diff --git a/.github/workflows/maven_central_release.yml b/.github/workflows/maven_central_release.yml
index 1b5d0d10..bc29a686 100644
--- a/.github/workflows/maven_central_release.yml
+++ b/.github/workflows/maven_central_release.yml
@@ -507,12 +507,30 @@ jobs:
 fi
 done
 
+ - name: Validate release GitHub App private key
+ env:
+ RAW_PRIVATE_KEY: ${{ secrets.MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY }}
+ run: |
+ private_key="${RAW_PRIVATE_KEY//$'\r'/}"
+ private_key="${private_key//\\n/$'\n'}"
+
+ if [[ "${private_key}" != *"-----BEGIN PRIVATE KEY-----"* && "${private_key}" != *"-----BEGIN RSA PRIVATE KEY-----"* ]]; then
+ echo "::error::MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY must be the GitHub App private key PEM, including BEGIN/END lines. Do not use the app client secret or webhook secret."
+ exit 1
+ fi
+ if ! printf '%s\n' "${private_key}" | openssl pkey -noout >/dev/null 2>&1; then
+ echo "::error::MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY is present but is not a parseable PEM private key."
+ exit 1
+ fi
+
 - name: Create release GitHub App token
 id: release-app-token
 uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 with:
 client-id: ${{ vars.MAVEN_RELEASE_GITHUB_APP_CLIENT_ID }}
 private-key: ${{ secrets.MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: ${{ github.event.repository.name }}
 permission-contents: write
 
 - name: Check out release source
@@ -773,7 +791,7 @@ jobs:
 exit 0
 fi
 
- git commit -am "Bump version to ${NEXT_DEVELOPMENT_VERSION}"
+ git commit -am "build: ${NEXT_DEVELOPMENT_VERSION}"
 # Plain --force: this branch is a throwaway owned solely by this workflow,
 # and the job never fetches it, so --force-with-lease has no lease ref and
 # would be rejected ("stale info") when the branch already exists.
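Review bot: The value this step validates is not the value the token step consumes: the `run` block strips CRs and expands literal `\n` into `private_key`, while `private-key:` in the following step still receives the raw `secrets.MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY`. The action documents replacing escaped `\n` itself, but I am not aware of it stripping `\r`, so a CRLF-pasted key can pass here and still fail downstream with the `Invalid keyData` error this check is meant to pre-empt; either make the check mirror exactly what the action does (drop the `$'\r'` substitution so CRLF input is caught by the `openssl` parse) or reject it explicitly with `if [[ "${RAW_PRIVATE_KEY}" == *$'\r'* ]]; then echo "::error::MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY contains carriage returns; paste it with LF line endings."; exit 1; fi`. Separately, `repositories: ${{ github.event.repository.name }}` evaluates to empty for triggers whose payload carries no `repository` object (e.g. `schedule`), and with `owner` set the action then scopes the token to every repository in the installation instead of failing closed — worth confirming against this workflow's `on:` block, which is outside the hunk. Nothing in the step prints `private_key`, and that should stay so: the expanded value no longer matches the secret string GitHub masks, so a future `set -x` or debug `echo` would leak it into the log.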
@@ -784,7 +802,7 @@ jobs:
 gh pr create \
 --base "${SOURCE_REF}" \
 --head "${branch}" \
- --title "Bump version to ${NEXT_DEVELOPMENT_VERSION}" \
+ --title "build: ${NEXT_DEVELOPMENT_VERSION}" \
 --body "Post-release housekeeping after publishing questdb-client ${RELEASE_VERSION}. Merge before the next release."
 else
 echo "A bump PR for ${branch} already exists."
diff --git a/artifacts/release/README.md b/artifacts/release/README.md
index 931079ec..ea5dd5c2 100644
--- a/artifacts/release/README.md
+++ b/artifacts/release/README.md
@@ -22,11 +22,17 @@ actor** on the ruleset (Organization settings -> Rules -> `restrict-tag-pushing`
 Store the app credentials for the workflow:
 
 - repository variable `MAVEN_RELEASE_GITHUB_APP_CLIENT_ID`: the app's client ID
-- `maven-release` environment secret `MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY`: a private key for the app
+- `maven-release` environment secret `MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY`: a GitHub App private key for the app,
+ generated from the app's settings page
 
 The branch ruleset on `main` is intentionally **not** bypassed. The next-development snapshot bump lands as an ordinary pull request, so `main` keeps its "PR-only, squash, one approval" protection.
 
+`MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY` must be the PEM private key downloaded from the GitHub App's **Private keys**
+section, including the `BEGIN`/`END` lines. Do not use the app client secret or webhook secret. The workflow accepts the
+key pasted as a raw multi-line PEM or as a PEM with literal `\n` line separators; it validates the key before calling
+`actions/create-github-app-token` so setup failures point at the secret instead of surfacing as `Invalid keyData`.
+
 The AWS secret referenced by `MAVEN_RELEASE_AWS_SECRET_ARN` must expose these JSON keys (they become environment variables of the same name): `MAVEN_GPG_PRIVATE_KEY`, `MAVEN_CENTRAL_USERNAME`, `MAVEN_CENTRAL_PASSWORD`, and optionally `MAVEN_GPG_PASSPHRASE` (omit or leave empty for a passphrase-less signing key).