Skip to content

Commit

Permalink
Explicitly switch to Sonatype token authentication
Browse files Browse the repository at this point in the history
Token auth is now mandatory:

xerial/sbt-sonatype#464 (comment)

In January 2024, Sonatype started actively discouraging the legacy
username & password method of authentication, recommending token
authentication instead:

* https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests
* https://central.sonatype.org/publish/generate-token/

In this new scheme, the token is still split into a username/password
format, and both are randomised strings, making the username portion
a meaningful secret (ie one that can be revoked) and so worthy of being
treated as a secret.
  • Loading branch information
rtyley committed Jun 19, 2024
1 parent cccaa32 commit 10a173c
Show file tree
Hide file tree
Showing 3 changed files with 28 additions and 15 deletions.
15 changes: 6 additions & 9 deletions .github/workflows/reusable-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,14 +20,9 @@ on:
default: 'oss.sonatype.org' # The default host is going to be whatever "com.gu" is using
required: false # ...but if you're not the Guardian, you'll want to set this explicitly
type: string
SONATYPE_USERNAME:
description: 'Sonatype username'
default: 'guardian.automated.maven.release' # Only for use by the Guardian!
required: false # Must be supplied if used by a non-Guardian project
type: string
secrets:
SONATYPE_PASSWORD:
description: 'Password for the SONATYPE_USERNAME account - used to authenticate when uploading artifacts'
SONATYPE_TOKEN:
description: 'Sonatype authentication token, colon-separated (username:password) - https://central.sonatype.org/publish/generate-token/'
required: true
PGP_PRIVATE_KEY:
description:
Expand Down Expand Up @@ -416,9 +411,11 @@ jobs:
cache: sbt # the issue described in https://github.com/actions/setup-java/pull/564 doesn't affect this step (no version.sbt)
- name: Release
env:
SONATYPE_USERNAME: ${{ inputs.SONATYPE_USERNAME }}
SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
run: |
SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}" # See https://github.com/xerial/sbt-sonatype/pull/62
SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"
echo "Credential lengths... username=${#SONATYPE_USERNAME} password=${#SONATYPE_PASSWORD}"
sbt "sonatypeBundleRelease"
github-release:
Expand Down
26 changes: 21 additions & 5 deletions docs/credentials/generating-credentials.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,6 @@
Normally you'll be using [shared organisation-wide credentials](supplying-credentials.md),
but if you need to rotate those credentials, or just create some new ones for your organisation:

## Updating a Sonatype OSSRH user's password

See [Sonatype's instructions](https://central.sonatype.org/faq/ossrh-password/).

## Generating a new PGP key

See [Sonatype's instructions](https://central.sonatype.org/publish/requirements/gpg/#generating-a-key-pair) for
Expand All @@ -26,4 +22,24 @@ See [GitHub's instructions](https://docs.github.com/en/apps/creating-github-apps
release workflow, see [Setting up the GitHub App](github-app.md) first.

**Guardian developers:** Here's a direct link to our GitHub App settings page, where you can generate a new private key:
https://github.com/organizations/guardian/settings/apps/gu-scala-library-release
https://github.com/organizations/guardian/settings/apps/gu-scala-library-release

## Updating a Sonatype OSSRH Token username & password

As of [January 2024](https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests),
Sonatype is actively discouraging the legacy username & password method of authentication, recommending
[token authentication](https://central.sonatype.org/publish/generate-token/)
(see link for token-regenerating instructions).

Note these points:

* The token is in a colon:separated username/password format, and _both_ username & password are randomised & revocable
secret strings.
* Tokens generated on either https://oss.sonatype.org/ or https://s01.oss.sonatype.org/ will be _different_, and
**a token generated on one will not work on the other**. So, eg, if your `SONATYPE_CREDENTIAL_HOST` is `s01.oss.sonatype.org`,
you'll need to use a token _generated_ on `s01.oss.sonatype.org`. Remember that the `SONATYPE_CREDENTIAL_HOST` you
use is [dictated](https://github.com/xerial/sbt-sonatype/pull/461) by which Sonatype OSSRH server your **profile**
is hosted on.
**Guardian developers:** currently the Guardian's `com.gu` profile is hosted on `oss.sonatype.org`, so the token we
use must be generated [there](https://s01.oss.sonatype.org/), logged in with the `guardian.automated.maven.release`
account.
2 changes: 1 addition & 1 deletion docs/credentials/supplying-credentials.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ has _access_ to those secrets.
to grant repos access to the necessary Organisation secrets - you need to raise a PR (like [this example PR](https://github.com/guardian/github-secret-access/pull/24))
which will grant access to these:

* `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD`
* `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN`
* `AUTOMATED_MAVEN_RELEASE_PGP_SECRET`
* `AUTOMATED_MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY`

Expand Down

0 comments on commit 10a173c

Please sign in to comment.