From 49a54b673c6a06254c3c6f48e7c9125d972e9315 Mon Sep 17 00:00:00 2001 From: Jason Zaugg Date: Tue, 13 Jan 2015 16:14:51 +1000 Subject: [PATCH 1/2] Revert "Support tag driven releases" This reverts commit c5fa6780d0ddf72610637e5679c1484131bc1064. --- .travis.yml | 9 +-------- admin/build.sh | 19 ------------------- admin/decrypt.sh | 2 -- admin/encrypt.sh | 2 -- admin/encryptAll.sh | 19 ------------------- admin/gpg.sbt | 26 -------------------------- admin/pubring.asc | 18 ------------------ admin/secring.asc.enc | 40 ---------------------------------------- sensitive.sbt.enc | 7 ------- 9 files changed, 1 insertion(+), 141 deletions(-) delete mode 100755 admin/build.sh delete mode 100755 admin/decrypt.sh delete mode 100755 admin/encrypt.sh delete mode 100755 admin/encryptAll.sh delete mode 100644 admin/gpg.sbt delete mode 100644 admin/pubring.asc delete mode 100644 admin/secring.asc.enc delete mode 100644 sensitive.sbt.enc diff --git a/.travis.yml b/.travis.yml index b964f3c..7859a69 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,13 +1,6 @@ language: scala -env: - global: - - PUBLISH_JDK=oraclejdk8 # admin/build.sh only publishes when running on this jdk -# Don't commit sensitive files, instead commit a version encrypted with $SECRET, -# this environment variable is encrypted with this repo's private key and stored below: -# (See http://docs.travis-ci.com/user/environment-variables/#Secure-Variables.) - secure: "sGB53QddmPmQ4ftCGYxT0gaJcFt0bpMJoGxJRJCFTxdzg6nNMqJ9qDWbyJo7vDFx30axNQlyBH928pUiS5KfsmvzVdoVHUBEUJlF1lBurlpx06tGLuBdcFDwUF5ybi7SGRNdUPuX/6uLdgK5clpcW16/pcfT5Qr5vo/0mvPY85s=" script: - - admin/build.sh + - sbt ++$TRAVIS_SCALA_VERSION clean test publishLocal scala: - 2.10.4 - 2.11.4 diff --git a/admin/build.sh b/admin/build.sh deleted file mode 100755 index d9e2bce..0000000 --- a/admin/build.sh +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/bin/bash - -# prep environment for publish to sonatype staging if the HEAD commit is tagged - -# git on travis does not fetch tags, but we have TRAVIS_TAG -# headTag=$(git describe --exact-match ||:) - -if [ "$TRAVIS_JDK_VERSION" == "$PUBLISH_JDK" ] && [[ "$TRAVIS_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9-]+)? ]]; then - echo "Going to release from tag $TRAVIS_TAG!" - myVer=$(echo $TRAVIS_TAG | sed -e s/^v// | sed -e 's/_[0-9]*\.[0-9]*//') - publishVersion='set every version := "'$myVer'"' - extraTarget="publish-signed" - - cat admin/gpg.sbt >> project/plugins.sbt - admin/decrypt.sh sensitive.sbt - (cd admin/ && ./decrypt.sh secring.asc) -fi - -sbt ++$TRAVIS_SCALA_VERSION "$publishVersion" clean update test publishLocal $extraTarget diff --git a/admin/decrypt.sh b/admin/decrypt.sh deleted file mode 100755 index 3c3c602..0000000 --- a/admin/decrypt.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -openssl aes-256-cbc -pass "pass:$SECRET" -in $1.enc -out $1 -d -a \ No newline at end of file diff --git a/admin/encrypt.sh b/admin/encrypt.sh deleted file mode 100755 index 4bf6c93..0000000 --- a/admin/encrypt.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -openssl aes-256-cbc -pass "pass:$SECRET" -in $1 -out $1.enc -a \ No newline at end of file diff --git a/admin/encryptAll.sh b/admin/encryptAll.sh deleted file mode 100755 index de7016b..0000000 --- a/admin/encryptAll.sh +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/bin/bash - -# Based on https://gist.github.com/kzap/5819745: - -echo "This will encrypt the cleartext sensitive.sbt and admin/secring.asc, while making the encrypted versions available for decryption on Travis." -echo "Update your .travis.yml as directed, and delete the cleartext versions." -echo "Press enter to continue." -read - -# 1. create a secret, put it in an environment variable while encrypting files -- UNSET IT AFTER -export SECRET=$(cat /dev/urandom | head -c 10000 | openssl sha1) - -# 2. add the "secure: ..." line under the env section -- generate it with `` (install the travis gem first) -travis encrypt SECRET=$SECRET - -admin/encrypt.sh admin/secring.asc -admin/encrypt.sh sensitive.sbt - -echo "Remember to rm sensitive.sbt admin/secring.asc -- once you do, they cannot be recovered (except on Travis)!" \ No newline at end of file diff --git a/admin/gpg.sbt b/admin/gpg.sbt deleted file mode 100644 index 01157e6..0000000 --- a/admin/gpg.sbt +++ /dev/null @@ -1,26 +0,0 @@ - -addSbtPlugin("com.typesafe.sbt" % "sbt-pgp" % "0.8.3") // only added when publishing: - -// There's a companion sensitive.sbt, which was created like this: -// -// 1. in an sbt shell that has the sbt-pgp plugin, create pgp key in admin/: -// -// sbt -// set pgpReadOnly := false -// set pgpPublicRing := file("admin/pubring.asc") -// set pgpSecretRing := file("admin/secring.asc") -// pgp-cmd gen-key // use $passPhrase -// Please enter the name associated with the key: $repoName -// Please enter the email associated with the key: scala-internals@googlegroups.com -// Please enter the passphrase for the key: $passphrase -// -// 2. create sensitive.sbt with contents: -// -// pgpPassphrase := Some($passPhrase.toArray) -// -// pgpPublicRing := file("admin/pubring.asc") -// -// pgpSecretRing := file("admin/secring.asc") -// -// credentials += Credentials("Sonatype Nexus Repository Manager", "oss.sonatype.org", $sonaUser, $sonaPass) - 
diff --git a/admin/pubring.asc b/admin/pubring.asc deleted file mode 100644 index 4b56eca..0000000 --- a/admin/pubring.asc +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: BCPG v1.49 - -mQENBFSzVhYBCADp261YcgfWCNZ/IrSpvk1LaqnomeDjktUuCy3LD0WQ/B750vpV -gograxIWDfGK3TaHHdiRTV0OmfhhA6Dv/E8wFiHc1psn8mtaL+tQQcFHCLqBnTEe -/VQXZLrHoFsMSBRrFY0rHZGXtCS0DKIxSeqlba4RH9eS4Q35LzBjMBLKewBCwben -mDMOMxLgTS21xqe7OoyrcQGg3nFPLBMM8hgrqmVH9lYc5c2NuTMSHC4/wUozTwMm -SxmEQ1Ga2lEpVAcaJ6r7bz0+QwX62cMs57nkGuf3SP2D5/+igDkkoVb447wESHHG -s3BZw9ThblHXJOZ5Xb64fvQ3/vCjivLqZIepABEBAAG0NXNjYWxhLWphdmE4LWNv -bXBhdCA8c2NhbGEtaW50ZXJuYWxzQGdvb2dsZWdyb3Vwcy5jb20+iQEcBBMBAgAG -BQJUs1YWAAoJEF7zF/88US8Xdw4IAJmPcOka4Tc5s5eYAdwZuNOqUiuNO3/9+Za6 -tdGZQfQxUVN5PdgXhAGiKfRxrtSTjfzN+O/wiF/7NDqOQXBHNEx53Rzucq770WvL -G5hUwr8MJB577OIyU2CQquslva3h2LbOt8lEHplLy0tI00zm6ueJNmxq36C4Mu3h -l6QMs0zd29OqtUjWpkUNRnz+1HSdhRCPZNhX1bjhRaJARrhUtP24+g3wKgjg3H95 -yjPh4951r21w/x7msu+w0vSpdA7j/VJIzql6+2exh14YeLx9AFVDgvkJE6McHXX3 -ccr1eQ0FjYpWWUrBMXpS1Pz4SiwXEOOhs1xtsM7fHuikqhkXfHg= -=oZnQ ------END PGP PUBLIC KEY BLOCK----- diff --git a/admin/secring.asc.enc b/admin/secring.asc.enc deleted file mode 100644 index 1d7d32b..0000000 --- a/admin/secring.asc.enc +++ /dev/null 
@@ -1,40 +0,0 @@ -U2FsdGVkX1/DTFr0XPXF8oOHqDacn6gihvunVNWyqTWG2EXA5HNZn59hWeflnCXg -lW+dqKqUDhKrlLmLkOvmHKN4Fx/3T0L5xFWvB4P37YzLlxeApzqRcfIteK6j+1Eh -wib8bRZBRwQJw/Se4UhAaofiHQ4V+j76jIjlolatcBNKf9V8+ceG3iyer4fvBdnB -KnhNqG9rIEiDOcGMScqNuHZFcraJ+FZL/3/dNzfm/A/aB15kJ+ukQs6MyzLh/30+ -ttHBzLf3Hbd7j8AcIweNCbQ5/gOqen3PFxzM59OUUTJe7/JtNbFQBQEZFXH+U/cx -DY65izT3UkrUOJ02eNrYsDiTZdKz8VGEKQImiMeFkqX3LjGNHUGOe0rA33LW25dT -cXCNkWWegdXd3KkUPXUjPvABMAhnC+dU8nl4d87UUEVLZvB5wyOV9P5sFUcvvZaH -k7aHL/IYFqutlvCZ2NFjonFolaeVvf+p33A2UIswCa0zCZwR1rvtkL0irAApCQ5g -LCSP5t1LBP/F/O8AAAd5tm6t3XWoQs7POKv3MMEgFdQHKj6KXtMxpI5Il+WiXlKD -aEGY3AH5kia9UkjclHfbrPJS/NkDyINGw9KzZcr/CO29sgm3oxuy3wRhWp2Gbqi1 -eYccgYw4jJw2gmdTf7bOE9WzGqkq7B2/oP1FoS4KPJS5nj57kRjaJRW/0dkzdQVg -LwcnnTL+pJNGRXiN9rAj1fBXvtj3J/Hx19jKcRoXW6OdemSIJw7M2EpWMaXTRDP3 -iLIL00BnU584IwzAM7AXlio4dxRn+Y/U3czCaaCP22uJuFoJo8+ImjerYnU520qD -lIbFS1eNNA2YcWLMs9THCR8eDvYyjHdTtWU67RQluesFRwFhtiPwz9AOa8NJ0tvP -OnBEklN/o75cNYGlTdEfKBh9Q8Qy+j0ini8W7XkV9lXUNMScRngQ9xfASm19W5Ch -QOQWiqTmjz3kUlJ2KS1xD+GlFP/U+wk1vCdQy0gaheDjO15NvqfugFTCebMj2t9Z -RN5wxou+rJZ7RsOpst5UvS78CuIPGi5zbCXCR3NaQVGy1aQ8zLLHIYzmnd1/kLi5 -pZ0DfIsWlqq8kZmnXr6fHJN0QvrEAlMi+KAvdJvPjKEA+GLKcPNBp8BMWsBDEpwg -kNE6fCj/Hd5jvzHVK32JbB5jldml5Em3wqjuIRkATmF8x9jek3t+5OIeDxoaMeOz -GJU3VL2w+L5GKOdbcIyE0bPkdYaIo5XXs+DQNdceZorRtMk6NDh8fzkI6ePMxbk/ -s6/lIsgsX6niZUjHUtASYOGy/3c8Eh/MJmj0UXjhwmMADUaMalvhxU0HBF/5euoC -/lMje7QT2aIyQW18wC4ouSVJpYRAivPm3Qy1TbqnL/FxK8K1D7ympRM9kyGjwoCv -/35LU0XvQgzsd+f/VdcDRUWWx58Cel8sMHwybiJ7rROPBwdm42CL+fTfSfC9xufS -hrzzV/OApp8eHndwNEg3m5ndFZvq7CcWpJZnr9ParQNvy7AYxRjPGJc8wmoBgcND -a4tGLWLjKaVeZYsFHCIE/uPMqsuO1ROEkBeQc7yxKssW+cyCjEkTuFwrAI89ycgk -nzPWzJtc2vSyYKy5qlZkft1gX1S2icVxMFhppQtx7+LRn0gTPjIXCNtA1icMro58 -cY2Yc5sc0y5MdsPU+gS9lm1jOg2iEEhVv7v3PwLrNYy+XuBh3LxMy8Hwf2qCfFHE -CbWOIM1QMaJAN0NyoWhb6zuLewAj2G4L3fstPo0F/GmsQpV++6hIsaPlqunSx/sR -2BUGth2cAKFlNw25nLJp5xbUG/V8BPlLb+B8635R4ATQfQtXkVJDoG7eZ3J32Isu -nI21JFZOBkriTYcOWnt5KJVCl1TRh+OgXzeK54COVDMUa9L/oSqvRT0TUOEoYieI 
-w6Ji4KpxqIB3tz3QYN3hEooTg1XxN+QGS3l18GGg7fBFNzDD+Yz61co5WZocV6fh -4yZqHx8XHlh564b+x1jBE5sQ06axHJG0lYX/kesf6kwkYAZhCqLS7zBcxcDDmapc -nNCrUnYlunoSf6nt7AU0QlOre3a7CIaMvVivSbkMbheAHLEqRjww/U77va7oGeFv -ipLi1enMmre+ubjS+/VNpurN7e+qVj6RT1JcnTfyGM7/HIj97OGHEzc0YXoyKgKb -H15LZ2qTq1HjvIfVTZGDMv9m9LKW62DHhp0LTBawALQCZzfPaaI3JwBMgTvhFZcT -Cmv0re9DSpgunsX9N5t7bUQ6C/raChhu7UGUwrFkSOu00+3eYn30hqlCyAyR8QU6 -yA/Wxb+7eNZH5ZM5MCAWcCrgsv1IGOMBFB+4i9Ti/USkHapL4L2jdrJcvbhQjfKP -2ktZTg/Ji7RwqJ3wIJReTCd8N0cNI8H2zAtFST9Vgtwx9tVqluOd7Ldn2hUOhImz -64oMMZq+zS+Vquc+7xs/zpTeMN+2cFlRsye+Jrqac522suwPTw9g07gx+BM2cH98 -pCaY3ZBmWKT5lSx0yURiGg== diff --git a/sensitive.sbt.enc b/sensitive.sbt.enc deleted file mode 100644 index 90b6271..0000000 --- a/sensitive.sbt.enc +++ /dev/null @@ -1,7 +0,0 @@ -U2FsdGVkX18PW91o6/n5xLjlSIP+q3wKS3jHVWD5fbGyq6eu9milKZ3bl6i3YmQX -t6NiVtuFuJjix9pqlNgSc4SNInGnvI0kfyYTtcp0/CdZsKsmfUL5lRYxyOo2NIM5 -z/yXD7C9eU1ul48CXNgVOAC2F4w25bdI0iQzvUPRYG5gkiofdP7KL6n0yOlGnSJN -M0KhTrqCLcqVG4cRBZ9Q3+Rip8Lr/F00NSBUcSyL06kag/Zd/iCf3xm76eX/WN59 -Wofi5p+nvPqYSCJc+e/8Dx+aiyj0m2aeXYzwiYDdUQlBGUk8f2+CPy1NlEPGMuET -6p2zc60YT/ohUp1YUGxbvIlZ7S1FzMmiJvpT1VcnouIAYAOVGHqW0ClbPmmXiTkW -W/cGjYYDKiZNQ+8qXhfrF7rxJYiJ8LPMioh5mnzlBSk= From 4a6cfc97cd95227b86650410e1b632e5ff79335b Mon Sep 17 00:00:00 2001 
From: Jason Zaugg Date: Tue, 13 Jan 2015 16:21:06 +1000 Subject: [PATCH 2/2] Rework tag driven release infrastructure The previous approach of encrypting sensitive.sbt was prone to leaking passwords to the build log if SBT were to report an error on a line of code containing a secret. The commit now switches to encrypting the PGP passphrase and Sonatype credentials as environment variables. The private key is still encrypted on disk as it is too large, but now that we only need to encrypt a single file we can revert to using the built in `encrypt-file` command in the Travis CI command line tool. --- .travis.yml | 11 ++++++- admin/README.md | 58 +++++++++++++++++++++++++++++++++++++ admin/build.sh | 23 +++++++++++++++ admin/encryptEnvVars.sh | 11 +++++++ admin/genKeyPair.sh | 40 +++++++++++++++++++++++++ admin/gpg.sbt | 2 ++ admin/publish-settings.sbt | 7 +++++ admin/pubring.asc | 18 ++++++++++++ admin/secring.asc.enc | Bin 0 -> 1872 bytes 9 files changed, 169 insertions(+), 1 deletion(-) create mode 100644 admin/README.md create mode 100755 admin/build.sh create mode 100755 admin/encryptEnvVars.sh create mode 100755 admin/genKeyPair.sh create mode 100644 admin/gpg.sbt create mode 100644 admin/publish-settings.sbt create mode 100644 admin/pubring.asc create mode 100644 admin/secring.asc.enc diff --git a/.travis.yml b/.travis.yml index 7859a69..aa17538 100644 --- a/.travis.yml +++ b/.travis.yml
@@ -1,6 +1,15 @@ language: scala +env: + global: + - PUBLISH_JDK=oraclejdk8 + # PGP_PASSPHRASE + - secure: "BzgzRZLYa52rS/hBfzf43b++CfDhdcd3Mmu8tsyBHgThSQOd2YBLbV5kWD8aYVFKVHfW7XX0PTe3F+rR/fFZqGItE6o8Px0Y7Vzb5pqjlaQdxFEJ+WrsnshS0xuAKZ7OwVHRp+d+jznaCwRxEo2vpW3ko1OPAJ8cxfhVL/4C1I0=" + # SONA_USER + - secure: "lx2qFeFxh9AFmyHR7hH4Qf9flIEx8VgYj6ebzuxp1cc1ZZiXHC1256x0bHFDUH9bhJACOazOrco/+v6MBAriBkWxLBc98FrC6OkVeQMFW2ffWSBuHRclilKsQA/Lsgc81Wg+WV105hOqUNAkTXgroblInNt+KS+DhC/8FVoh9ZY=" + # SONA_PASS + - secure: "FZC+FZnBNeklA150vW5QDZJ5J7t+DExJrgyXWM46Wh0MobjH8cvydgC3qatItb0rDBV8l7zO1LDwl2KEi92aefw2a8E49z6qVOHgUXiI3SAx7M0UO0FFeKPmTXCLcBlbnGLcUqNjIZfuIEufQvPblKTl8qN4eMmcMn9jsNzJr28=" script: - - sbt ++$TRAVIS_SCALA_VERSION clean test publishLocal + - admin/build.sh scala: - 2.10.4 - 2.11.4 diff --git a/admin/README.md b/admin/README.md new file mode 100644 index 0000000..addabae --- /dev/null +++ b/admin/README.md 
@@ -0,0 +1,58 @@
+## Tag Driven Releasing
+
+### Background Reading
+
+ - http://docs.travis-ci.com/user/environment-variables/
+ - http://docs.travis-ci.com/user/encryption-keys/
+ - http://docs.travis-ci.com/user/encrypting-files/
+
+### Initial setup for the repository
+
+To configure tag driven releases from Travis CI.
+
+ 1. Generate a key pair for this repository with `./admin/genKeyPair.sh`.
+ Edit `.travis.yml` and `admin/build.sh` as prompted.
+ 2. Publish the public key to https://pgp.mit.edu
+ 3. Store other secrets as encrypted environment variables with `admin/encryptEnvVars.sh`.
+ Edit `.travis.yml` as prompted.
+ 4. Edit `.travis.yml` to use `./admin/build.sh` as the build script,
+ and edit that script to use the tasks required for this project.
+ 5. Edit `.travis.yml` to select which JDK will be used for publishing.
+
+It is important to add comments in .travis.yml to identify the name
+of each environment variable encoded in a `:secure` section.
+
+After all of these steps, your .travis.yml should contain config of the
+form:
+
+ language: scala
+ env:
+ global:
+ - PUBLISH_JDK=openjdk6
+ # PGP_PASSPHRASE
+ - secure: "XXXXXX"
+ # SONA_USER
+ - secure: "XXXXXX"
+ # SONA_PASS
+ - secure: "XXXXXX"
+ script:
+ - admin/build.sh
+
+If Sonatype credentials change in the future, step 3 can be repeated
+without generating a new key.
+
+### Testing
+
+ 1. Follow the release process below to create a dummy release (e.g. 0.1.0-TEST1).
+ Confirm that the release was staged to Sonatype but do not release it to Maven
+ central. Instead, drop the staging repository.
+
+### Performing a release
+
+ 1. Create a GitHub "Release" (with a corresponding tag) via the GitHub
+ web interface.
+ 2. Travis CI will schedule a build for this release. Review the build logs.
+ 3. Log into https://oss.sonatype.org/ and identify the staging repository.
+ 4. Sanity check its contents
+ 5. Release staging repository to Maven and send out release announcement.
+
diff --git a/admin/build.sh b/admin/build.sh
new file mode 100755
index 0000000..2ce0f4b
--- /dev/null
+++ b/admin/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# prep environment for publish to sonatype staging if the HEAD commit is tagged
+
+# git on travis does not fetch tags, but we have TRAVIS_TAG
+# headTag=$(git describe --exact-match ||:)
+
+if [ "$TRAVIS_JDK_VERSION" == "$PUBLISH_JDK" ] && [[ "$TRAVIS_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9-]+)? ]]; then
+ echo "Going to release from tag $TRAVIS_TAG!"
+ myVer=$(echo $TRAVIS_TAG | sed -e s/^v// | sed -e 's/_[0-9]*\.[0-9]*//')
+ publishVersion='set every version := "'$myVer'"'
+ extraTarget="publish-signed"
+ cat admin/gpg.sbt >> project/plugins.sbt
+ cp admin/publish-settings.sbt .
+
+ # Copied from the output of genKeyPair.sh
+ K=$encrypted_1ce132863fa7_key
+ IV=$encrypted_1ce132863fa7_iv
+
+ aes-256-cbc -K $K -iv $IV -in admin/secring.asc.enc -out admin/secring.asc -d
+fi
+
+sbt ++$TRAVIS_SCALA_VERSION "$publishVersion" clean update test publishLocal $extraTarget
diff --git a/admin/encryptEnvVars.sh b/admin/encryptEnvVars.sh
new file mode 100755
index 0000000..b625667
--- /dev/null
+++ b/admin/encryptEnvVars.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+#
+# Encrypt sonatype credentials so that they can be
+# decrypted in trusted builds on Travis CI.
+#
+set -e
+
+read -s -p 'SONA_USER: ' SONA_USER
+travis encrypt SONA_USER="$SONA_USER"
+read -s -p 'SONA_PASS: ' SONA_PASS
+travis encrypt SONA_PASS="$SONA_PASS"
diff --git a/admin/genKeyPair.sh b/admin/genKeyPair.sh
new file mode 100755
index 0000000..11f7a1e
--- /dev/null
+++ b/admin/genKeyPair.sh
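Review bot: The decrypt step in admin/build.sh calls `aes-256-cbc` as if it were a command of its own; the line that `travis encrypt-file` prints begins with `openssl`, so unless the build image ships a standalone binary of that name the key is never decrypted: `openssl aes-256-cbc -K "$K" -iv "$IV" -in admin/secring.asc.enc -out admin/secring.asc -d`. The script has no `set -e`, so that failure does not stop the job and sbt still goes on to `publish-signed` without a secret ring. Separately, the tag pattern has no end anchor, so any text after a matching prefix is accepted and then spliced into the sbt command `set every version := "..."` in a job that holds the signing secrets. Ending the pattern with `$`, as in `(-[A-Za-z0-9-]+)?$ ]]`, restricts releases to the intended version shapes.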
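Review bot: Both prompts in admin/encryptEnvVars.sh use `read -s -p` without `-r`, so a backslash typed in a credential is consumed as an escape character and the value that gets encrypted differs from the real one; `read -r -s -p 'SONA_PASS: ' SONA_PASS` keeps the input literal. The `PGP_PASSPHRASE` prompt at the end of admin/genKeyPair.sh has the same form. The secret is also handed to `travis encrypt` as a command-line argument, where other local users can see it in the process list while the command runs, so the script is best run on a single-user machine.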
@@ -0,0 +1,40 @@
+#!/bin/bash
+#
+# Generates a key pair for this repository to sign artifacts.
+# Encrypt the private key and its passphrase in trusted builds
+# on Travis CI.
+#
+set -e
+
+# Based on https://gist.github.com/kzap/5819745:
+function promptDelete() {
+ if [[ -f "$1" ]]; then
+ echo About to delete $1, Enter for okay / CTRL-C to cancel
+ read
+ rm "$1"
+ fi
+}
+for f in admin/secring.asc.enc admin/secring.asc admin/pubring.asc; do promptDelete "$f"; done
+
+echo Generating key pair. Please enter 1. repo name 2. scala-internals@googlegroups.com, 3. a new passphrase
+cp admin/gpg.sbt project
+sbt 'set pgpReadOnly := false' \
+ 'set pgpPublicRing := file("admin/pubring.asc")' \
+ 'set pgpSecretRing := file("admin/secring.asc")' \
+ 'pgp-cmd gen-key'
+rm project/gpg.sbt
+
+echo ============================================================================================
+echo Encrypting admin/secring.asc. Update K and IV variables in admin/build.sh accordingly.
+echo ============================================================================================
+travis encrypt-file admin/secring.asc
+rm admin/secring.asc
+mv secring.asc.enc admin
+
+echo ============================================================================================
+echo Encrypting environment variables. Add each to a line in .travis.yml. Include a comment
+echo with the name of the corresponding variable
+echo ============================================================================================
+read -s -p 'PGP_PASSPHRASE: ' PGP_PASSPHRASE
+travis encrypt PGP_PASSPHRASE="$PGP_PASSPHRASE"
+
diff --git a/admin/gpg.sbt b/admin/gpg.sbt
new file mode 100644
index 0000000..d60e366
--- /dev/null
+++ b/admin/gpg.sbt
@@ -0,0 +1,2 @@
+
+addSbtPlugin("com.typesafe.sbt" % "sbt-pgp" % "0.8.3") // only added when publishing:
diff --git a/admin/publish-settings.sbt b/admin/publish-settings.sbt
new file mode 100644
index 0000000..21aa4f2
--- /dev/null
+++ b/admin/publish-settings.sbt
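Review bot: The cleartext private key admin/secring.asc is left on disk whenever a step between `pgp-cmd gen-key` and `rm admin/secring.asc` fails, because `set -e` ends the script before the `rm` runs; the copied project/gpg.sbt is left behind the same way if sbt fails. A cleanup trap covers both cases: `trap 'rm -f admin/secring.asc project/gpg.sbt' EXIT`. It should be installed after the `promptDelete` loop, just before `cp admin/gpg.sbt project`, so that cancelling a prompt with CTRL-C does not delete an existing key the user chose to keep. Nothing in this patch shows admin/secring.asc being ignored by git, so a .gitignore entry for it would also guard against committing the key after an aborted run.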
@@ -0,0 +1,7 @@
+pgpPassphrase := Some(sys.prop("PGP_PASSPHRASE").toArray)
+
+pgpPublicRing := file("admin/pubring.asc")
+
+pgpSecretRing := file("admin/secring.asc")
+
+credentials += Credentials("Sonatype Nexus Repository Manager", "oss.sonatype.org", sys.prop("SONA_USER"), sys.prop("SONA_PASS"))
diff --git a/admin/pubring.asc b/admin/pubring.asc
new file mode 100644
index 0000000..5d5dd87
--- /dev/null
+++ b/admin/pubring.asc
@@ -0,0 +1,18 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: BCPG v1.49 + +mQENBFS1xA0BCAC0t2c5MhkWyUbkWsZM4DmIN+/pDjNCr2DNmbIG3gB8i4MI71q/ +fj+Ob0lemjJNnNc4ii6+s9RrOcwR1EU4IA8mO79NN+i2yVUhe0LmOWgyfXvG8Qpg +hLmdMrkgOHK0hpWbXJ0i2NGPch4gI6YRJF95yLojz2KENmiYGmSD8p1It06O2824 +Xhqc5Cm72/qXvonHP1+MugjiPxmyZN3ajSol0P7tZlgB7ikqpyL3kZXkc162bJ+H +U6y6qUCcQqS5VQ7Fv9bIbTNOjN4ELLJn2ffLVe3ujRG6seioL0MfuQ/gV9IpGcGO +Dew8Xu79QdDyVHQKgDy9N/J276JZ4j9nYCCxABEBAAG0NXNjYWxhLWphdmE4LWNv +bXBhdCA8c2NhbGEtaW50ZXJuYWxzQGdvb2dsZWdyb3Vwcy5jb20+iQEcBBMBAgAG +BQJUtcQNAAoJEGQWNEmlKase8pAH/Rb45Px88u7DDT53DU68zh84oDZLv9i46g7g +16KI97nz17F9OEHdkzNEUA3EgCD1d2k+c/GIdQKg3avVdpNM7krK5SSNgHKcwe/F +0YGMxvh+LgeK1JDuXFbwLJKR+7VIGVKkjw+Z2TC8hZfnD6Qy6c4xkukoBs6yfWQO +tf8gSH6oQox4UIOB/+ADyypl9mnRxgdi1uPvd6UJnL/n9UDE8v1k+8WzO34nTVZr +xWN28pAun5VpLuEq4GAr2JRfRiF+N0hGuS+htiU6hnO81BBK+NusWxI9Aitu8Zyh +eulWpROXvUOw1eJequutgyGwEEQkRi+Yu+2eSM2/EPCWiLXkODk= +=Qro7 +-----END PGP PUBLIC KEY BLOCK-----
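Review bot: `sys.prop(...)` in admin/publish-settings.sbt does not look like a member of `scala.sys`, which offers `sys.props` for JVM system properties and `sys.env` for environment variables, so this file is unlikely to compile once build.sh copies it into the project root. Travis exports the decrypted `secure` values as environment variables, so `sys.env` is the matching source: `pgpPassphrase := sys.env.get("PGP_PASSPHRASE").map(_.toArray)`, with `sys.env("SONA_USER")` and `sys.env("SONA_PASS")` in the `Credentials(...)` call. Using `.get` for the passphrase also avoids an exception when the variable is absent, for example in a build that is not given the secure variables.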
diff --git a/admin/secring.asc.enc b/admin/secring.asc.enc new file mode 100644 index 0000000000000000000000000000000000000000..bc600f9c5570b1643d7bb99b76e206b99c77901e GIT binary patch literal 1872 zcmV-W2e0_dw!pO7Xu$O+KRZibW}N;fRS+~U^U<)JYdp|s za#k#}E78?%vHvQ`o;LTKuznmHgPJY;Tfr^Kqo5Q1^J=>NpI9Q!Zr`|`Ey@rPcR(`X znG88HFK_+VfGwV!Nz(qw!OM}4SL!%So4}q}u@P=-DpkJj(`Uu!;!#+rc+=$HCo)&6 zdzuxtfwjkcN#%ee?xndT#^d5Fkdop_!UU;oJOY3^>phbtr}kUn zfstYauNuVRT)IPHHr~I0JHkwcc*_nu{5#tcWk^DB71hwt9H}s$2=34RvU1bJyzhRJ zkfES!dUVVdd;q65iXw~Yj;>DvA_|Vly$_r;IUjkpST>mrWK1BwqqwC3F^dhOGCeXK z**1LpiuPqaR4%O4a=uaQ{XwsGlE{^Z0vQyFQ7qLDAGK%wZi(m_;rb{JJbF=j@11-0 zQ;z;DS)2n z86r=doGOQ&Bk;}g0B_DW*XY|5-QAck!wnFvKDN*lzZHzB<~th<-mbH-C}d3PD=d)k zUtVw0p_v}Dq7x%;0B_T>oFQw_Us1>;xNB$sl}bk zU9HN7Qy3R;RuJp-e* zxk5jrCZ9Z<*i%oGEUZ;v(6+N-xK&_^Twc|HWLG{&e-d|Haa8?`wnvi06;@^dPu0Q3 z%N1@)T8P?2xPDnD_Kn*EJkhv^Hs_K_``v_cGMJ`yl zFN%jxS>Y7|lD!7%kO!bagC3q=i6r-I+O`p@zjE=#h!^BAII7C0H5ai5&>7N}^fAsc zvEtLvWfTh|rI&0!#MyCKK7R652P<$MXZ7s7!!r2lL8+Ap{Vnz(d67vG^xk%rZCa;P z0U`HmdO@JJpCni9xawICL0M>L8=A1g+D9VWmA z6Hv=#C*I22-7@Dl-VbLfC561mJkTyA&F+7fAGfZA8SKD3%W9jFZcD&Z;SQG6iC#of z)Cd^Cj-dPJ#ITfeS2_cu6q%h~`#(was8{{BW+~dROWo=e#?a^JJo}b(mtj(kR?tPh zq%k+3v7C-I-F|l-_(grXH);$6D`<-4%R?>4kuOG_Zm_xvFp1SHuyzv< z&T?CK!Bqjn8o&lojTOSw@OmkD-@w6#2(<#+Uknv0R|Qwx(4C7W}#b6PpjE??3?WC`l9*=v>)+|U%3lMdmab4L<$ zm>uQ!#9_`BN8cOSkazpu1tcj*0?e-?T+jNZTm0Thk&q#QRzj0~t zjy|%ugVvp-aXzx{A=2(H2-q>RU-MRbIn`a~|1eU1;6O-F7*9Q4Z4Z)f>IH3sjVi=f za$*9ceuqA;mlO>7OX7QQc1#dzn5&r8OKQhFIv0X-rkg-~Xsab^D`^>q+1kn1;1;#H zvYI?WYYBLq+Y)v8&w3VffLq;pzjsNExCPTboSDd5RSUzodD@78=qfiWbA+*?Y`osq z>?G@k$T-^Gpezcd)v6)ZgVd44Gu(YAIOrrNb*n{&Kr#>8Zc3FZbi-2{S!KF4>3P-U-7WozKa_PTwRkpOhW3{9N&0~nYo|;<_upYs;aGqMBSW$+bzBTgpVupj=9r++saNW2`m;8L6ThI5{{aYtWi_>1tnmwE2y KmJ}*KnDT;JlCO3E literal 0 HcmV?d00001