fix(security): close 3 low-severity account/side-channel findings #5
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tag Release to Maven Central | |
| # Triggered when a `vX.Y.Z` (or `vX.Y.Z-suffix`) tag is pushed. Builds, signs, and uploads every | |
| # pk-auth library module to Sonatype Central Portal in a single aggregated bundle, then creates a | |
| # matching GitHub release with the per-module jars attached. | |
| # | |
| # Required repository secrets (shared with hofmann-elimination under the same org): | |
| # - CENTRAL_PORTAL_USERNAME / CENTRAL_PORTAL_PASSWORD — Central Portal user-token credentials | |
| # - GPG_PRIVATE_KEY (base64-encoded) / GPG_PASSPHRASE / GPG_KEY_ID — for artifact signing | |
| on: | |
| push: | |
| tags: | |
| - 'v[0-9]+.[0-9]+.[0-9]+' | |
| - 'v[0-9]+.[0-9]+.[0-9]+-*' | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| packages: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 # full history so `git describe --tags` resolves the tag in settings.gradle.kts | |
| - name: Validate tag format | |
| run: | | |
| TAG=${GITHUB_REF#refs/tags/} | |
| echo "Tag: $TAG" | |
| if ! [[ $TAG =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then | |
| echo "ERROR: Tag must match semantic versioning (vX.Y.Z or vX.Y.Z-suffix)" | |
| exit 1 | |
| fi | |
| echo "VERSION=${TAG#v}" >> $GITHUB_ENV | |
| echo "TAG=$TAG" >> $GITHUB_ENV | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v5 | |
| with: | |
| java-version: '21' | |
| distribution: 'temurin' | |
| - name: Set up Gradle | |
| uses: gradle/actions/setup-gradle@v6 | |
| - name: Verify version matches tag | |
| run: | | |
| GRADLE_VERSION=$(./gradlew properties -q | grep "^version:" | awk '{print $2}') | |
| echo "Gradle version: $GRADLE_VERSION" | |
| echo "Expected version: $VERSION" | |
| if [ "$GRADLE_VERSION" != "$VERSION" ]; then | |
| echo "ERROR: Gradle version ($GRADLE_VERSION) does not match tag version ($VERSION)" | |
| exit 1 | |
| fi | |
| - name: Build and test | |
| run: ./gradlew clean build test --stacktrace | |
| - name: Import GPG key | |
| env: | |
| GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} | |
| GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| run: | | |
| echo "$GPG_PRIVATE_KEY" | base64 -d | gpg --batch --import | |
| echo "test" | gpg --clearsign --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" > /dev/null | |
| echo "GPG key imported and tested successfully" | |
| - name: Configure GPG for signing | |
| run: | | |
| echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf | |
| echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf | |
| gpg-connect-agent reloadagent /bye | |
| - name: Publish to Maven Central | |
| env: | |
| CENTRAL_PORTAL_USERNAME: ${{ secrets.CENTRAL_PORTAL_USERNAME }} | |
| CENTRAL_PORTAL_PASSWORD: ${{ secrets.CENTRAL_PORTAL_PASSWORD }} | |
| GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} | |
| run: | | |
| export GPG_TTY=$(tty) | |
| cat > ~/.gradle/gradle.properties << EOF | |
| signing.gnupg.keyName=$GPG_KEY_ID | |
| signing.gnupg.passphrase=$GPG_PASSPHRASE | |
| EOF | |
| chmod 600 ~/.gradle/gradle.properties | |
| ./gradlew publishAggregationToCentralPortal --no-daemon --stacktrace | |
| - name: Build distribution archives | |
| run: | | |
| ./gradlew \ | |
| :pk-auth-core:jar :pk-auth-core:javadocJar :pk-auth-core:sourcesJar \ | |
| :pk-auth-jwt:jar :pk-auth-jwt:javadocJar :pk-auth-jwt:sourcesJar \ | |
| :pk-auth-admin-api:jar :pk-auth-admin-api:javadocJar :pk-auth-admin-api:sourcesJar \ | |
| :pk-auth-backup-codes:jar :pk-auth-backup-codes:javadocJar :pk-auth-backup-codes:sourcesJar \ | |
| :pk-auth-magic-link:jar :pk-auth-magic-link:javadocJar :pk-auth-magic-link:sourcesJar \ | |
| :pk-auth-otp:jar :pk-auth-otp:javadocJar :pk-auth-otp:sourcesJar \ | |
| :pk-auth-persistence-jdbi:jar :pk-auth-persistence-jdbi:javadocJar :pk-auth-persistence-jdbi:sourcesJar \ | |
| :pk-auth-persistence-dynamodb:jar :pk-auth-persistence-dynamodb:javadocJar :pk-auth-persistence-dynamodb:sourcesJar \ | |
| :pk-auth-testkit:jar :pk-auth-testkit:javadocJar :pk-auth-testkit:sourcesJar \ | |
| :pk-auth-spring-boot-starter:jar :pk-auth-spring-boot-starter:javadocJar :pk-auth-spring-boot-starter:sourcesJar \ | |
| :pk-auth-dropwizard:jar :pk-auth-dropwizard:javadocJar :pk-auth-dropwizard:sourcesJar \ | |
| :pk-auth-micronaut:jar :pk-auth-micronaut:javadocJar :pk-auth-micronaut:sourcesJar | |
| - name: Create GitHub Release | |
| uses: softprops/action-gh-release@v3 | |
| with: | |
| name: Release ${{ env.VERSION }} | |
| body: | | |
| ## pk-auth ${{ env.VERSION }} | |
| ### Maven Central | |
| Add the modules you need (all share the same version): | |
| ```gradle | |
| implementation("com.codeheadsystems:pk-auth-spring-boot-starter:${{ env.VERSION }}") | |
| // or :pk-auth-dropwizard / :pk-auth-micronaut for the other adapters | |
| implementation("com.codeheadsystems:pk-auth-persistence-jdbi:${{ env.VERSION }}") | |
| // testImplementation("com.codeheadsystems:pk-auth-testkit:${{ env.VERSION }}") | |
| ``` | |
| ```xml | |
| <dependency> | |
| <groupId>com.codeheadsystems</groupId> | |
| <artifactId>pk-auth-spring-boot-starter</artifactId> | |
| <version>${{ env.VERSION }}</version> | |
| </dependency> | |
| ``` | |
| ### Modules Published | |
| - `com.codeheadsystems:pk-auth-core:${{ env.VERSION }}` | |
| - `com.codeheadsystems:pk-auth-jwt:${{ env.VERSION }}` | |
| - `com.codeheadsystems:pk-auth-admin-api:${{ env.VERSION }}` | |
| - `com.codeheadsystems:pk-auth-backup-codes:${{ env.VERSION }}` | |
| - `com.codeheadsystems:pk-auth-magic-link:${{ env.VERSION }}` | |
| - `com.codeheadsystems:pk-auth-otp:${{ env.VERSION }}` | |
| - `com.codeheadsystems:pk-auth-persistence-jdbi:${{ env.VERSION }}` | |
| - `com.codeheadsystems:pk-auth-persistence-dynamodb:${{ env.VERSION }}` | |
| - `com.codeheadsystems:pk-auth-testkit:${{ env.VERSION }}` | |
| - `com.codeheadsystems:pk-auth-spring-boot-starter:${{ env.VERSION }}` | |
| - `com.codeheadsystems:pk-auth-dropwizard:${{ env.VERSION }}` | |
| - `com.codeheadsystems:pk-auth-micronaut:${{ env.VERSION }}` | |
| ### What's Changed | |
| See commits since last release for details. | |
| **Note:** Artifacts may take up to 2 hours to appear in Maven Central after release. | |
| files: | | |
| pk-auth-core/build/libs/*.jar | |
| pk-auth-jwt/build/libs/*.jar | |
| pk-auth-admin-api/build/libs/*.jar | |
| pk-auth-backup-codes/build/libs/*.jar | |
| pk-auth-magic-link/build/libs/*.jar | |
| pk-auth-otp/build/libs/*.jar | |
| pk-auth-persistence-jdbi/build/libs/*.jar | |
| pk-auth-persistence-dynamodb/build/libs/*.jar | |
| pk-auth-testkit/build/libs/*.jar | |
| pk-auth-spring-boot-starter/build/libs/*.jar | |
| pk-auth-dropwizard/build/libs/*.jar | |
| pk-auth-micronaut/build/libs/*.jar | |
| draft: false | |
| prerelease: ${{ contains(env.VERSION, '-') }} | |
| generate_release_notes: true | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Notify on failure | |
| if: failure() | |
| run: | | |
| echo "::error::Release failed! Check logs for details." |