diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..5956c799
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,28 @@
+name: Publish to Maven and GitHub Packages
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Set up Java
+ uses: actions/setup-java@v2
+ with:
+ java-version: '8'
+ distribution: 'adopt'
+
+ - name: Publish to the Maven Central Repository
+ run: gradle publish
+ env:
+ MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+ MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 1201035e..c7bff250 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -1,5 +1,13 @@
 name: Unit Tests
+# READ THIS BEFORE MODIFYING: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+# And this: https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
+
+# WARNING ONLY EVER USE A GITHUB_TOKEN THAT HAS **ONLY** READ_REPO ACCESS
+# (Because we invoke the local gradlew command for reproducibility)
+
+# read-only repo token
+# no access to secrets
 on:
 pull_request:
 branches:
diff --git a/.gitignore b/.gitignore
index 5ad6e5d7..bd18e45d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,8 @@
 .cxx
 git-template
 herald/javadoc
+
+# Annoying Java in Visual Studio Code created artifacts
+.project
+.settings
+.classpath
\ No newline at end of file
diff --git a/herald/build.gradle b/herald/build.gradle
index 3554de20..d7d1b1f5 100644
--- a/herald/build.gradle
+++ b/herald/build.gradle
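Review bot: In `.github/workflows/publish.yml` both action steps are referenced by mutable tags (`actions/checkout@v2`, `actions/setup-java@v2`) in the one job that receives `OSSRH_USERNAME`, `OSSRH_TOKEN` and a `packages: write` token, so a retagged or compromised action release would run next to the publishing credentials. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v2`. The publish step also calls `gradle publish` from the runner image rather than the repository wrapper that the unit-test workflow's comment refers to; `run: ./gradlew publish` would release with the Gradle version CI tested, assuming the wrapper is checked in.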
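Review bot: The header added to `.github/workflows/unit_tests.yml` states the invariant ("read-only repo token", "no access to secrets") only as comments; nothing in this hunk makes the workflow enforce it. Because the job runs the pull request's own `gradlew`, the scope is better declared in the file, for example a top-level `permissions:` block containing `contents: read`, so the token does not depend on the repository's default setting. The rest of the workflow lies outside the hunk, so if such a block already exists the comment could simply point to it.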
@@ -1,8 +1,10 @@ plugins { id 'maven-publish' + id 'signing' + //id 'com.github.spotbugs' version '4.2.3' } -group = 'io.heraldprox.herald' +group = 'io.heraldprox' version = '2.0.0-beta1' apply plugin: 'com.android.library' @@ -38,15 +40,24 @@ dependencies { implementation 'androidx.appcompat:appcompat:1.2.0' testImplementation 'junit:junit:4.12' testImplementation "org.json:json:20201115" + //spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.7.1' } +signing { + useGpgCmd() + sign(publishing.publications["release","debug"]) +} + + afterEvaluate { publishing { publications { release(MavenPublication) { from components.release + //artifact sourcesJar + //artifact javadocJar - groupId = 'io.heraldprox.herald' + groupId = 'io.heraldprox' artifactId = 'herald' pom { name = 'Herald' @@ -75,8 +86,10 @@ afterEvaluate { debug(MavenPublication) { // Applies the component for the debug build variant. from components.debug + //artifact sourcesJar + //artifact javadocJar - groupId = 'io.heraldprox.herald' + groupId = 'io.heraldprox' artifactId = 'herald-debug' pom { name = 'Herald' @@ -106,11 +119,20 @@ afterEvaluate { repositories { maven { - name = 'myRepo' - url = "file://${buildDir}/repo" - // def releasesRepoUrl = "https://oss.sonatype.org/content/repositories/releases/" - // def snapshotsRepoUrl = "https://oss.sonatype.org/content/repositories/snapshots/" - // url = version.endsWith('SNAPSHOT') ? snapshotsRepoUrl : releasesRepoUrl + name = "OSSRH" + url = "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + credentials { + username = System.getenv("MAVEN_USERNAME") + password = System.getenv("MAVEN_PASSWORD") + } + } + maven { + name = "GitHubPackages" + url = "https://maven.pkg.github.com/theheraldproject/herald-for-android" + credentials { + username = System.getenv("GITHUB_ACTOR") + password = System.getenv("GITHUB_TOKEN") + } } } }
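Review bot: The `signing` block added in the second hunk of `herald/build.gradle` sits at top level, while the `release` and `debug` publications it names are only created inside `afterEvaluate`, so `publishing.publications["release","debug"]` is probably evaluated before either exists and the build may fail or publish unsigned artifacts. Moving the call inside `afterEvaluate`, after the `publications { }` block, and naming each publication explicitly, `sign publishing.publications.release, publishing.publications.debug`, also avoids depending on how the container treats a two-key subscript. `useGpgCmd()` needs a `gpg` binary with the key already in its keyring, which the new publish workflow does not set up; `useInMemoryPgpKeys(...)` fed from workflow secrets is the usual CI alternative. The `afterEvaluate` body continues beyond this hunk.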
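Review bot: In the last hunk both `maven { }` repositories become targets of a plain `publish`, so the workflow step named "Publish to the Maven Central Repository" would upload the `release` and the `debug` publication to OSSRH and to GitHub Packages alike. If the debug variant is not meant for public consumption, invoke the specific generated tasks instead, e.g. `publishReleasePublicationToOSSRHRepository`. Note also that `System.getenv(...)` yields null when a variable is unset, so a local `publish` would attempt the upload without credentials; a short comment above each `credentials { }` block naming the expected variables would make that failure easier to diagnose.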