iamsmkr / greeter   0.1.0

GitHub

Project to demo pushing artifacts to Sonatype OSSRH and subsequently to Maven Central

greeter

CI Workflow codecov GitHub

This project aims to demonstrates building complete CI/CD workflow using GitHub Actions which includes following agenda:

  • Automate unit/integration testing
  • Validate code formatting
  • Add code owners to review code
  • Create release drafts and publish them
  • Upload artifacts to Sonatype OSSRH and subsequently to Maven Central
  • Upload code coverage reports on Codecov.io
  • Notify release on Slack

Notes:

Configurations

  1. Install GnuPG and verify the installation

    Refer: https://www.gnupg.org/download/

    $ gpg --version
    
    gpg (GnuPG/MacGPG2) 2.2.8
    libgcrypt 1.8.3
    Copyright (C) 2018 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
  2. Generate a key

    A key pair allows you to sign artifacts with GPG and users can subsequently validate that artifacts have been signed by you. You can generate a key with:

    $ gpg --gen-key
  3. List the keys

    Once key pair is generated, we can list them along with any other keys installed:

    $ gpg --list-keys
    
    /home/foo/.gnupg/pubring.gpg
    ------------------------------
    
    pub   rsa4096 2018-08-22 [SC]
        1234517530FB96F147C6A146A326F592D39AAAAA
    uid           [ultimate] your name <you@example.com>
    sub   rsa4096 2018-08-22 [E]
  4. Distribute the key and verify

    Since other people need your public key to verify your files, you have to distribute your public key to a key server:

    $ gpg --keyserver keyserver.ubuntu.com --send-keys 1234517530FB96F147C6A146A326F592D39AAAAA
    $ gpg --keyserver keyserver.ubuntu.com --search-keys 'mail@shivamkapoor.com'
  5. Export secret keys for sbt

    $ gpg -a --export-secret-keys > ~/.sbt/gpg/secring.asc
  6. Create Sonatype credentials file under .sbt and add following to that file:

    $ cat sonatype_credentials
    
    realm=Sonatype Nexus Repository Manager
    host=s01.oss.sonatype.org
    user=<your username>
    password=<your password>
  7. Create sonatype.sbt and add location to sonatype credentials

    This lets sbt know what credentials to use to access sonatype OSSRH.

    $ cat ~/.sbt/1.0/sonatype.sbt
    credentials += Credentials(Path.userHome / ".sbt" / "sonatype_credentials")

Publish

Publish artifacts to nexus repository

$ sbt publishSigned

Note: Versions that end with -SNAPSHOT will end up in snapshot repository and won't be eligible for release. Other versions would be released to staging repository which are eligible for release to maven central.

Release

In order to release artifacts against a version, go to staging repository, select the repository, close it and then release.

Screenshot-2022-05-06-at-12-48-50-PM.png

Note: After you successfully release, your component will be available to the public on Central https://repo1.maven.org/maven2/, typically within 30 minutes, though updates to https://search.maven.org can take up to four hours.

Alternatively, you could use sbt-sonatype plugin to take care of steps above for you, like so:

$ sbt sonatypeRelease

References