Skip to content

Maven central deploy gpg expires#3030

Merged
rrayst merged 8 commits into
masterfrom
maven-central-deploy-gpg-expires
Jun 30, 2026
Merged

Maven central deploy gpg expires#3030
rrayst merged 8 commits into
masterfrom
maven-central-deploy-gpg-expires

Conversation

@christiangoerdes

@christiangoerdes christiangoerdes commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Summary by CodeRabbit

  • Chores
    • Improved the release publishing workflow with a GPG key expiry check.
    • The publish process now reports remaining key validity and fails early if the signing key has expired.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e02b8827-daa2-424e-b609-56a739a4cc66

📥 Commits

Reviewing files that changed from the base of the PR and between b9ba427 and ed209cf.

📒 Files selected for processing (1)
  • .github/workflows/maven-publish.yml

📝 Walkthrough

Walkthrough

The Maven publish workflow adds a new "Check GPG key expiry" step that parses the expires: field from GPG output after importing the secret key. It fails the workflow with exit 1 if the key's expiry date is in the past, and prints the expiry and remaining days otherwise.

Changes

GPG Key Expiry Check in CI

Layer / File(s) Summary
GPG import and expiry validation
.github/workflows/maven-publish.yml
Separates GPG key import into its own step and adds a new step that extracts the key's expires: date, fails the workflow if the key is expired, and prints remaining days otherwise.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐇 Hop hop, the GPG key must be fresh,
No expired keys shall slip through the mesh.
I parse the date with a clever shell trick,
And exit 1 if the numbers don't click.
The pipeline stays healthy, secrets in bloom —
A rabbit ensures there's no cryptic doom! 🔑

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: adding a GPG expiry check to the Maven Central deploy workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch maven-central-deploy-gpg-expires
⚔️ Resolve merge conflicts
  • Resolve merge conflict in branch maven-central-deploy-gpg-expires

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@rrayst rrayst merged commit 508600f into master Jun 30, 2026
2 of 3 checks passed
@rrayst rrayst deleted the maven-central-deploy-gpg-expires branch June 30, 2026 09:46

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/maven-publish.yml:
- Around line 28-42: The GPG expiry check in the maven-publish workflow only
matches the “expires:” text from gpg output, so already-expired keys can be
misclassified as having no expiry. Update the expiry parsing logic in this step
to use gpg’s machine-readable --with-colons output, read the expiration from the
sec record’s 7th field, and keep the existing comparison/exit behavior in the
same workflow step.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e02b8827-daa2-424e-b609-56a739a4cc66

📥 Commits

Reviewing files that changed from the base of the PR and between b9ba427 and ed209cf.

📒 Files selected for processing (1)
  • .github/workflows/maven-publish.yml

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/maven-publish.yml:
- Around line 28-42: The GPG expiry check in the maven-publish workflow only
matches the “expires:” text from gpg output, so already-expired keys can be
misclassified as having no expiry. Update the expiry parsing logic in this step
to use gpg’s machine-readable --with-colons output, read the expiration from the
sec record’s 7th field, and keep the existing comparison/exit behavior in the
same workflow step.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e02b8827-daa2-424e-b609-56a739a4cc66

📥 Commits

Reviewing files that changed from the base of the PR and between b9ba427 and ed209cf.

📒 Files selected for processing (1)
  • .github/workflows/maven-publish.yml
🛑 Comments failed to post (1)
.github/workflows/maven-publish.yml (1)

28-42: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

gpg --list-secret-keys output "[expired:" vs "[expires:" format and --with-colons sec record field 7 expiration timestamp

💡 Result:

In the human-readable output of GPG (e.g., gpg --list-secret-keys), the labels "[expired: YYYY-MM-DD]" and "[expires: YYYY-MM-DD]" indicate the status of the key or subkey [1]. Specifically, "[expired:...]" denotes that the key has already passed its expiration date, while "[expires:...]" indicates a key that is currently valid but set to expire at the specified future date [1]. These labels are part of the user-facing output intended for human readability and are not recommended for automated scripts [2][3]. For automated processing, GnuPG provides the --with-colons option, which outputs data in a stable, machine-parseable format documented in the GnuPG source file doc/DETAILS [4][2][5]. Regarding the --with-colons output format: - The "sec" (or "ssb") record type is used for secret keys and subkeys [6][7]. - Field 7 contains the expiration date [8][9]. - The expiration date in this field is represented either as a numeric timestamp (seconds since the Epoch) or, in some contexts, as an ISO 8601 string (detectable by the presence of the letter 'T') [4][8]. - If the field is empty, it indicates that the key does not expire [8][9]. Because the default human-readable output format is subject to change, scripts should rely exclusively on the --with-colons output for parsing key metadata [2][3].

Citations:


Already-expired GPG keys can pass this check. gpg --list-secret-keys can emit [expired: YYYY-MM-DD], but this grep only matches expires:. When the key is already expired, EXPIRY stays empty and the step reports “no expiry date set,” so the expired key is treated as valid. Parse gpg --with-colons instead and read the expiry from the sec record’s 7th field.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maven-publish.yml around lines 28 - 42, The GPG expiry
check in the maven-publish workflow only matches the “expires:” text from gpg
output, so already-expired keys can be misclassified as having no expiry. Update
the expiry parsing logic in this step to use gpg’s machine-readable
--with-colons output, read the expiration from the sec record’s 7th field, and
keep the existing comparison/exit behavior in the same workflow step.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants