From ba679c2aafca3ee6e1629196b00d7bd43b178734 Mon Sep 17 00:00:00 2001 From: Adriaan Moors Date: Thu, 4 Dec 2014 10:39:21 -0800 Subject: [PATCH 1/3] Support for tag-driven publishing on Travis. Modify travis build to derive the project version from TRAVIS_TAG (when set). as well as to have sbt run the `publish-signed` task if the environment is right. The tag must match the semver regex `^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9-]+)?`, and the jdk we're running on must match PUBLISH_JDK (set in .travis.yml). For every repo, you must create the following files (not included here) according to the instructions in admin/gpg.sbt: - admin/pubring.asc (commit) - admin/secring.asc (DO NOT COMMIT) - sensitive.sbt (DO NOT COMMIT) - passphrase for secring.asc - api token for staging to sonatype Generate these using `admin/encryptAll.sh`: - admin/secring.asc.enc (commit) - sensitive.sbt.enc (commit) Note that `encryptAll.sh` spits out a "- secure .... " line, that you need to add to `.travis.yml`'s `env` section, so that travis can supply the SECRET env variable, which is used to decrypt the sensitive files above. Conflicts: .travis.yml
---
.travis.yml | 13 ++++++++++--- admin/build.sh | 20 ++++++++++++++++++++ admin/decrypt.sh | 2 ++ admin/encrypt.sh | 2 ++ admin/encryptAll.sh | 19 +++++++++++++++++++ admin/gpg.sbt | 26 ++++++++++++++++++++++++++ 6 files changed, 79 insertions(+), 3 deletions(-) create mode 100755 admin/build.sh create mode 100755 admin/decrypt.sh create mode 100755 admin/encrypt.sh create mode 100755 admin/encryptAll.sh create mode 100644 admin/gpg.sbt
diff --git a/.travis.yml b/.travis.yml
index e48b184..a847fff 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,8 +1,15 @@
 language: scala
+
+env:
+ global:
+ - PUBLISH_JDK=openjdk6 # admin/build.sh only publishes when running on this jdk
+# Don't commit sensitive files, instead commit a version encrypted with $SECRET,
+# this environment variable is encrypted with this repo's private key and stored below:
+# (See http://docs.travis-ci.com/user/environment-variables/#Secure-Variables.)
+# - secure:
+
 script:
- # the concurrentRestrictions should prevent spurious test failures, see https://github.com/spray/spray/pull/233
- - sbt ++$TRAVIS_SCALA_VERSION 'set concurrentRestrictions in Global += Tags.limit(Tags.Test, 1)' clean update compile test
- # TODO: -Dbuild.publish.user=${SONATYPE_USER} -Dbuild.publish.password=${SONATYPE_PASS} $(bash project/release_on_tag.sh)
+ - admin/build.sh
 scala:
 - 2.11.0
 jdk:
diff --git a/admin/build.sh b/admin/build.sh
new file mode 100755
index 0000000..e759375
--- /dev/null
+++ b/admin/build.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# prep environment for publish to sonatype staging if the HEAD commit is tagged
+
+# git on travis does not fetch tags, but we have TRAVIS_TAG
+# headTag=$(git describe --exact-match ||:)
+
+if [ "$TRAVIS_JDK_VERSION" == "$PUBLISH_JDK" ] && [[ "$TRAVIS_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9-]+)? ]]; then
+ echo "Going to release from tag $TRAVIS_TAG!"
+ myVer=$(echo $TRAVIS_TAG | sed -e s/^v//)
+ publishVersion='set every version := "'$myVer'"'
+ extraTarget="publish-signed"
+
+ cat admin/gpg.sbt >> project/plugins.sbt
+ admin/decrypt.sh sensitive.sbt
+ (cd admin/ && ./decrypt.sh secring.asc)
+fi
+
+# the concurrentRestrictions should prevent spurious test failures, see https://github.com/spray/spray/pull/233
+sbt ++$TRAVIS_SCALA_VERSION 'set concurrentRestrictions in Global += Tags.limit(Tags.Test, 1)' "$publishVersion" clean update compile test $extraTarget
\ No newline at end of file
diff --git a/admin/decrypt.sh b/admin/decrypt.sh
new file mode 100755
index 0000000..3c3c602
--- /dev/null
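Review bot: The tag check on the `if` line of admin/build.sh has no end anchor, so any tag that merely begins with a semver prefix passes, and the unvalidated remainder is spliced into the sbt command `set every version := "…"` in the job that goes on to decrypt the signing key and Sonatype credentials. Anchor the pattern and avoid the unquoted `echo | sed`: `[[ "$TRAVIS_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9-]+)?$ ]]` and `myVer=${TRAVIS_TAG#v}`. The script also has no `set -e`, so a failed `admin/decrypt.sh` does not stop the run before `publish-signed` is attempted. `SECRET` remains in the environment of the sbt process that runs the tests in every job; an `unset SECRET` just before the final `sbt` line would narrow that exposure.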
+++ b/admin/decrypt.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+openssl aes-256-cbc -pass "pass:$SECRET" -in $1.enc -out $1 -d -a
\ No newline at end of file
diff --git a/admin/encrypt.sh b/admin/encrypt.sh
new file mode 100755
index 0000000..4bf6c93
--- /dev/null
+++ b/admin/encrypt.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+openssl aes-256-cbc -pass "pass:$SECRET" -in $1 -out $1.enc -a
\ No newline at end of file
diff --git a/admin/encryptAll.sh b/admin/encryptAll.sh
new file mode 100755
index 0000000..de7016b
--- /dev/null
+++ b/admin/encryptAll.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Based on https://gist.github.com/kzap/5819745:
+
+echo "This will encrypt the cleartext sensitive.sbt and admin/secring.asc, while making the encrypted versions available for decryption on Travis."
+echo "Update your .travis.yml as directed, and delete the cleartext versions."
+echo "Press enter to continue."
+read
+
+# 1. create a secret, put it in an environment variable while encrypting files -- UNSET IT AFTER
+export SECRET=$(cat /dev/urandom | head -c 10000 | openssl sha1)
+
+# 2. add the "secure: ..." line under the env section -- generate it with `` (install the travis gem first)
+travis encrypt SECRET=$SECRET
+
+admin/encrypt.sh admin/secring.asc
+admin/encrypt.sh sensitive.sbt
+
+echo "Remember to rm sensitive.sbt admin/secring.asc -- once you do, they cannot be recovered (except on Travis)!"
\ No newline at end of file
diff --git a/admin/gpg.sbt b/admin/gpg.sbt
new file mode 100644
index 0000000..01157e6
--- /dev/null
+++ b/admin/gpg.sbt
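Review bot: `-pass "pass:$SECRET"` in admin/decrypt.sh puts the passphrase on the openssl command line, where it is visible in the process list while the command runs; admin/encrypt.sh does the same. openssl can take it from the environment instead, which also lets `$1` be quoted: `openssl aes-256-cbc -pass env:SECRET -in "$1.enc" -out "$1" -d -a` (and the matching line without `-d` in encrypt.sh). The default key-derivation digest of `openssl enc` differs between OpenSSL releases, so pinning it with `-md` on both sides would keep the committed `.enc` files decryptable when the CI image changes. CBC on its own gives no integrity check on the decrypted `sensitive.sbt` before sbt loads it, so it may be worth verifying a checksum after decryption.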
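Review bot: `travis encrypt SECRET=$SECRET` in admin/encryptAll.sh passes the secret unquoted, and depending on the OpenSSL version `openssl sha1` reading stdin prints a `(stdin)= ` prefix before the digest; the value then contains a space and is word-split, so Travis would store a different SECRET than the one `admin/encrypt.sh` used. Generating the value directly and quoting it avoids both: `export SECRET=$(openssl rand -hex 32)` and `travis encrypt "SECRET=$SECRET"`. There is also no `set -e`, so if `travis encrypt` fails the files are still encrypted under a secret that was never recorded anywhere.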
@@ -0,0 +1,26 @@
+
+addSbtPlugin("com.typesafe.sbt" % "sbt-pgp" % "0.8.3") // only added when publishing:
+
+// There's a companion sensitive.sbt, which was created like this:
+//
+// 1. in an sbt shell that has the sbt-pgp plugin, create pgp key in admin/:
+//
+// sbt
+// set pgpReadOnly := false
+// set pgpPublicRing := file("admin/pubring.asc")
+// set pgpSecretRing := file("admin/secring.asc")
+// pgp-cmd gen-key // use $passPhrase
+// Please enter the name associated with the key: $repoName
+// Please enter the email associated with the key: scala-internals@googlegroups.com
+// Please enter the passphrase for the key: $passphrase
+//
+// 2. create sensitive.sbt with contents:
+//
+// pgpPassphrase := Some($passPhrase.toArray)
+//
+// pgpPublicRing := file("admin/pubring.asc")
+//
+// pgpSecretRing := file("admin/secring.asc")
+//
+// credentials += Credentials("Sonatype Nexus Repository Manager", "oss.sonatype.org", $sonaUser, $sonaPass)
+
From 7fab546c8dc92dd863e0b17faa126ff77e69a1ed Mon Sep 17 00:00:00 2001 From: Adriaan Moors Date: Thu, 4 Dec 2014 15:21:31 -0800 Subject: [PATCH 2/3] Bump versions.
---
.travis.yml | 2 +- build.sbt | 4 ++-- project/build.properties | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index a847fff..b22d0e8 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -11,7 +11,7 @@ env:
 script:
 - admin/build.sh
 scala:
- - 2.11.0
+ - 2.11.4
 jdk:
 - openjdk6
 # - openjdk7
diff --git a/build.sbt b/build.sbt
index 73f268a..68f1cce 100644
--- a/build.sbt
+++ b/build.sbt
@@ -8,8 +8,8 @@ lazy val commonSettings = scalaModuleSettings ++ Seq(
 repoName := "scala-continuations",
 organization := "org.scala-lang.plugins",
 version := "1.0.1-SNAPSHOT",
- scalaVersion := "2.11.2",
- snapshotScalaBinaryVersion := "2.11.2",
+ scalaVersion := "2.11.4",
+ snapshotScalaBinaryVersion := "2.11.4",
 scalacOptions ++= Seq(
 "-deprecation",
 "-feature")
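Review bot: The setup steps in the admin/gpg.sbt comment create `sensitive.sbt` and `admin/secring.asc` in the working tree, and the commit message marks both DO NOT COMMIT, but the diffstat shows no `.gitignore` change, so keeping the signing key and the Sonatype token out of history depends on nobody staging them by accident. Consider listing both paths in `.gitignore` and saying so in step 2, e.g. `// sensitive.sbt and admin/secring.asc must be listed in .gitignore; only the .enc versions are committed`. The leading blank line of this file looks deliberate, since admin/build.sh appends the file to `project/plugins.sbt` with `cat >>`; a one-line comment stating that would keep it from being trimmed later.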
diff --git a/project/build.properties b/project/build.properties
index 64abd37..748703f 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=0.13.6
+sbt.version=0.13.7
From bd63fda8435c6a4aeff6c10dea12586308c9d90f Mon Sep 17 00:00:00 2001 From: Adriaan Moors Date: Thu, 4 Dec 2014 15:25:26 -0800 Subject: [PATCH 3/3] Secure config for publishing to sonatype
---
.travis.yml | 2 +- admin/pubring.asc | 18 ++++++++++++++++++ admin/secring.asc.enc | 40 ++++++++++++++++++++++++++++++++++++++++ sensitive.sbt.enc | 7 +++++++ 4 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 admin/pubring.asc create mode 100644 admin/secring.asc.enc create mode 100644 sensitive.sbt.enc
diff --git a/.travis.yml b/.travis.yml
index b22d0e8..36960a4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -6,7 +6,7 @@ env:
 # Don't commit sensitive files, instead commit a version encrypted with $SECRET,
 # this environment variable is encrypted with this repo's private key and stored below:
 # (See http://docs.travis-ci.com/user/environment-variables/#Secure-Variables.)
-# - secure:
+ - secure: "apmuVagS7WgWzg9HeDLCcX4INxazi50qukOfPkvluJjm58RCJsDwaZseXrQGqyPzRKuBnAetJ4NDWbZMRkm6QpTiH8grPwDl6iNUSVivvzOZGl3Iy8LvNxUv6CYoQBG+R7d8dW//1xcoHtT2zYo3dYEFpSelfNMMLADNUKXSQmI="
 
 script:
 - admin/build.sh
diff --git a/admin/pubring.asc b/admin/pubring.asc
new file mode 100644
index 0000000..0c0ff30
--- /dev/null
+++ b/admin/pubring.asc
@@ -0,0 +1,18 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: BCPG v1.49 + +mQENBFSA7OUBCACJr0pqlTj37dACmNdB6i4IzxkJZCj+MdIfxHI0DxIEtFadpSd3 +qQgR42jv6AuxuSAEDJgFooRmMyBuNScjYTn/CCE68VVpsE8eVHOOytPJmRR0fmNu +6tDaH/rrYTOGOrPDs9OflkgX9Z53u+dymDCQulP08+VLJxxrzDeYNRtQucrWhMjh +xe6/9riLaUBEzsJXQRmLlUdumdySTjE8y7nJZK79EerzrLaIs0IjRukPRmbICaT8 +hJJf2uYvUjNIhHkwkpoFZGYHO/SKhFaJIAN6jjiwDrNglSHzIjOC7Ki8v6oi9P6I +ytmhEJO8Rd0Ui3UF5iNA70Pmaq7xhUniZlk1ABEBAAG0NnNjYWxhLWNvbnRpbnVh +dGlvbnMgPHNjYWxhLWludGVybmFsc0Bnb29nbGVncm91cHMuY29tPokBHAQTAQIA +BgUCVIDs5QAKCRBEBWr9V9a4yv9VB/kBayFLxJROabtv3rXqH0wePlsHXevOH8ny +GcVdZKDUredTJxXZiWIA0AvH+OsHdysNdHdwGm/xMZ6ckCayre4gzWSyfyhc2yUu +WcHm3vt1mlubJC2TpvijbmTWcjjpnHl/kIF1DhsSnhwSi8WpOjVy086MHaXh/g58 +7WnOxYqN+9Fob6BxBxbzbi0C3TQHOiu+OxtuJ85N/JZS7GhxgL1T+Rqq3zpt+3AE +b6yCkhxR4fdk1polZA1w7i6rBdObJWOdyGr/EmskrCTo2iW6p/IZoYthQG8HSTmd +UVOAWmPLrQWEekM2lyPi9Mj+wauGQj8Pg1k96Ac56Z5BlFo8dewi +=mUA6 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/admin/secring.asc.enc b/admin/secring.asc.enc new file mode 100644 index 0000000..80a5a89 --- /dev/null +++ b/admin/secring.asc.enc 
@@ -0,0 +1,40 @@ +U2FsdGVkX18WGZkch8VZQ/PaDceoo1emXzroz/OVoLdwCg3NprxvQYRGWZNjRJP9 +mQfCw7vR/Cf8muONU70FsPWBDj5dDeU7guqxa9M4hovXEIJRZNAYetMycwJo9dUi +4JUkMzlY62glDwU6GnmQFLHudSOZIsGiKn2NUZUA68UG05klncOfBtie2kUzR4wl +j3pDfP0Ws/vBQ7S5G0zIZ/JXdb/hgD1kIrq3GJHlTqQsWftXPcTxwOndLhxzHvB3 ++Exg3UH4kVI5JAEZVy+j1r5t2dawL9KwUJEAPLhmL4SmwMcphWLQfTnyo4atQD5N +bK6irbUBmL/MQJCG7agto5nkt1X724Z7cOu7+M022mYBtUq7CUDsCXyZjLo0Ee0q +DDE0nzBblTK6rkBR6oSCX0FM43csUUpr0UXgq3yEEyJ6O96IFqHgUwELlqm2DQRR +CYbtMv12Wo2ofwfkDHmUE6mooX5VguhsBku8s8RykpU+fqD7UXpJJyKTAxM0cOf/ +/pkrIuIAUSSM+B0Qd5/3ToshbwVTzpGroO7QsyTz7KRdJ//wq3ztAHWjw8Bt780+ +iLxnf4FPE3Yy2W0K7berFSAGVBvghnA0Ih0YiBgKjn8YitUDoPoShSQz6ynBfNsh +lhwv8FxSVQT9JWdesf8NXIaLoIBpDBxwNWnGOZ4S2wEmc1ZakxP1YaLQDbuxAbkW +Ux2uqqgt+CUhl+Ie17IjeDc6L7VsLzsGK5wxcksOwHOB/xZWeMPjfZtl4nySd974 +cNwvtlkoE+6wNgto7QOClYM/qL4+c1ozT5LGBLNMN/8Ek3SeRIfaPkwjeo52TgsO +cSoeeZyQzaoq/0VfZXmt5d7zz2PPrSh4iyD7JxBmF/suQ2Eelq39bj8eUIJTKztC +hC3Xl3q3m80RqmpXi/e6xVR7849f77yPg9wNEcnT8rnYqGH/exgWurt8AYJeI+Qv +UZuZFKa79wfyVjF5xjOZr8SQaNQqMfu0AXHc+8Gr1odXSDUWS+smhF0N34gzFNyk +redFS2rFRc9Ke2HbM7dkQ6B/g1e63OXNj6dYuOtaxSZB9xuyhwsMGOuWOqH5pAlj +F0BkGbBnJyHJHIb/UQnZC4FKcjqOILxxWK7g0Fw7Dy3zDSg2bwF3JVicfiotJ0ha ++G72hPElyjSEesowH8oM1DXrEWYzXV8dWMokdJVZi1pI/VApk4rnw3JdgPqeJWRp +xlG7jndSlaZdZyTW5aEBqVYFQFDQecaOkoT3Z0hZwwIeIDg9qJUzqMzTZdHtuZtf +6M8Y58lvU+MI6rbkFz7h3lECKrp0nrFQ5VGCWsLqihcwxWPLG4Aapn7CuNru+2WT +QYOR86PsVoYa0kcvPmizVdjNgxLbdzUftm8ATCfHJ+3NhYKvGlsJ6n7s8DrX+Ovb +pAEQ9lNhedTIw0JAIBEkOT6H7NvWVcWUu47bWrP5jGmGnlS+SSEXmQRa/x6RQbJZ +ic9MbcsbS9gS9Kl/MlbfcY6d6IDy3ZwXuxNq+Rtv807FDSFW50cDEeaQMDCu74+8 +mer30aLrpswNQ57zvfhU42SDzaB78oN5CO2yeYombdXizQszpO81xlvSrSJTVyoY +YXqBoNTHjFPa9brzHA5U7+Y2bnuSJNtlRSkBTgh+JfZD+g1pG/aMlV3R8u4I6KxN +COUtoyXfzXVuNuXlgF3TOOpgIzcoLz0pBwFX0oO15GEmgtTcwdWBLYy4AHqHYqsr +2xAB3uSAjPI7C4o71uBfG0nkFfLdG07eyrWUXhEfAtC1URlzseLNuaZiR6hZEd+/ +k1WpPIGcOLPD+6+P0TyxlCkaqXzx3JBKjWF9Ded3Jcd9n1VJ+SbHALyltn5Gw8bj +GJvsUx6EeTeUI0BXy8JKP/3vTqi1EDsi9lMeN4MZtT9FWpXTsqHFmgTOVRBrE3Qq 
+MN5JieyPDJK8UG8Wl0T/u5SxP2GS/W06MTlsYVeYHVvCKup9XKqv42RbKKqUp2Qr +dNCZkAyQlsTHZverMfH+82d23v5fXIcvYmvGp8BuONoodplmcqiAX2BCBiU9NiKX +dLRvMG2qha2G6oyCrPaW9AzB90VWV/N+S7Urdx8Ar2Y69KWFwJaLxhrg9d30wwhR +hiIheDZwFD24AEK7/ZESgpu8PlQbPDAo0IKJ6SyG3VDBqDO67G96uxEVQDTt/KHP +J4JXTNMc5Eeqm+sXe9tkHbxCYee+f4COnaUnnIAcKGwsaLh5yIv4RWYnr4uB+U2T +d2yx5FV6lDMiaFFEdGtHQ3aqqSKM8zG6yJ5mCnvD0faFpBDumIBwuA6tkUWwXumG +3c03KmCe5CP/d4lxpLYZa77iWb9VkOpcK6klVD9Vf0qxYaUYmq4LsfdM/+orSP1v +ed057Vl9znx6+X8YqRg5dAUqzbRA1iSFu10XSIg4u6VcW6v0/Hx38FoBz7x8A0tH +Hx6zRbwk21XLKRCTE0UaRFoEAinFWAUgXngJnwvRXcx9OwxG8kkKoL91N7OATfms +kNbt+JbWL34Hr2tU+c1ONA== diff --git a/sensitive.sbt.enc b/sensitive.sbt.enc new file mode 100644 index 0000000..208a22b --- /dev/null +++ b/sensitive.sbt.enc @@ -0,0 +1,7 @@ +U2FsdGVkX1/RzgC9HSTeYRach72pVgDYXGsBVYHXeN/c7MI6pgCepbl2lEPKvsb2 +ey3hPnQYiJ12b8Ho9NbjqquqexCwassjtqZvnKzle3fgpUr6F+WAETYOijKSC4Kb +pU9sJCYZMsjx6b7rLJ6selHWsCSMrogLnKRiHCOY1dnS8zRxN9JeGMT7n0BYipqS +y8o1wLkX49DWEF96+6OlypNqjismP+R7K8wZb4TU0tf/7swwzdhJDx+W1fkNFdxD +JdPUyDGBsY0wF61nxLiTBWK3/d/JIjpmsMukIrsKYL2/tatTlTo9SbcDecg59jNq +Gvjq0Bxb9HU9gri5bNpwWsSKH+S4NPVNopNiMdO7TcaD5Ni8ohzyJlx15YR+3kGj +4ypplC04s9iFNfFX3PfGew==