kaxil commented on code in PR #68073:
URL: https://github.com/apache/airflow/pull/68073#discussion_r3364355684


##########
java-sdk/sdk/build.gradle.kts:
##########
@@ -303,29 +303,33 @@ publishing {
     repositories {
         maven {
             name = "mavenRepo"
-            url =
-                uri(
-                    getProperty("mavenUrl")
-                        ?: if (sdkVersion.endsWith("-SNAPSHOT")) {
-                            
"https://repository.apache.org/content/repositories/snapshots/";
-                        } else {
-                            
"https://repository.apache.org/service/local/staging/deploy/maven2/";
-                        },
-                )
-            getProperty("mavenUsername", "ASF_NEXUS_USERNAME").let { user ->
-                credentials {
-                    username = user
-                    password = getProperty("mavenPassword", 
"ASF_NEXUS_PASSWORD")
+            val repoPath =
+                getProperty("mavenUrl")
+                    ?: if (sdkVersion.endsWith("-SNAPSHOT")) {
+                        
"https://repository.apache.org/content/repositories/snapshots/";
+                    } else {
+                        
"https://repository.apache.org/service/local/staging/deploy/maven2/";
+                    }
+            url = uri(repoPath)
+            if (!repoPath.startsWith("file:")) {
+                val user = getProperty("mavenUsername", "ASF_NEXUS_USERNAME")
+                val pass = getProperty("mavenPassword", "ASF_NEXUS_PASSWORD")
+                if (user != null && pass != null) {
+                    credentials {
+                        username = user
+                        password = pass
+                    }
                 }
             }
         }
     }
 }
 
 signing {
-    getProperty("signing.key", "SIGNING_KEY").let { secretKey ->
-        val password = getProperty("signing.password", "SIGNING_PASSWORD")
-        useInMemoryPgpKeys(secretKey, password)
+    val signingKey = getProperty("signing.key", "SIGNING_KEY")?.takeIf { 
it.isNotBlank() }
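Review bot: at `if (user != null && pass != null)` the half-configured case (exactly one of `mavenUsername`/`ASF_NEXUS_USERNAME` or `mavenPassword`/`ASF_NEXUS_PASSWORD` set) is silently treated as "no credentials", so a real publish to Nexus proceeds unauthenticated and the mistake only surfaces as an upload rejection; throwing a `GradleException` that names both properties when one is missing turns that into a configuration error. Separately, `if (!repoPath.startsWith("file:"))` is a string-prefix test while `url = uri(repoPath)` also resolves a bare path such as `/tmp/repo` to a file URL, so the two disagree for that input; comparing `uri(repoPath).scheme == "file"` keeps them consistent, which matters once signing is gated on the same condition.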

Review Comment:
   Signing is now skipped entirely whenever `signing.key` is absent or blank. 
That's right for the local `file:` dry-run, but for a real release to ASF Nexus 
staging a missing or empty key means the build silently publishes unsigned 
artifacts instead of failing. The old code passed the key straight to 
`useInMemoryPgpKeys`, so a missing key blew up loudly. Worth gating signing on 
the target repo (or at least failing loudly when publishing to a non-`file:` 
URL without a key) so a forgotten key during release can't slip through.



##########
java-sdk/README.md:
##########
@@ -119,58 +119,32 @@ cat 
~/.m2/repository/org/apache/airflow/airflow-sdk/*/airflow-sdk-*.pom
 Check that the coordinates, description, license, SCM, and organization fields
 look correct.
 
-### Export your signing key
+### Dry-run against a local repository
 
-The build expects an ASCII-armored PGP private key.  Export it with:
+To test the full publish flow without touching ASF infrastructure, override the
+repository URL to a local directory (no signing key required since nothing goes
+to Maven Central):
 
 ```bash
-gpg --armor --export-secret-keys <your-key-id>
+./gradlew :sdk:publish -PmavenUrl=file:///tmp/local-maven-repo
+ls /tmp/local-maven-repo/org/apache/airflow/airflow-sdk/
 ```
 
-Copy the full output (including the header and footer) for use in the next 
step.
-
 ### Publish to ASF Nexus staging
 
 Store the four credentials in `~/.gradle/gradle.properties` so they are not
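Review bot: the dry-run section tells the reader to `ls` the local repository but not what to look for, and as written (no key) the run never exercises signing, so it cannot catch a broken signing setup before a real release; add a sentence that with `SIGNING_KEY` set the same command also writes `.asc` signatures next to each artifact and that those are what to check. The parenthetical "no signing key required since nothing goes to Maven Central" also gives the wrong reason: the real target is ASF Nexus staging, and the key can be omitted only because nothing leaves the machine.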

Review Comment:
   "Store the four credentials" is now stale: the block below only lists three 
(`mavenUsername`, `mavenPassword`, `signing.password`), with `signing.key` 
passed on the command line instead.



##########
java-sdk/README.md:
##########
@@ -119,58 +119,32 @@ cat 
~/.m2/repository/org/apache/airflow/airflow-sdk/*/airflow-sdk-*.pom
 Check that the coordinates, description, license, SCM, and organization fields
 look correct.
 
-### Export your signing key
+### Dry-run against a local repository
 
-The build expects an ASCII-armored PGP private key.  Export it with:
+To test the full publish flow without touching ASF infrastructure, override the
+repository URL to a local directory (no signing key required since nothing goes
+to Maven Central):
 
 ```bash
-gpg --armor --export-secret-keys <your-key-id>
+./gradlew :sdk:publish -PmavenUrl=file:///tmp/local-maven-repo
+ls /tmp/local-maven-repo/org/apache/airflow/airflow-sdk/
 ```
 
-Copy the full output (including the header and footer) for use in the next 
step.
-
 ### Publish to ASF Nexus staging
 
 Store the four credentials in `~/.gradle/gradle.properties` so they are not
 exposed in your shell history:
 
 ```properties
-mavenUsername=<your-asf-id>
-mavenPassword=<your-asf-nexus-token>
-signing.key=<ascii-armored-pgp-key>
-signing.password=<key-passphrase>
-```
-
-Then run the publish task:
-
-```bash
-./gradlew :sdk:publish
-```
-
-Alternatively, pass them on the command line (note the single quotes around
-properties whose values contain newlines or special characters):
-
-```bash
-./gradlew :sdk:publish \
-  -PmavenUsername=<your-asf-id> \
-  -PmavenPassword=<your-asf-nexus-token> \
-  -P'signing.key=<ascii-armored-pgp-key>' \
-  -P'signing.password=<key-passphrase>'
+mavenUsername=your-asf-nexux-token-username
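Review bot: at `mavenUsername=your-asf-nexux-token-username` the placeholders drop the `<...>` convention the removed lines used (`<your-asf-id>`, `<your-asf-nexus-token>`), so they read as values to paste literally; keep the angle brackets. The new name also implies a Nexus user-token pair rather than the ASF login the removed `<your-asf-id>` placeholder suggested, and the section should say that explicitly so readers know which credential to generate.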

Review Comment:
   Typo, `your-asf-nexux-token-username` should be `nexus`.



##########
java-sdk/README.md:
##########
@@ -119,58 +119,32 @@ cat 
~/.m2/repository/org/apache/airflow/airflow-sdk/*/airflow-sdk-*.pom
 Check that the coordinates, description, license, SCM, and organization fields
 look correct.
 
-### Export your signing key
+### Dry-run against a local repository
 
-The build expects an ASCII-armored PGP private key.  Export it with:
+To test the full publish flow without touching ASF infrastructure, override the
+repository URL to a local directory (no signing key required since nothing goes
+to Maven Central):
 
 ```bash
-gpg --armor --export-secret-keys <your-key-id>
+./gradlew :sdk:publish -PmavenUrl=file:///tmp/local-maven-repo
+ls /tmp/local-maven-repo/org/apache/airflow/airflow-sdk/
 ```
 
-Copy the full output (including the header and footer) for use in the next 
step.
-
 ### Publish to ASF Nexus staging
 
 Store the four credentials in `~/.gradle/gradle.properties` so they are not
 exposed in your shell history:
 
 ```properties
-mavenUsername=<your-asf-id>
-mavenPassword=<your-asf-nexus-token>
-signing.key=<ascii-armored-pgp-key>
-signing.password=<key-passphrase>
-```
-
-Then run the publish task:
-
-```bash
-./gradlew :sdk:publish
-```
-
-Alternatively, pass them on the command line (note the single quotes around
-properties whose values contain newlines or special characters):
-
-```bash
-./gradlew :sdk:publish \
-  -PmavenUsername=<your-asf-id> \
-  -PmavenPassword=<your-asf-nexus-token> \
-  -P'signing.key=<ascii-armored-pgp-key>' \
-  -P'signing.password=<key-passphrase>'
+mavenUsername=your-asf-nexux-token-username
+mavenPassword=your-asf-nexus-token-password
+signing.password=your-gpg-key-passphrase
 ```
 
-### Release
-
-The process from now on should be the same as releasing other Airflow 
components.
-
-### Dry-run against a local repository
-
-To test the full publish flow without touching ASF infrastructure, override the
-repository URL to a local directory (no signing key required since nothing goes
-to Maven Central):
+Then run the publish task.
 
 ```bash
-./gradlew :sdk:publish -PmavenUrl=file:///tmp/local-maven-repo
-ls /tmp/local-maven-repo/org/apache/airflow/airflow-sdk/
+./gradlew :sdk:publish -P"signing.key=$(gpg --armor --export-secret-keys 
your-gpg-key-fingerprint)"
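Review bot: the removed `### Release` section (`The process from now on should be the same as releasing other Airflow components.`) gets no replacement, so the README now ends at the publish command without saying what happens to the staged repository next; keep a one-line pointer to the general Airflow release process. Minor: `your-gpg-key-fingerprint` follows the same bare-placeholder style, where `<your-key-id>` as in the removed `gpg --armor --export-secret-keys <your-key-id>` line would be consistent with the rest of the document.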

Review Comment:
   Passing `signing.key` on the command line puts the PGP private key into 
shell history and the process list, which is exactly what the "so they are not 
exposed in your shell history" line above is trying to avoid. Since the 
multiline key is awkward in `gradle.properties`, maybe note that the env var 
(`SIGNING_KEY`) is the safer route for the key, or call out the tradeoff.
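
The two points raised in this thread (fail loudly when publishing to a non-`file:` target without a key, and take the key from `SIGNING_KEY` rather than the command line) as one build-script sketch. This is an added example, not the project's `build.gradle.kts` and not kaxil's proposal as written: it replaces the `publishing` and `signing` blocks from the first hunk, uses a `secret()` helper as a stand-in for the project's `getProperty(prop, env)` (whose body is not in this thread), and assumes `sdkVersion` is defined earlier in the script, as the hunk uses it.

```kotlin
import org.gradle.api.publish.maven.tasks.PublishToMavenRepository

// Added example, not the project's build.gradle.kts. `secret()` stands in for the
// project's own getProperty(prop, env) helper; `sdkVersion` is assumed to be
// defined earlier in the script, as in the hunk under review.

// Gradle property first (-Pname=... or ~/.gradle/gradle.properties), then the
// environment. Blank values count as absent so an empty SIGNING_KEY cannot
// slip past the checks below.
fun secret(prop: String, env: String): String? =
    (findProperty(prop) as String?)?.takeIf { it.isNotBlank() }
        ?: System.getenv(env)?.takeIf { it.isNotBlank() }

val repoPath: String =
    (findProperty("mavenUrl") as String?)
        ?: if (sdkVersion.endsWith("-SNAPSHOT")) {
            "https://repository.apache.org/content/repositories/snapshots/"
        } else {
            "https://repository.apache.org/service/local/staging/deploy/maven2/"
        }

// Decide on the parsed scheme rather than a string prefix, so a bare path such
// as -PmavenUrl=/tmp/repo (which uri() also resolves to a file URL) is treated
// the same way as file:///tmp/repo.
val isLocalDryRun = uri(repoPath).scheme == "file"

// The key is read from the SIGNING_KEY environment variable by preference; it
// only reaches the command line if someone deliberately passes -Psigning.key.
val signingKey = secret("signing.key", "SIGNING_KEY")
val signingPassword = secret("signing.password", "SIGNING_PASSWORD")

publishing {
    repositories {
        maven {
            name = "mavenRepo"
            url = uri(repoPath)
            if (!isLocalDryRun) {
                val user = secret("mavenUsername", "ASF_NEXUS_USERNAME")
                val pass = secret("mavenPassword", "ASF_NEXUS_PASSWORD")
                // Exactly one of the pair set is a configuration error, not
                // something to discover as an upload rejection from Nexus.
                if ((user == null) != (pass == null)) {
                    throw GradleException(
                        "mavenUsername/ASF_NEXUS_USERNAME and mavenPassword/ASF_NEXUS_PASSWORD " +
                            "must both be set when publishing to $repoPath"
                    )
                }
                if (user != null && pass != null) {
                    credentials {
                        username = user
                        password = pass
                    }
                }
            }
        }
    }
}

signing {
    // With required=true the signing plugin refuses to run the sign tasks when
    // no signatory is configured, so a forgotten key can no longer degrade
    // into an unsigned publish. The local file: dry-run keeps signing optional.
    isRequired = !isLocalDryRun
    if (signingKey != null) {
        useInMemoryPgpKeys(signingKey, signingPassword)
    }
    sign(publishing.publications)
}

// Second check at publish time, with a message that names the env var, so the
// failure is explicit even if the signing tasks are wired differently later.
tasks.withType<PublishToMavenRepository>().configureEach {
    doFirst {
        val target = repository.url
        if (target.scheme != "file" && signingKey == null) {
            throw GradleException(
                "Refusing to publish unsigned artifacts to $target: export SIGNING_KEY " +
                    "(ASCII-armored PGP private key) and SIGNING_PASSWORD, or set " +
                    "signing.key/signing.password in ~/.gradle/gradle.properties."
            )
        }
    }
}
```

With this in place, `./gradlew :sdk:publish -PmavenUrl=file:///tmp/local-maven-repo` still works without a key, while the same command against the default Nexus URL stops before any upload unless `SIGNING_KEY` (or `-Psigning.key`) is present.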



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
