On 2023-07-03 12:52, PJ Fanning wrote:
Adding the Incubator general list.

My view would be that non-snapshot binary artifacts should be signed
with a personal signing key - ideally the signing key that was used to
release the related source release. Unfortunately, this would mean
adding a user's signing key to the Apache GitHub account as a secret
so that the automated GitHub Action job could access it. I don't see
how we could allow personal signing keys to be added like this.

We don't and won't put personal keys into any CI system.

Please see https://infra.apache.org/release-signing.html#automated-release-signing for how to go about this. There is a standardized workflow here.


On Mon, 3 Jul 2023 at 10:18, tison <wander4...@gmail.com> wrote:

cc security

Missed in the first place.

Best,
tison.


tison <wander4...@gmail.com> wrote on Thu, 29 Jun 2023 at 22:21:

Hi security team members,

I'm tison from the OpenDAL Podling[1], a Rust library providing a Java binding.

I have already verified that GitHub Actions works well for automatically deploying 
the OpenDAL Java binding[2].

When integrating it with upstream (apache/incubator-opendal), I ran into a problem: 
deploying Maven projects requires NEXUS credentials. For my personal repo, 
I can configure my Apache ID and password as secrets. For apache repos, it 
requires handing over the credentials to an INFRA team member. Even if I can trust 
the member, it's a bit less than awesome.

Fortunately, INFRA provides two org-wide secrets, NEXUS_USER and NEXUS_PW, for 
doing so[3]. But they are limited to deploying snapshots only. An INFRA member 
suggested that I consult the security team for approval of such automatic 
deployment, and they would help grant the related permissions if approved.

Please help review the request to support ASF projects deploying Maven projects 
via GitHub Actions.

Best,
tison.

[1] http://github.com/apache/incubator-opendal
[2] https://github.com/tisonkun/ci-opendal/actions/runs/5326589752
[3] 
https://github.com/apache/incubator-opendal/blob/f887b671c0aae523d8862762eec71e6179e0975c/.github/workflows/bindings_java.yml#L192


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org



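As an added example (not code from this thread and not OpenDAL's own bindings_java.yml), here is a minimal GitHub Actions job that deploys a Maven SNAPSHOT using the org-wide NEXUS_USER and NEXUS_PW secrets the thread mentions, and refuses to run when the project version is not a SNAPSHOT, since those credentials are only meant for snapshot deployment. The workflow name and trigger, the Java version, the Maven server id apache.snapshots.https and the guard step are assumptions:

```yaml
# Added example, not the project's workflow. Assumes the org-wide secrets
# NEXUS_USER / NEXUS_PW exist (as the thread describes) and that the Maven
# distributionManagement uses the server id "apache.snapshots.https".
name: deploy-snapshot

on:
  push:
    branches: [main]

jobs:
  deploy-snapshot:
    runs-on: ubuntu-latest
    # Org-wide secrets are only present on the upstream repo, so skip forks.
    if: github.repository == 'apache/incubator-opendal'
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '17'
          # setup-java writes ~/.m2/settings.xml with a <server> whose
          # username/password reference the named environment variables,
          # so no credential is ever committed to the repository.
          server-id: apache.snapshots.https
          server-username: NEXUS_USER
          server-password: NEXUS_PW

      - name: Refuse to deploy anything that is not a SNAPSHOT
        # Non-snapshot (release) artifacts must go through the signed,
        # manual release process; the CI credentials are not for that.
        run: |
          version=$(mvn -q -DforceStdout help:evaluate -Dexpression=project.version)
          case "$version" in
            *-SNAPSHOT) echo "deploying snapshot $version" ;;
            *) echo "refusing to deploy non-snapshot version $version" >&2; exit 1 ;;
          esac

      - name: Deploy snapshot
        # The secrets are exposed only to this step, and only as the
        # environment variables the generated settings.xml expects.
        env:
          NEXUS_USER: ${{ secrets.NEXUS_USER }}
          NEXUS_PW: ${{ secrets.NEXUS_PW }}
        run: mvn -B -DskipTests deploy
```

The guard step runs before the secrets are put into the environment, so a misconfigured version bump fails the job without ever touching the repository credentials; no personal signing key is involved because snapshots are not signed artifacts.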
