Initial build and publish workflows created. Tests run locally

Part of theheraldproject#52
Signed-off-by: Adam Fowler <adam@adamfowler.org>

.github/workflows/publish.yml

@@ -0,0 +1,28 @@
+name: Publish to Maven and GitHub Packages
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest 
+    permissions: 
+      contents: read
+      packages: write 
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Java
+        uses: actions/setup-java@v2
+        with:
+          java-version: '8'
+          distribution: 'adopt'
+
+      - name: Publish to the Maven Central Repository
+        run: gradle publish
+        env: 
+          MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+          MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/unit_tests.yml

@@ -1,5 +1,13 @@
 name: Unit Tests
 
+# READ THIS BEFORE MODIFYING: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+# And this: https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
+
+# WARNING ONLY EVER USE A GITHUB_TOKEN THAT HAS **ONLY** READ_REPO ACCESS
+# (Because we invoke the local gradlew command for reproducibility)
+
+# read-only repo token
+# no access to secrets
 on:
   pull_request:
     branches:

.gitignore

@@ -14,3 +14,8 @@
 .cxx
 git-template
 herald/javadoc
+
+# Annoying Java in Visual Studio Code created artifacts
+.project
+.settings
+.classpath

herald/build.gradle

@@ -1,8 +1,10 @@
 plugins {
     id 'maven-publish'
+    id 'signing'
+    //id 'com.github.spotbugs' version '4.2.3'
 }
 
-group = 'io.heraldprox.herald'
+group = 'io.heraldprox'
 version = '2.0.0-beta1'
 
 apply plugin: 'com.android.library'
@@ -38,15 +40,24 @@ dependencies {
     implementation 'androidx.appcompat:appcompat:1.2.0'
     testImplementation 'junit:junit:4.12'
     testImplementation "org.json:json:20201115"
+    //spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.7.1'
 }
 
+signing {
+  useGpgCmd()
+  sign(publishing.publications["release","debug"])
+}
+
+
 afterEvaluate {
     publishing {
         publications {
             release(MavenPublication) {
                 from components.release
+                //artifact sourcesJar
+                //artifact javadocJar
 
-                groupId = 'io.heraldprox.herald'
+                groupId = 'io.heraldprox'
                 artifactId = 'herald'
                 pom {
                     name = 'Herald'
@@ -75,8 +86,10 @@ afterEvaluate {
             debug(MavenPublication) {
                 // Applies the component for the debug build variant.
                 from components.debug
+                //artifact sourcesJar
+                //artifact javadocJar
 
-                groupId = 'io.heraldprox.herald'
+                groupId = 'io.heraldprox'
                 artifactId = 'herald-debug'
                 pom {
                     name = 'Herald'
@@ -106,11 +119,20 @@ afterEvaluate {
 
         repositories {
             maven {
-                name = 'myRepo'
-                url = "file://${buildDir}/repo"
-                // def releasesRepoUrl = "https://oss.sonatype.org/content/repositories/releases/"
-                // def snapshotsRepoUrl = "https://oss.sonatype.org/content/repositories/snapshots/"
-                // url = version.endsWith('SNAPSHOT') ? snapshotsRepoUrl : releasesRepoUrl
+                name = "OSSRH"
+                url = "https://oss.sonatype.org/service/local/staging/deploy/maven2/"
+                credentials {
+                    username = System.getenv("MAVEN_USERNAME")
+                    password = System.getenv("MAVEN_PASSWORD")
+                }
+            }
+            maven {
+                name = "GitHubPackages"
+                url = "https://maven.pkg.github.com/theheraldproject/herald-for-android"
+                credentials {
+                    username = System.getenv("GITHUB_ACTOR")
+                    password = System.getenv("GITHUB_TOKEN")
+                }
             }
         }
     }