1 change: 0 additions & 1 deletion .github/workflows/dev-check.yml
Expand Up @@ -46,7 +46,6 @@ jobs:
run: |
# Strip git ref prefix from version
echo "BRANCH_NAME=$(echo ${{ github.ref }} | sed -e 's,.*/\(.*\),\1,')" >> $GITHUB_ENV
echo "GPG_TTY=$(tty)" >> $GITHUB_ENV

- name: Set up JDK
uses: actions/setup-java@v2
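Review bot: The removed `echo "GPG_TTY=$(tty)" >> $GITHUB_ENV` line never produced a usable value on a hosted runner: a `run:` step has no controlling terminal, so `tty` prints `not a tty` and exits 1, and the variable ended up holding that literal string. Removing it is correct; just confirm nothing later in dev-check.yml still reads `env.GPG_TTY`, since this hunk only shows the `actions/setup-java@v2` step that follows. The same reasoning covers the identical one-line removals in npm-sonar-analysis.yml and release-changes.yml.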
1 change: 0 additions & 1 deletion .github/workflows/docker-build.yml
Expand Up @@ -73,7 +73,6 @@ jobs:
run: |
# Strip git ref prefix from version
echo "BRANCH_NAME=$(echo ${{ github.ref }} | sed -e 's,.*/\(.*\),\1,')" >> $GITHUB_ENV
echo "GPG_TTY=$(tty)" >> $GITHUB_ENV
echo "${{ toJSON(inputs) }}"

# Parse platforms into an array
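Review bot: The GPG_TTY removal here is fine. A separate point in the unchanged context of this same step: `echo "${{ toJSON(inputs) }}"` expands the serialized workflow inputs into the shell script at template-render time, so any input value containing shell metacharacters is interpreted by bash rather than printed. The usual mitigation is to route it through `env:` (e.g. `INPUTS_JSON: ${{ toJSON(inputs) }}`) and `echo "$INPUTS_JSON"`. Out of scope for this PR, but worth a follow-up since docker-build.yml is a reusable workflow that accepts caller-supplied inputs.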
16 changes: 7 additions & 9 deletions .github/workflows/maven-build.yml
Expand Up @@ -18,6 +18,8 @@ on:
required: true
GPG_SECRET:
required: true
GPG_PRIVATE_KEY:
required: true
Comment on lines +21 to +22
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find downstream callers of this reusable workflow across the mosip org
gh search code --owner mosip "uses: mosip/kattu/.github/workflows/maven-build.yml" --limit 100

Repository: mosip/kattu

Length of output: 37


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Inspect the reusable workflow contract and the GPG import step
echo "=== maven-build.yml: contract around lines 15-35 ==="
nl -ba .github/workflows/maven-build.yml | sed -n '1,120p'

echo "=== maven-build.yml: lines 40-90 (focus on GPG import) ==="
nl -ba .github/workflows/maven-build.yml | sed -n '35,100p'

# 2) Search within this repo for downstream callers of the reusable workflow
echo "=== Local callers (this repo) using the workflow ==="
rg -n --hidden --glob '!**/node_modules/**' "uses:\s*mosip/kattu/\.github/workflows/maven-build\.yml" -S . || true

echo "=== Local callers with a looser match (in case of different path/format) ==="
rg -n --hidden --glob '!**/node_modules/**' "maven-build\.yml" -S .github/workflows || true

# 3) Also list any workflow_call secrets definitions for reference
echo "=== workflow_call secrets block (if present) ==="
rg -n "workflow_call|secrets:|GPG_PRIVATE_KEY" .github/workflows/maven-build.yml -n || true

Repository: mosip/kattu

Length of output: 169


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== maven-build.yml (first 200 lines with numbers via cat -n) ==="
cat -n .github/workflows/maven-build.yml | sed -n '1,200p'

echo "=== Local callers in this repo (workflows) using mosip/kattu reusable workflow ==="
rg -n --hidden --glob '!**/node_modules/**' "uses:\s*mosip/kattu/\.github/workflows/maven-build\.yml" -S .github/workflows . || true

echo "=== Local callers using maven-build.yml (fallback match) ==="
rg -n --hidden --glob '!**/node_modules/**' "uses:\s*.*maven-build\.yml" -S .github/workflows . || true

echo "=== workflow_call secrets block (if present) ==="
rg -n "workflow_call|secrets:|GPG_PRIVATE_KEY" .github/workflows/maven-build.yml -n || true

Repository: mosip/kattu

Length of output: 11781


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== docs/maven-build-readme.md around the reusable workflow call ==="
sed -n '1,120p' docs/maven-build-readme.md

Repository: mosip/kattu

Length of output: 2286


🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "GPG_PRIVATE_KEY" -S . || true
rg -n "uses:\s*mosip/kattu/\.github/workflows/maven-build\.yml" -S .github workflows docs || true
rg -n "secrets:\s*inherit" -S .github || true

Repository: mosip/kattu

Length of output: 216


🏁 Script executed:

#!/bin/bash
set -euo pipefail

git diff --stat -- .github/workflows/maven-build.yml || true
git diff -- .github/workflows/maven-build.yml | sed -n '1,200p' || true

Repository: mosip/kattu

Length of output: 37


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Any occurrences of 'secrets: inherit' in .github workflows ==="
rg -n "secrets:\s*inherit" -S .github || true

echo "=== Any occurrences of 'GPG_PRIVATE_KEY' in .github ==="
rg -n "GPG_PRIVATE_KEY" -S .github || true

echo "=== Any other docs mentioning GPG_PRIVATE_KEY ==="
rg -n "GPG_PRIVATE_KEY" -S docs || true

Repository: mosip/kattu

Length of output: 731


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .github/workflows/maven-publish-to-nexus.yml (first 120 lines) ==="
cat -n .github/workflows/maven-publish-to-nexus.yml | sed -n '1,140p'

echo "=== .github/workflows/maven-publish-android.yml (first 140 lines) ==="
cat -n .github/workflows/maven-publish-android.yml | sed -n '1,180p'

Repository: mosip/kattu

Length of output: 12563


Require GPG_PRIVATE_KEY in all callers (and fix README example) — maven-build.yml consumes it

.github/workflows/maven-build.yml declares workflow_call.secrets.GPG_PRIVATE_KEY: required: true (lines 21-22) and passes it to crazy-max/ghaction-import-gpg@v6 as gpg_private_key (lines 52-56). Callers must supply secrets.GPG_PRIVATE_KEY. In this repo’s docs/maven-build-readme.md example, secrets: includes GPG_SECRET but omits GPG_PRIVATE_KEY, so the example would fail as written.

Also consider pinning crazy-max/ghaction-import-gpg to a commit SHA instead of a floating v6 tag.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maven-build.yml around lines 21 - 22, Update the docs and
callers to include the required secret by adding GPG_PRIVATE_KEY to the example
secrets block in docs/maven-build-readme.md (the workflow expects
workflow_call.secrets.GPG_PRIVATE_KEY) and ensure any repository using this
workflow supplies secrets.GPG_PRIVATE_KEY (not just GPG_SECRET); additionally,
replace the floating crazy-max/ghaction-import-gpg@v6 reference in
.github/workflows/maven-build.yml with a pinned commit SHA (or explicitly
document the version) to avoid unexpected changes.

SLACK_WEBHOOK_URL:
required: true
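Review bot: Adding `GPG_PRIVATE_KEY` as `required: true` is a breaking change to the workflow_call contract: every caller that passes an explicit `secrets:` block must add it before this merges, or its run fails at workflow validation. The same requirement is added in maven-publish-android.yml and maven-publish-to-nexus.yml, so the rollout has to be coordinated across all three sets of callers. It would also help to document that `GPG_SECRET` is from now on only the passphrase for `GPG_PRIVATE_KEY` (it is passed as `passphrase:` in the import step below), since the name no longer says so.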

Expand Down Expand Up @@ -46,16 +48,12 @@ jobs:
run: |
# Strip git ref prefix from version
echo "BRANCH_NAME=$(echo ${{ github.ref }} | sed -e 's,.*/\(.*\),\1,')" >> $GITHUB_ENV
echo "GPG_TTY=$(tty)" >> $GITHUB_ENV

- name: Setup branch and GPG public key
run: |
# Strip git ref prefix from version
echo ${{ env.BRANCH_NAME }}
echo ${{ env.GPG_TTY }}
sudo apt-get --yes install gnupg2
gpg2 --import ./.github/keys/mosipgpgkey_pub.gpg
gpg2 --quiet --batch --passphrase=${{secrets.GPG_SECRET}} --allow-secret-key-import --import ./.github/keys/mosipgpgkey_sec.gpg
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_SECRET }}
Comment on lines +52 to +56
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Dereference the v6 tag to a commit SHA
gh api repos/crazy-max/ghaction-import-gpg/git/refs/tags/v6 \
  --jq '.object.type + " " + .object.sha'
# If type is "tag" (annotated), dereference once more:
# gh api repos/crazy-max/ghaction-import-gpg/git/tags/<sha-from-above> --jq '.object.sha'

Repository: mosip/kattu

Length of output: 103


🏁 Script executed:

#!/bin/bash
set -euo pipefail
file=".github/workflows/maven-build.yml"
# show lines 45-70 with numbers
nl -ba "$file" | sed -n '45,70p'

Repository: mosip/kattu

Length of output: 98


🌐 Web query:

crazy-max gaction-import-gpg gpg_private_key passphrase pin to commit SHA security best practice

💡 Result:

To ensure security when using the ghaction-import-gpg action, you should implement the following best practices:

1. Use Immutable Commit SHAs: Never pin your workflow actions to mutable tags or branch names (e.g., @v7). Instead, use the specific 40-character commit SHA to pin the action version [1][2]. This protects your pipeline against supply chain attacks where a malicious actor overwrites a tag or branch with compromised code [1][2]. Example: uses: crazy-max/ghaction-import-gpg@a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0 # v7
2. Use GitHub Secrets for Sensitive Data: Always store the GPG private key and the associated passphrase in GitHub Secrets [3][4]. GitHub automatically masks these values in job logs, preventing them from being printed in plain text [4][5]. Never hardcode these values directly in your workflow files [4][5].
3. Implement Least Privilege: Restrict the permissions of your workflow to only what is necessary [1]. Use an explicit permissions block to avoid granting excessive access by default [1]. If the workflow only needs to read the repository to sign commits, set: permissions: contents: read
4. Adopt Secure Alternatives: Consider using maintained forks or security-hardened versions of the action if your organization requires higher levels of provenance or supply chain security [6][7]. For example, some maintained versions provide additional features like signed commits and reproducible builds [6].
5. Audit and Rotate: Regularly audit your GitHub Actions workflows for security misconfigurations, such as using mutable refs or excessive permissions [1]. If you suspect a secret has been exposed, rotate the GPG key immediately and update the corresponding GitHub Secret [2].

By combining immutable version pinning with secure secret management, you significantly reduce the attack surface of your CI/CD pipeline [1][2].


🏁 Script executed:

#!/bin/bash
set -euo pipefail
file=".github/workflows/maven-build.yml"
nl -ba "$file" | sed -n '45,70p'

Repository: mosip/kattu

Length of output: 98


🌐 Web query:

crazy-max/ghaction-import-gpg gpg_private_key passphrase security pin to commit SHA

💡 Result:

The crazy-max/ghaction-import-gpg GitHub Action facilitates GPG key usage in GitHub Actions by importing a private key into the runner's environment [1][2]. To use it securely:

1. Store your ASCII-armored private GPG key as a GitHub Secret (e.g., GPG_PRIVATE_KEY) [1][2].
2. If your key is passphrase-protected, store the passphrase as a separate GitHub Secret (e.g., PASSPHRASE) [1][2].
3. Pass these secrets into the action's with: block [1][2]. The action automatically seeds the gpg-agent with the provided passphrase, allowing subsequent Git operations to use the key without manual interaction [1][2].

Regarding security and best practices:

- Commit SHA Pinning: To protect your CI/CD pipeline against supply chain attacks (such as tag-based mutable ref poisoning), you should pin the action to a specific commit SHA rather than a branch or tag version (e.g., uses: crazy-max/ghaction-import-gpg@<40-char-sha>) [3][4].
- Secret Masking: GitHub automatically masks secrets defined in your workflow [5][6]. When using this action, the passphrase and private key are handled as secrets and will be redacted in logs [5][6]. However, avoid logging these values manually [6].
- No PIN requirement: The action does not require a "PIN" in the traditional hardware-security-module (HSM) sense; it manages GPG-agent caching for you, which eliminates the need for interactive passphrase prompts [1][2].
- Scope: The action configures the runner's local environment. If your workflow involves building and running code in separate Docker containers (e.g., via other custom actions), ensure those environments are also configured to access the imported GPG key, as the configuration does not persist automatically across container boundaries [7].


🏁 Script executed:

#!/bin/bash
set -euo pipefail
file=".github/workflows/maven-build.yml"
# Print the relevant section with line numbers without relying on `nl`
awk 'NR>=45 && NR<=70 {printf "%d\t%s\n", NR, $0}' "$file"

Repository: mosip/kattu

Length of output: 2491


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Find all occurrences of the action to ensure only the expected one exists
rg -n "crazy-max/ghaction-import-gpg@v6|crazy-max/ghaction-import-gpg@" .github/workflows || true

Repository: mosip/kattu

Length of output: 324


🏁 Script executed:

#!/bin/bash
# Dereference the v6 tag to a commit SHA
gh api repos/crazy-max/ghaction-import-gpg/git/refs/tags/v6 \
  --jq '.object.type + " " + .object.sha'
# If type is "tag" (annotated), dereference once more:
# gh api repos/crazy-max/ghaction-import-gpg/git/tags/<sha-from-above> --jq '.object.sha'

Repository: mosip/kattu

Length of output: 103


Pin crazy-max/ghaction-import-gpg@v6 to a commit SHA

crazy-max/ghaction-import-gpg@v6 is a mutable tag for a third-party action and receives your GPG private key (secrets.GPG_PRIVATE_KEY) + passphrase, so it should be SHA-pinned. v6 resolves to e89d40939c28e39f97cf32126055eeae86ba74ec.

🔒 Pin to a SHA
     - name: Import GPG key
-      uses: crazy-max/ghaction-import-gpg@v6
+      uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6
       with:
         gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
         passphrase: ${{ secrets.GPG_SECRET }}

(Also used as @v6 in .github/workflows/maven-publish-to-nexus.yml and .github/workflows/maven-publish-android.yml.)

🧰 Tools
🪛 zizmor (1.25.2)

[error] 53-53: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maven-build.yml around lines 52 - 56, Replace the mutable
tag crazy-max/ghaction-import-gpg@v6 with the exact commit SHA (e.g.,
crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec) wherever
it is used (the Import GPG step in .github/workflows/maven-build.yml and the
same referenced entries in maven-publish-to-nexus.yml and
maven-publish-android.yml) so the action is immutable; update each workflow's
"uses:" value to the SHA-pinned ref and verify the CI runs succeed after the
change.


- name: Install xmlstartlet and xmllint
run: |
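Review bot: The removed step decrypted an in-repo secret key (`./.github/keys/mosipgpgkey_sec.gpg`) with `--passphrase=${{secrets.GPG_SECRET}}` on the gpg2 command line, which exposed the passphrase in the job's process list and in the rendered step script; supplying key and passphrase as action inputs to `crazy-max/ghaction-import-gpg` removes both exposures, so the direction is right. Two follow-ups before merging: (1) the changed-files list of this PR does not delete `.github/keys/mosipgpgkey_sec.gpg` or `mosipgpgkey_pub.gpg`, so the passphrase-protected private key keeps shipping with every clone after it is no longer needed; remove it, and if it is the same key now stored in `GPG_PRIVATE_KEY`, plan a rotation; (2) the zizmor `unpinned-uses` finding stands: replace `@v6` with the commit SHA the comment above resolved, `e89d40939c28e39f97cf32126055eeae86ba74ec`, keeping `# v6` as a trailing comment for readability.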
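The pinning discussion above (the zizmor `unpinned-uses` finding and the bot's web-query results) is the kind of check worth running locally before a PR like this one. The following is an added example, not code from the mosip/kattu repository or from the review bot: a POSIX shell checker that reports `uses:` references in a workflow file whose ref is not a full 40-hex-character commit SHA. The function names and the sample workflow it writes are constructed for the demonstration; the only value taken from the page is the SHA that the comment resolved for `v6`.

```shell
#!/bin/sh
# Added example: a small checker for the finding zizmor reports above
# ("unpinned-uses"). Not code from the mosip/kattu repository or the review
# bot; function names and the sample workflow below are constructed.

# Print "file:line: ref" for each third-party `uses:` reference in a workflow
# file whose ref is not a full 40-hex-character commit SHA. Local actions
# (./path) and docker:// images are skipped because SHA pinning does not
# apply to them.
find_unpinned() {
    f="$1"
    grep -n -E '^[[:space:]-]*uses:' "$f" | while IFS= read -r hit; do
        lineno="${hit%%:*}"
        rest="${hit#*:}"
        # Strip the key, surrounding whitespace, quotes and a trailing "# vN" comment.
        ref="$(printf '%s\n' "$rest" \
            | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
            | tr -d "'\"")"
        case "$ref" in
            ./*|docker://*) continue ;;
        esac
        if ! printf '%s\n' "$ref" | grep -q -E '@[0-9a-f]{40}$'; then
            printf '%s:%s: %s\n' "$f" "$lineno" "$ref"
        fi
    done
}

# Number of unpinned references in a file, usable as a CI gate
# (fail the job when it is not 0).
count_unpinned() {
    find_unpinned "$1" | wc -l | tr -d ' '
}

# Constructed sample workflow: two floating tags, one SHA-pinned action
# (the SHA the review comment above resolved for v6), one local action
# and one docker image.
write_sample() {
    cat > "$1" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: "actions/setup-java@v2"
EOF
}

# Stand-alone run: write the sample and report its unpinned references
# (expected: the checkout@v4 and setup-java@v2 lines).
main() {
    tmp="$(mktemp)"
    write_sample "$tmp"
    find_unpinned "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    main
fi
```

Run it with `sh check.sh --demo`, or source it and call `count_unpinned .github/workflows/maven-build.yml` from a CI step that fails on a non-zero count. The check is deliberately syntactic: it does not resolve tags, so a ref that is pinned to a short SHA or to an annotated tag name is still reported, which is the conservative behaviour for a gate.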
16 changes: 7 additions & 9 deletions .github/workflows/maven-publish-android.yml
Expand Up @@ -23,6 +23,8 @@ on:
required: true
GPG_SECRET:
required: true
GPG_PRIVATE_KEY:
required: true
SLACK_WEBHOOK_URL:
required: true

Expand Down Expand Up @@ -79,16 +81,12 @@ jobs:
run: |
# Strip git ref prefix from version
echo "BRANCH_NAME=$(echo ${{ github.ref }} | sed -e 's,.*/\(.*\),\1,')" >> $GITHUB_ENV
echo "GPG_TTY=$(tty)" >> $GITHUB_ENV

- name: Setup branch and GPG public key
run: |
# Strip git ref prefix from version
echo ${{ env.BRANCH_NAME }}
echo ${{ env.GPG_TTY }}
sudo apt-get --yes install gnupg2
gpg2 --import ./.github/keys/mosipgpgkey_pub.gpg
gpg2 --quiet --batch --passphrase=${{secrets.GPG_SECRET}} --allow-secret-key-import --import ./.github/keys/mosipgpgkey_sec.gpg
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_SECRET }}

- name: Install xmlstartlet and xmllint
run: |
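Review bot: Same replacement as in maven-build.yml, with the same two follow-ups: pin `crazy-max/ghaction-import-gpg@v6` to the commit SHA and remove the now-unused `.github/keys/mosipgpgkey_*.gpg` files. One extra thing to verify in this file: the removed step also ran `sudo apt-get --yes install gnupg2`, so if any later step or Maven configuration invokes `gpg2` explicitly, confirm that binary is still present on the runner image without the install.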
17 changes: 7 additions & 10 deletions .github/workflows/maven-publish-to-nexus.yml
Expand Up @@ -17,6 +17,8 @@ on:
required: true
GPG_SECRET:
required: true
GPG_PRIVATE_KEY:
required: true
SLACK_WEBHOOK_URL:
required: false

Expand Down Expand Up @@ -46,16 +48,12 @@ jobs:
run: |
# Strip git ref prefix from version
echo "BRANCH_NAME=$(echo ${{ github.ref }} | sed -e 's,.*/\(.*\),\1,')" >> $GITHUB_ENV
echo "GPG_TTY=$(tty)" >> $GITHUB_ENV

- name: Setup branch and GPG public key
run: |
# Strip git ref prefix from version
echo ${{ env.BRANCH_NAME }}
echo ${{ env.GPG_TTY }}
sudo apt-get --yes install gnupg2
gpg2 --import ./.github/keys/mosipgpgkey_pub.gpg
gpg2 --quiet --batch --passphrase=${{secrets.GPG_SECRET}} --allow-secret-key-import --import ./.github/keys/mosipgpgkey_sec.gpg
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_SECRET }}

- name: Setup the settings file for ossrh server
run: echo "<settings><servers><server><id>ossrh</id><username>${{secrets.OSSRH_USER}}</username><password>${{secrets.OSSRH_SECRET}}</password></server></servers><profiles><profile><id>ossrh</id><activation><activeByDefault>true</activeByDefault></activation><properties><gpg.executable>gpg2</gpg.executable><gpg.passphrase>${{secrets.GPG_SECRET}}</gpg.passphrase></properties></profile><profile><id>allow-snapshots</id><activation><activeByDefault>true</activeByDefault></activation><repositories><repository><id>snapshots-repo</id><url>https://central.sonatype.com/repository/maven-snapshots</url><releases><enabled>false</enabled></releases><snapshots><enabled>true</enabled></snapshots></repository><repository><id>releases-repo</id><url>https://central.sonatype.com/api/v1/publisher</url><releases><enabled>true</enabled></releases><snapshots><enabled>false</enabled></snapshots></repository><repository><id>danubetech-maven-public</id><url>https://repo.danubetech.com/repository/maven-public/</url></repository></repositories></profile><profile><id>sonar</id><properties><sonar.sources>.</sonar.sources><sonar.host.url>https://sonarcloud.io</sonar.host.url></properties><activation><activeByDefault>false</activeByDefault></activation></profile></profiles></settings>" > $GITHUB_WORKSPACE/settings.xml
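Review bot: The settings.xml written in the unchanged context right after this change still sets `<gpg.executable>gpg2</gpg.executable>` and `<gpg.passphrase>${{secrets.GPG_SECRET}}</gpg.passphrase>`. The removed step was the one that installed `gnupg2`; the import action seeds gpg-agent but installs no `gpg2` binary, so confirm `gpg2` remains on PATH on the runner image or switch the property to `gpg`. And because the agent is now pre-seeded with the passphrase by the import step, the `gpg.passphrase` property (which writes the secret in plain text into `$GITHUB_WORKSPACE/settings.xml` alongside the OSSRH credentials) may no longer be needed; if it stays, make sure that file is never uploaded as an artifact.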
Expand All @@ -68,7 +66,6 @@ jobs:
cd ${{ inputs.SERVICE_LOCATION }} && mvn -DskipTests -U -B deploy -Dmaven.wagon.http.retryHandler.count=2 -DaltDeploymentRepository=ossrh::default::${{ secrets.OSSRH_URL }} -s $GITHUB_WORKSPACE/settings.xml -f pom.xml
env:
GITHUB_TOKEN: ${{secrets.OSSRH_TOKEN}}
GPG_TTY: $(tty)

# - uses: 8398a7/action-slack@v3
# with:
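Review bot: The removed `GPG_TTY: $(tty)` under `env:` was always a literal string: `env:` values are not passed through a shell, so `$(tty)` was never expanded and Maven received the five characters `$(tty)`. Removing it is correct and changes no behaviour.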
12 changes: 0 additions & 12 deletions .github/workflows/maven-sonar-analysis-new.yml
Expand Up @@ -25,8 +25,6 @@ on:
required: true
OSSRH_TOKEN:
required: true
GPG_SECRET:
required: true
SLACK_WEBHOOK_URL:
required: true
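Review bot: Dropping `GPG_SECRET` from `workflow_call.secrets` makes any caller that still passes `GPG_SECRET:` explicitly fail validation with "is not defined in the referenced workflow"; audit callers of maven-sonar-analysis-new.yml (and maven-sonar-analysis.yml, which gets the same change) before merging. Note also that the settings.xml step later in this file still references `${{secrets.GPG_SECRET}}`, so the secret is removed from the contract but not from its use.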

Expand Down Expand Up @@ -55,18 +53,8 @@ jobs:
run: |
# Strip git ref prefix from version
echo "BRANCH_NAME=$(echo ${{ github.ref }} | sed -e 's,.*/\(.*\),\1,')" >> $GITHUB_ENV
echo "GPG_TTY=$(tty)" >> $GITHUB_ENV
echo "SONAR URL : ${{ inputs.SONAR_URL }}"

- name: Setup branch and GPG public key
run: |
# Strip git ref prefix from version
echo ${{ env.BRANCH_NAME }}
echo ${{ env.GPG_TTY }}
sudo apt-get --yes install gnupg2
gpg2 --import ./.github/keys/mosipgpgkey_pub.gpg
gpg2 --quiet --batch --passphrase=${{secrets.GPG_SECRET}} --allow-secret-key-import --import ./.github/keys/mosipgpgkey_sec.gpg

- name: Setup the settings file for ossrh server
run: echo "<settings> <servers> <server> <id>ossrh</id> <username>${{secrets.OSSRH_USER}}</username> <password>${{secrets.OSSRH_SECRET}}</password> </server> </servers> <profiles> <profile> <id>ossrh</id> <activation> <activeByDefault>true</activeByDefault> </activation> <properties> <gpg.executable>gpg2</gpg.executable> <gpg.passphrase>${{secrets.GPG_SECRET}}</gpg.passphrase> </properties> </profile> <profile> <id>allow-snapshots</id> <activation><activeByDefault>true</activeByDefault></activation> <repositories> <repository> <id>snapshots-repo</id> <url>https://oss.sonatype.org/content/repositories/snapshots</url> <releases><enabled>false</enabled></releases> <snapshots><enabled>true</enabled></snapshots> </repository> <repository> <id>releases-repo</id> <url>https://oss.sonatype.org/service/local/staging/deploy/maven2</url> <releases><enabled>true</enabled></releases> <snapshots><enabled>false</enabled></snapshots> </repository> <repository> <id>danubetech-maven-public</id> <url>https://repo.danubetech.com/repository/maven-public/</url> </repository> </repositories> </profile> <profile> <id>sonar</id> <properties> <sonar.sources>.</sonar.sources> <sonar.host.url>https://sonarcloud.io</sonar.host.url> </properties> <activation> <activeByDefault>false</activeByDefault> </activation> </profile> </profiles> </settings>" > $GITHUB_WORKSPACE/settings.xml
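Review bot: The GPG import step is gone and `GPG_SECRET` is no longer declared in `workflow_call.secrets`, but the settings.xml line kept here still writes `<gpg.passphrase>${{secrets.GPG_SECRET}}</gpg.passphrase>` and `<gpg.executable>gpg2</gpg.executable>`. In a reusable workflow an undeclared secret expands to an empty string unless the caller uses `secrets: inherit`, so this now silently emits an empty passphrase. Since the key import was removed, this sonar job evidently does not sign artifacts; drop the `gpg.*` properties from the generated settings file rather than leave a dangling secret reference that will confuse the next person to debug a signing failure.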

12 changes: 0 additions & 12 deletions .github/workflows/maven-sonar-analysis.yml
Expand Up @@ -25,8 +25,6 @@ on:
required: true
OSSRH_TOKEN:
required: true
GPG_SECRET:
required: true
SLACK_WEBHOOK_URL:
required: true

Expand Down Expand Up @@ -55,18 +53,8 @@ jobs:
run: |
# Strip git ref prefix from version
echo "BRANCH_NAME=$(echo ${{ github.ref }} | sed -e 's,.*/\(.*\),\1,')" >> $GITHUB_ENV
echo "GPG_TTY=$(tty)" >> $GITHUB_ENV
echo "SONAR URL : ${{ inputs.SONAR_URL }}"

- name: Setup branch and GPG public key
run: |
# Strip git ref prefix from version
echo ${{ env.BRANCH_NAME }}
echo ${{ env.GPG_TTY }}
sudo apt-get --yes install gnupg2
gpg2 --import ./.github/keys/mosipgpgkey_pub.gpg
gpg2 --quiet --batch --passphrase=${{secrets.GPG_SECRET}} --allow-secret-key-import --import ./.github/keys/mosipgpgkey_sec.gpg

- name: Setup the settings file for ossrh server
run: echo "<settings> <servers> <server> <id>ossrh</id> <username>${{secrets.OSSRH_USER}}</username> <password>${{secrets.OSSRH_SECRET}}</password> </server> </servers> <profiles> <profile> <id>ossrh</id> <activation> <activeByDefault>true</activeByDefault> </activation> <properties> <gpg.executable>gpg2</gpg.executable> <gpg.passphrase>${{secrets.GPG_SECRET}}</gpg.passphrase> </properties> </profile> <profile> <id>allow-snapshots</id> <activation><activeByDefault>true</activeByDefault></activation> <repositories> <repository> <id>snapshots-repo</id> <url>https://oss.sonatype.org/content/repositories/snapshots</url> <releases><enabled>false</enabled></releases> <snapshots><enabled>true</enabled></snapshots> </repository> <repository> <id>releases-repo</id> <url>https://oss.sonatype.org/service/local/staging/deploy/maven2</url> <releases><enabled>true</enabled></releases> <snapshots><enabled>false</enabled></snapshots> </repository> <repository> <id>danubetech-maven-public</id> <url>https://repo.danubetech.com/repository/maven-public/</url> </repository> </repositories> </profile> <profile> <id>sonar</id> <properties> <sonar.sources>.</sonar.sources> <sonar.host.url>https://sonarcloud.io</sonar.host.url> </properties> <activation> <activeByDefault>false</activeByDefault> </activation> </profile> </profiles> </settings>" > $GITHUB_WORKSPACE/settings.xml

1 change: 0 additions & 1 deletion .github/workflows/npm-sonar-analysis.yml
Expand Up @@ -99,7 +99,6 @@ jobs:
run: |
# Strip git ref prefix from version
echo "BRANCH_NAME=$(echo ${{ github.ref }} | sed -e 's,.*/\(.*\),\1,')" >> $GITHUB_ENV
echo "GPG_TTY=$(tty)" >> $GITHUB_ENV

- name: setup sonar properties
run: |
1 change: 0 additions & 1 deletion .github/workflows/release-changes.yml
Expand Up @@ -40,7 +40,6 @@ jobs:
run: |
# Strip git ref prefix from version
echo "BRANCH_NAME=$(echo ${{ github.ref }} | sed -e 's,.*/\(.*\),\1,')" >> $GITHUB_ENV
echo "GPG_TTY=$(tty)" >> $GITHUB_ENV

- name: Install xmlstartlet and xmllint
run: |