Explicitly switch to Sonatype token authentication
As of January 2024, Sonatype is actively discouraging the legacy
username & password method of authentication, recommending token
authentication instead:

* https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests
* https://central.sonatype.org/publish/generate-token/

In this new scheme, the token is still split into a username/password
format, and both are randomised strings, making the username portion
a meaningful secret (i.e. one that can be revoked) and so worthy of being
treated as a secret. Consequently, in this change the username is now a
GitHub workflow 'secret' parameter, rather than a simple input.
rtyley committed Jan 18, 2024
1 parent 58cfc06 commit 8bd424a
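The token scheme the commit message describes, as an added example that is not part of this commit or of the Guardian workflow: a bash function that validates a `username:password` Sonatype token and exports the two variables sbt-sonatype reads, without printing any part of the token. The function name `split_sonatype_token` and the sample value are constructed for this example; in the workflow the real value would come from the `SONATYPE_TOKEN` secret.

```bash
#!/usr/bin/env bash
# Added example (not from guardian/gha-scala-library-release-workflow): split a
# Sonatype token of the form username:password into the env vars sbt-sonatype
# reads. Both halves are secrets, so nothing here echoes any part of the token.
set -eu

# Usage: split_sonatype_token "$SONATYPE_TOKEN"
# Exports SONATYPE_USERNAME and SONATYPE_PASSWORD; returns 1 on a malformed token.
split_sonatype_token() {
  local token="$1"

  # A token without a colon is the most likely misconfiguration (e.g. only the
  # password half pasted into the secret). Fail fast instead of letting
  # ${token%%:*} and ${token#*:} both silently expand to the whole string.
  case "$token" in
    *:*) ;;
    *)  echo "SONATYPE_TOKEN must be in username:password form" >&2; return 1 ;;
  esac

  # Split on the FIRST colon only, as the workflow's own ${SONATYPE_TOKEN%%:*}
  # does: the username half is assumed to contain no colon, while a password
  # half that happens to contain further colons must stay intact.
  local user="${token%%:*}"
  local pass="${token#*:}"

  if [ -z "$user" ] || [ -z "$pass" ]; then
    echo "SONATYPE_TOKEN has an empty username or password half" >&2
    return 1
  fi

  # export (not a bare assignment) so child processes such as sbt can see them.
  export SONATYPE_USERNAME="$user"
  export SONATYPE_PASSWORD="$pass"
}

# Constructed sample value for a stand-alone run (not a real credential); in the
# workflow the value comes from the SONATYPE_TOKEN secret. Only the lengths of
# the two halves are printed, never their contents.
if [ "${1:-}" = "--demo" ]; then
  split_sonatype_token "exampleUser1234:examplePass5678"
  echo "token split OK: username ${#SONATYPE_USERNAME} chars, password ${#SONATYPE_PASSWORD} chars"
fi
```

Run it with `--demo` to see the split on the constructed value, or source it in a workflow step and call `split_sonatype_token "$SONATYPE_TOKEN"` before invoking sbt. Parameter expansion is used rather than `echo | cut` so the token never passes through a pipe or a process argument list, and the `export` matters because a bare shell assignment on its own line is not visible to the `sbt` child process.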
Showing 3 changed files with 31 additions and 14 deletions.
16 changes: 6 additions & 10 deletions .github/workflows/reusable-release.yml
@@ -13,14 +13,9 @@ on:
default: 'oss.sonatype.org' # The default host is going to be whatever "com.gu" is using
required: false # ...but if you're not the Guardian, you'll want to set this explicitly
type: string
SONATYPE_USERNAME:
description: 'Sonatype username'
default: 'guardian.automated.maven.release' # Only for use by the Guardian!
required: false # Must be supplied if used by a non-Guardian project
type: string
secrets:
SONATYPE_PASSWORD:
description: 'Password for the SONATYPE_USERNAME account - used to authenticate when uploading artifacts'
SONATYPE_TOKEN:
description: 'Sonatype authentication token, colon-separated (username:password) - https://central.sonatype.org/publish/generate-token/'
required: true
PGP_PRIVATE_KEY:
description:
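Review bot: removing the `SONATYPE_USERNAME` input and the `SONATYPE_PASSWORD` secret in favour of a `required: true` `SONATYPE_TOKEN` is a breaking change for every existing caller of this reusable workflow, including Guardian repos that relied on the `guardian.automated.maven.release` default, so the commit message or a changelog entry should say so and name the new secret. The `SONATYPE_TOKEN` description would also benefit from stating that the token must be generated on the same host as `SONATYPE_CREDENTIAL_HOST` (the `oss.sonatype.org` vs `s01.oss.sonatype.org` distinction), since the docs in this same commit note that a token generated on one host will not work on the other and the failure would otherwise surface only as an authentication error deep in the release step.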
@@ -328,9 +323,10 @@ jobs:
cache: sbt # the issue described in https://github.com/actions/setup-java/pull/564 doesn't affect this step (no version.sbt)
- name: Release
env:
SONATYPE_USERNAME: ${{ inputs.SONATYPE_USERNAME }}
SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
run: |
SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
run:
SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}" # See https://github.com/xerial/sbt-sonatype/pull/62
SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"
sbt "sonatypeBundleRelease"

github-release:
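Review bot: `SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}"` and `SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"` are plain shell assignments, not exports, so as written they are not in the environment of the `sbt "sonatypeBundleRelease"` process on the following line; sbt-sonatype reads `SONATYPE_USERNAME`/`SONATYPE_PASSWORD` from the environment (the linked xerial/sbt-sonatype pull request 62), so either `export` both or place the assignments on the same line as the `sbt` invocation. Please also confirm the `run:` key keeps its `|` block indicator: as rendered here the old `run: |` is replaced by a bare `run:`, and a three-line script body with a trailing `# See ...` comment is not valid as a plain multi-line YAML scalar. Finally, when the secret contains no colon both expansions evaluate to the whole token, so a mis-pasted secret silently becomes username = password = token; a one-line guard such as `case "$SONATYPE_TOKEN" in *:*) ;; *) echo "SONATYPE_TOKEN must be username:password" >&2; exit 1;; esac` fails fast and prints nothing derived from the secret. Splitting with parameter expansion rather than `echo`/`cut` is the right call: Actions masks the registered secret value in logs, but not substrings derived from it.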
20 changes: 18 additions & 2 deletions docs/credentials/generating-credentials.md
@@ -16,6 +16,22 @@ should be plaintext, not BASE64-encoded.
gpg --armor --export-secret-key [insert key fingerprint here] | pbcopy
```

## Updating a Sonatype OSSRH user's password
## Updating a Sonatype OSSRH Token username & password

See [Sonatype's instructions](https://central.sonatype.org/faq/ossrh-password/).
As of [January 2024](https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests),
Sonatype is actively discouraging the legacy username & password method of authentication, recommending
[token authentication](https://central.sonatype.org/publish/generate-token/)
(see link for token-regenerating instructions).

Note these points:

* The token is in a colon:separated username/password format, and _both_ username & password are randomised & revocable
secret strings.
* Tokens generated on either https://oss.sonatype.org/ or https://s01.oss.sonatype.org/ will be _different_, and
**a token generated on one will not work on the other**. So, eg, if your `SONATYPE_CREDENTIAL_HOST` is `s01.oss.sonatype.org`,
you'll need to use a token _generated_ on `s01.oss.sonatype.org`. Remember that the `SONATYPE_CREDENTIAL_HOST` you
use is [dictated](https://github.com/xerial/sbt-sonatype/pull/461) by which Sonatype OSSRH server your **profile**
is hosted on.
**Guardian developers:** currently the Guardian's `com.gu` profile is hosted on `oss.sonatype.org`, so the token we
use must be generated [there](https://s01.oss.sonatype.org/), logged in with the `guardian.automated.maven.release`
account.
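Review bot: the Guardian paragraph contradicts the bullet above it: it says the `com.gu` profile is hosted on `oss.sonatype.org` and the token must be generated "there", but the link behind "there" points to https://s01.oss.sonatype.org/, and the bullet has just explained that a token generated on one host will not work on the other. Either the link should be https://oss.sonatype.org/ or the text should say `s01`, whichever is true; as written a reader following the link will generate a token the release cannot use. Minor: `colon:separated` in the first bullet reads as a typo for `colon-separated`.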
9 changes: 7 additions & 2 deletions docs/credentials/supplying-credentials.md
@@ -14,8 +14,13 @@ has _access_ to those secrets.
### Guardian-specific access

**Guardian developers:** We use [`guardian/github-secret-access`](https://github.com/guardian/github-secret-access)
to grant repos access to the `AUTOMATED_MAVEN_RELEASE_PGP_SECRET` & `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD`
secrets - you need to raise a PR there (like [this example PR](https://github.com/guardian/github-secret-access/pull/24))
to grant repos access to these secrets:

* `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN`
* `AUTOMATED_MAVEN_RELEASE_PGP_SECRET`

You need to raise a PR on the `guardian/github-secret-access` repo (like
[this example PR](https://github.com/guardian/github-secret-access/pull/24))
to grant your repo access to the organisation-wide secrets.

### Generating new credentials
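Review bot: the secret granted through `guardian/github-secret-access` changes name from `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD` to `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN`, so repos that were already granted the old secret are not covered and need a fresh PR for the new name; a sentence saying so would save readers a failed release, and the example PR 24 was linked before this change, so it is worth checking that it still reflects the new secret name. It would also help to state that the old `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD` secret can be revoked and removed once the token is in place, since the token now carries the username as well and the commit removes every consumer of the old secret.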

0 comments on commit 8bd424a