Add GPG signing key preflight checks to CI pipeline#306
Merged
Conversation
Adds the standalone `verify-signing-key` job to publish.yml, byte-identical to the other sibling repos. It reproduces what maven-gpg-plugin does at deploy time (import key, check expiry + signing capability, passphrase unlock + sign/verify roundtrip) so a bad/expired key or wrong passphrase is caught in ~20s instead of failing the publish stage. - No `needs:` — runs in parallel at pipeline start on every trigger. - `environment: maven-central` — reads the SAME GPG_PRIVATE_KEY / GPG_PASSPHRASE secret the publish jobs use; on refs where the secret is not delivered (fork PRs, other branches) it goes red by design. - Prints only PUBLIC key metadata; passphrase on fd 3 (never argv/logs), `set -x` never enabled, passphrase `::add-mask::`ed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018pwn51YPBbtiuUyiLRrfrG
Adds `verify-signing-key-gradle`, a second standalone preflight job that tests the Gradle `signing` + `useInMemoryPgpKeys` (BouncyCastle) path — the one the `llama-android` AAR publish uses, and the exact path that failed with a null PGPPrivateKey. The sibling `verify-signing-key` job covers the gpg/maven-gpg-plugin path (shared across all repos); this covers the path gpg cannot exercise (BouncyCastle is stricter at parsing the armored key). It signs a throwaway Zip through a 6-line Gradle project that mirrors llama-android/build.gradle.kts (same MAVEN_GPG_PRIVATE_KEY/MAVEN_GPG_PASSPHRASE env, same useInMemoryPgpKeys call), on the same Gradle 8.14.3 the AAR uses. - No `needs:`, parallel at pipeline start; environment: maven-central. - Prints no secret material: key/passphrase reach Gradle only via env, `set -x` never enabled, passphrase `::add-mask::`ed, Gradle runs --stacktrace only. Asserts only the produced .asc (exit code). - Red-by-design where the secret is not delivered, same as the gpg job. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018pwn51YPBbtiuUyiLRrfrG
|
This was referenced Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Summary
verify-signing-keyandverify-signing-key-gradle) that validate GPG signing keys and passphrases before the publish stageverify-signing-keyjob tests thegpgCLI path (used by maven-gpg-plugin) by importing the key, checking expiration, verifying signing capability, and performing a sign/verify roundtripverify-signing-key-gradlejob tests the Gradle/BouncyCastle path (used by the llama-android AAR publish) by attempting to sign a throwaway artifact viauseInMemoryPgpKeysmaven-centralenvironment, and are designed to fail gracefully (red-by-design) on refs where secrets are not delivered (fork PRs, contributor branches)Test plan
maven-centralenvironment secret is not delivered) — this is the intended signal that the ref cannot sign a releaseRelated issues / PRs
Checklist
CONTRIBUTING.mdandCODE_OF_CONDUCT.mdhttps://claude.ai/code/session_018pwn51YPBbtiuUyiLRrfrG