argsAsString.split(",").toIndexedSeq
-  }
-
   private def getSonatypeCredsFromEnv: Task[(String, String)] = T.task {
     (for {
       username <- T.env.get(USERNAME_ENV_VARIABLE_NAME)

diff --git a/scalalib/src/mill/scalalib/publish/SonatypeHelpers.scala b/scalalib/src/mill/scalalib/publish/SonatypeHelpers.scala
@@ -8,8 +8,8 @@ import java.security.MessageDigest
 object SonatypeHelpers {
   // http://central.sonatype.org/pages/working-with-pgp-signatures.html#signing-a-file
 
-  val USERNAME_ENV_VARIABLE_NAME = "SONATYPE_USERNAME"
-  val PASSWORD_ENV_VARIABLE_NAME = "SONATYPE_PASSWORD"
+  val USERNAME_ENV_VARIABLE_NAME = "MILL_SONATYPE_USERNAME"
+  val PASSWORD_ENV_VARIABLE_NAME = "MILL_SONATYPE_PASSWORD"
 
   private[mill] def getArtifactMappings(
       isSigned: Boolean,