Document both file-based and in-memory GPG signing for publishing #9

perNyfelt merged 3 commits into security_dependencies from
…ISHING.md Co-authored-by: perNyfelt <13261538+perNyfelt@users.noreply.github.com>
Pull request overview
This PR enhances the PUBLISHING.md documentation by clearly differentiating between file-based and in-memory GPG signing approaches, addressing previous inconsistencies in the documentation. The changes provide comprehensive guidance for both local development (file-based) and CI/CD environments (in-memory signing).
Key Changes:
- Split GPG Key Setup into file-based (traditional) and in-memory (CI/CD) subsections with specific export instructions for each
- Restructured environment variable configuration with clear examples for both in-memory and file-based approaches
- Enhanced CI/CD section to explicitly recommend in-memory signing and clarify required GitHub secrets
> Use this approach for local development:
>
> # Export your secret key ring (legacy approach for GPG < 2.1)
Missing opening code fence. The code block needs to start with three backticks (```) before the bash commands to properly format the code block.
> export ORG_GRADLE_PROJECT_signingKey="$(cat private-key.asc)"
> ```
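Review bot: the `export ORG_GRADLE_PROJECT_signingKey="$(cat private-key.asc)"` line places the complete armored private key in the shell environment, where every child process started from that shell inherits it; since this block is presented for local development, suggest scoping the variable to the single publish invocation (`ORG_GRADLE_PROJECT_signingKey="$(cat private-key.asc)" ./gradlew publish`) or adding an `unset ORG_GRADLE_PROJECT_signingKey` after publishing.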
> Alternatively, for file-based signing in CI/CD:
The section title "Alternatively, for file-based signing in CI/CD:" is misleading. Looking at lines 114-118, this section actually shows the in-memory signing approach (using signingKey with GPG_PRIVATE_KEY_SECRET), not file-based signing. The only file-based option shown is the "Alternative" on line 123 which uses signingSecretKeyRingFile. Consider revising this section title to accurately reflect that it shows an alternative way to provide the in-memory key (from a secret variable) versus the recommended approach on line 108 which reads from a file.
> run: ./gradlew publish
> ```
>
> **Note:** The `signingKey` property uses the in-memory approach, which avoids creating temporary key files on CI runners. The base64-encoded key from `GPG_SIGNING_KEY` is decoded automatically by Gradle.
The statement "The base64-encoded key from GPG_SIGNING_KEY is decoded automatically by Gradle" is inaccurate. According to the earlier documentation (line 234), GPG_SIGNING_KEY should contain the ASCII-armored private key from "gpg --armor --export-secret-keys", not a base64-encoded key. ASCII-armored format is already a base64-like encoding but in PGP's specific format. Gradle's signing plugin expects the ASCII-armored format directly, not an additional base64 encoding. This note should be corrected to avoid confusion about the expected key format.
The PUBLISHING.md documentation showed inconsistency between GPG Key Setup (file-based `secretKeyRingFile`) and CI/CD Integration (in-memory `signingKey`).

Changes

Both approaches now documented with clear use cases:
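As an added example (not part of this PR or of the project's own build files), a `build.gradle.kts` fragment that wires up the two approaches the description contrasts: it prefers the in-memory `signingKey`/`signingPassword` project properties when they are set and otherwise lets the plugin use the file-based keyring properties; the format check reflects the review comment above about ASCII-armored versus base64-wrapped input. Property and file names follow Gradle's signing plugin conventions; the fallback comment describes the plugin's documented behaviour, not anything this project adds.

```kotlin
// build.gradle.kts fragment (added example, not the project's own build file)
plugins {
    `maven-publish`
    signing
}

signing {
    // In-memory path (CI/CD): Gradle exposes ORG_GRADLE_PROJECT_signingKey and
    // ORG_GRADLE_PROJECT_signingPassword from the environment as project properties.
    val signingKey: String? by project
    val signingPassword: String? by project

    // Copy into a plain local so the null check can be smart-cast
    // (delegated properties cannot be smart-cast directly).
    val armoredKey = signingKey
    if (armoredKey != null) {
        // The plugin expects the ASCII-armored block written by
        // `gpg --armor --export-secret-keys`, not an extra base64 layer around it.
        require(armoredKey.trimStart().startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----")) {
            "signingKey must be an ASCII-armored PGP private key block; " +
                "decode any base64 wrapper before passing it to Gradle"
        }
        useInMemoryPgpKeys(armoredKey, signingPassword)
    }
    // File-based path (local development): when signingKey is absent the plugin
    // falls back to signing.keyId, signing.password and signing.secretKeyRingFile,
    // normally kept in ~/.gradle/gradle.properties, so nothing else is configured here.

    sign(publishing.publications)
}
```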