Fix Maven Central publish for vespera-bridge + gradle plugin#134
Merged
Conversation
Three independent bugs blocked the 0.1.0 publish run (https://github.com/dev-five-git/vespera/actions/runs/26458007485): 1. `shouldSign` probed `signingInMemoryKeyId` instead of `signingInMemoryKey`. CI only sets the latter (the actual PGP private key), so `shouldSign` evaluated to `false` and the `signAllPublications()` call was skipped, leaving unsigned artifacts that Maven Central's Central Portal rejected during validation (gradle log ended at `Deployment is being validated` instead of progressing to `is being published`). 2. `libs/vespera-bridge-gradle-plugin/gradlew` lacked the executable bit, and the workflow's chmod step only touched `libs/vespera-bridge/gradlew`. changepacks invokes `./gradlew publishToMavenCentral` per package, so the plugin publish failed immediately with no log output. 3. `.changepacks/config.json` did not list the gradle plugin in `updateOn`, so future Cargo bumps would not auto-bump the plugin alongside vespera-bridge. Fixes: - Both `build.gradle.kts` now probe `signingInMemoryKey` (both as a Gradle property and as `ORG_GRADLE_PROJECT_signingInMemoryKey` env var). - `CI.yml` chmods +x both gradlew binaries. - Both gradlew files are also marked `100755` in the index so the chmod step is defense-in-depth. - `.changepacks/config.json` updates both Java packages on Cargo changes. - Added a Patch changepack to drive the 0.1.0 -> 0.1.1 republish (Maven Central does not allow re-uploading the rejected 0.1.0).
Changepacksvespera@0.2.0 - Cargo.tomlMaybe you forgot to write the following files to the latest version vespera-bridge@0.1.0 → 0.1.1 - libs/vespera-bridge/build.gradle.ktsPatch
vespera-bridge-gradle-plugin@0.1.0 → 0.1.1 - libs/vespera-bridge-gradle-plugin/build.gradle.ktsPatch
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Run #26458007485 failed to publish
vespera-bridge@0.1.0andvespera-bridge-gradle-plugin@0.1.0to Maven Central. Three independent regressions stacked together caused it:1.
shouldSignprobed the wrong property → unsigned artifacts → Central Portal rejection32b712areplaced the unconditionalsignAllPublications()call with:But
CI.ymlonly sets:ORG_GRADLE_PROJECT_mavenCentralUsername / PasswordORG_GRADLE_PROJECT_signingInMemoryKey← the actual keyORG_GRADLE_PROJECT_signingInMemoryKeyPasswordsigningInMemoryKeyIdis never set anywhere, soshouldSignevaluated tofalseandsignAllPublications()was skipped. Central Portal received unsigned artifacts and rejected the deployment — the gradle log ends atDeployment is being validatedand never progresses tois being published(the successful 0.0.14 log shows both lines).Maven Centralconfirms 0.0.14 was the last published version.2. Plugin's
gradlewhad no executable bitThe new
libs/vespera-bridge-gradle-plugindirectory was added by32b712abut the workflow's chmod step still only touchedlibs/vespera-bridge/gradlew.changepacksruns./gradlew publishToMavenCentralfrom each Java project's directory, so the plugin invocation failed immediately with no log output (the failing run'spublish output for libs/vespera-bridge-gradle-plugin/build.gradle.kts:line is empty).3.
.changepacks/config.jsondidn't track the new pluginCargo-driven version bumps only bumped
vespera-bridge, never the plugin. Future Cargo bumps would silently leave the plugin behind.Changes
libs/vespera-bridge/build.gradle.kts,libs/vespera-bridge-gradle-plugin/build.gradle.kts— probesigningInMemoryKey(the actual key) instead ofsigningInMemoryKeyId..github/workflows/CI.yml—chmod +xboth gradlew binaries.libs/vespera-bridge*/gradlew— index filemode set to100755(defense-in-depth so the workflow chmod is no longer load-bearing on Linux runners)..changepacks/config.json—updateOnnow lists both Java packages..changepacks/changepack_log_*.json— Patch bump for both Java packages (Maven Central does not allow re-uploading the rejected 0.1.0, so this triggers anUpdate VersionsPR for 0.1.1).Verification plan
After merging this PR, the auto-generated
Update VersionsPR will bump bridge/plugin 0.1.0 → 0.1.1. When that PR merges, the CI publish step should now:chmod +xboth gradlew binaries (defense; index already has100755)../gradlew publishToMavenCentral --stacktracefor both Java packages.shouldSign = true→signAllPublications()runs → signed artifacts → Central Portal validation passes → release.Cargo 0.2.0 was already published successfully and stays unchanged.