Maven central deploy gpg expires#3029

Merged: predic8 merged 5 commits into master from maven-central-deploy-gpg-expires, Jun 30, 2026

@predic8 predic8 commented Jun 30, 2026

Member

Summary by CodeRabbit

  • Chores
    • Improved the release publishing workflow by adding an extra “Check GPG key expiry” step before publishing.
    • The workflow now compares the signing key’s expiration date to the current time and fails the job if it has expired.
    • If no expiration date is found, it logs the result and continues normally.

coderabbitai Bot commented Jun 30, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7459b18f-e805-4c9c-84a2-31cfa347e632

📥 Commits

Reviewing files that changed from the base of the PR and between a2eac4e and 635fa92.

📒 Files selected for processing (1)
  • .github/workflows/maven-publish.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/maven-publish.yml

Walkthrough

The Maven publish workflow now checks the imported GPG key’s expiry date. It parses expires: from gpg --list-secret-keys, converts it to a timestamp, and fails the job when the key is expired. Keys without expiry are logged.

Changes

GPG Key Expiry Validation

| Layer / File(s) | Summary |
| --- | --- |
| GPG key import and expiry validation (.github/workflows/maven-publish.yml) | Imports the OSSRH GPG secret key, lists the secret keys, and adds a step that reads the expires: value, compares it with the current time, fails on expiration, and logs when no expiry is configured. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐇 I sniffed the key and checked the date,
If it’s gone stale, I stop the gate.
If it has no end, I give a cheer,
Then hop along and publish here.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title is concise and clearly matches the main change: adding GPG expiry handling to the Maven Central deploy workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/maven-publish.yml:
- Around line 28-29: The expiry extraction in the workflow’s GPG key check is
too brittle: the current `EXPIRY` parsing in the publish step can capture a
trailing bracket and the pipeline can fail before the empty-expiry branch is
reached. Update the parsing logic in the maven-publish workflow step that
computes `EXPIRY` so it safely strips the bracketed value from `gpg
--list-secret-keys`, and make the command substitution tolerant of
no-match/no-expiry cases before the `date` comparison runs.
- Around line 28-30: The EXPIRY assignment in the Maven publish workflow is
aborting early when the `grep` in the shell pipeline finds no match, so the
no-expiry branch is never reached. Update the shell logic around the
`EXPIRY=$(gpg --list-secret-keys --keyid-format LONG ...)` block to tolerate a
no-match result from `grep -oP '(?<=expires: )\S+'`, using a non-failing
fallback so the `if [ -z "$EXPIRY" ]` path can still execute as intended.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e9452d83-2cb9-4936-93f8-845d501662e5

📥 Commits

Reviewing files that changed from the base of the PR and between 90bd962 and a2eac4e.

📒 Files selected for processing (1)
  • .github/workflows/maven-publish.yml

Comment thread .github/workflows/maven-publish.yml Outdated
Comment thread .github/workflows/maven-publish.yml
@membrane-ci-server

This pull request needs "/ok-to-test" from an authorized committer.

@predic8 predic8 merged commit b9ba427 into master Jun 30, 2026
4 of 5 checks passed
@predic8 predic8 deleted the maven-central-deploy-gpg-expires branch June 30, 2026 09:41
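
The two review findings above (a trailing bracket captured from `expires:` and a no-match `grep` aborting the step before the empty-expiry branch) can be avoided as in this added example, which is not the workflow code from this PR. The sample listings, the function names and the fixed "now" timestamps are constructed for illustration, and `date -d` assumes GNU date.

```shell
set -eu  # fail-fast mode: a command substitution ending in a no-match grep would abort here

# Constructed samples of `gpg --list-secret-keys --keyid-format LONG` output.
SAMPLE_EXPIRING='sec   rsa4096/0123456789ABCDEF 2024-06-30 [SC] [expires: 2026-06-30]
      0000000000000000000000000123456789ABCDEF
uid                 [ultimate] Example Release Key <release@example.invalid>
ssb   rsa4096/FEDCBA9876543210 2024-06-30 [E] [expires: 2026-06-30]'
SAMPLE_NO_EXPIRY='sec   rsa4096/0123456789ABCDEF 2024-06-30 [SC]
uid                 [ultimate] Example Release Key <release@example.invalid>'

# Print the primary key's expiry as YYYY-MM-DD, or nothing when none is set.
# Unlike grep, `sed -n` exits 0 when nothing matches, so `set -e` does not
# abort here, and the capture group stops before the closing bracket.
extract_expiry() {
  sed -n '/^sec .*\[expires: /{
    s/.*\[expires: \([0-9][0-9-]*\)\].*/\1/p
    q
  }'
}

# $1 = key listing, $2 = current time as epoch seconds.
# Returns 0 for a valid or non-expiring key, 1 for an expired one.
check_key_expiry() {
  expiry=$(printf '%s\n' "$1" | extract_expiry)
  if [ -z "$expiry" ]; then
    echo "no expiry set"
    return 0
  fi
  expiry_ts=$(date -u -d "$expiry" +%s)  # GNU date, as on Linux CI runners
  if [ "$expiry_ts" -le "$2" ]; then
    echo "expired on $expiry"
    return 1
  fi
  echo "valid until $expiry"
}

# Demo with a fixed, constructed "now" (2023-11-14T22:13:20Z).
check_key_expiry "$SAMPLE_EXPIRING" 1700000000
check_key_expiry "$SAMPLE_NO_EXPIRY" 1700000000
```

In a real step the listing would come from `gpg --list-secret-keys --keyid-format LONG` and the second argument from `date +%s`. gpg's `--with-colons` listing is the format intended for scripts; the human-readable format is parsed here because it is the one the review comments discuss.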