GitHub allows automated builds using GitHub Actions. A commonly asked question is how to release artifacts (packaged Java jars) built by Maven and Gradle to The Central Repository. The GitHub Actions documentation provides only part of the answer.
So, first, configure your Maven project for staging artifacts to The Central Repository, by reading through Configuring Your Project for Deployment and following those steps. Please make sure that the maven-gpg-plugin is configured to prevent gpg from using PIN entry programs, as follows:
<configuration>
<gpgArguments>
<arg>--pinentry-mode</arg>
<arg>loopback</arg>
</gpgArguments>
</configuration>At this point, you should be able to manually stage your artifacts to The Central Repository.
Next, set up a basic GitHub Actions workflow to build your project. Take a look at Publishing Java packages with Maven, and complete all the steps there.
At this point, you will find that you are missing one step - being able to sign your Maven-built jar files within your GitHub Actions workflow. You can follow the steps below to sign artifacts in GitHub actions. The trick involves loading in your private key into GitHub Actions using the gpg command-line commands.
- Export your gpg private key from the system on which you have created it.
- Find your key-id (using
gpg --list-secret-keys --keyid-format=long) - Export the gpg secret key to an ASCII file using
gpg --export-secret-keys -a <key-id> > secret.txt - Edit
secret.txtusing a plain text editor, and replace all newlines with a literal "\n" (backslash + n) until everything is on a single line
- Find your key-id (using
- Set up GitHub Actions secrets
- Create a secret called
OSSRH_GPG_SECRET_KEYusing the text from your editedsecret.txtfile (the whole text should be in a single line) as the value - Create a secret called
OSSRH_GPG_SECRET_KEY_PASSWORDcontaining the password for your gpg secret key
- Create a secret called
- Create a GitHub Actions step to install the gpg secret key
- Add an action similar to:
- id: install-secret-key name: Install gpg secret key run: | # Install gpg secret key cat <(echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}") | gpg --batch --import # Verify gpg secret key gpg --list-secret-keys --keyid-format LONG
- Verify that the secret key is shown in the GitHub Actions logs
- You can remove the output from list secret keys if you are confident that this action will work, but it is better to leave it in there
- Add an action similar to:
- Bring it all together, and create a GitHub Actions step to publish
- Add an action similar to:
- id: publish-to-central name: Publish to Central Repository env: MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }} MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }} run: | mvn \ --no-transfer-progress \ --batch-mode \ -Dgpg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} \ clean deploy
- After a couple of hours, verify that the artifact got published to The Central Repository
- Add an action similar to:
Funny you should mention that, since only today I wrote an answer on Stackoverflow saying the same thing. I quote part of it below.
A straightforward approach is to store your GPG key and passphrase as GitHub secrets. This method has several advantages:
No Base64 Encoding: Directly use the key without extra encoding steps.
Secure Logging: GitHub will automatically mask these secrets in your logs, reducing the risk of accidental exposure.
Here's a sample configuration for a Gradle project using the
vanniktech/gradle-maven-publish-plugin:This setup ensures the private key is securely used in memory without the need for intermediate files.