fix: review issues; pass params as action_envs

Author: kc-vl

.github/workflows/publish.yaml

@@ -21,12 +21,13 @@ jobs:
       - name: Publish package
         run: |
           bazel run \
-            --define signing_key=${PGP_SECRET} \
-            --define signing_passwd=${PGP_PASSPHRASE} \
-            --define sonatype_token=$(printf $SONATYPE_USERNAME:$SONATYPE_PASSWORD | base64 -w0) \
-            //server/install:publish
+            //server/install:publish \
+            --action_env=SONATYPE_USERNAME \
+            --action_env=SONATYPE_PASSWORD \
+            --action_env=SONATYPE_SIGNING_KEY \
+            --action_env=SONATYPE_SIGNING_KEY_PASSWORD
         env:
           SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
           SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
-          PGP_PASSPHRASE: $${{ secrets.PGP_PASSPHRASE }}
-          PGP_SECRET: $${{ secrets.PGP_SECRET }}
+          SONATYPE_SIGNING_KEY: $${{ secrets.PGP_SECRET }}
+          SONATYPE_SIGNING_KEY_PASSWORD: $${{ secrets.PGP_PASSPHRASE }}

MODULE.bazel

@@ -10,7 +10,7 @@ bazel_dep(name = "ape", version = "1.0.1")
 bazel_dep(name = "rules_shell", version = "0.5.0")
 
 cosmos = use_extension("@ape//ape/cosmos:defs.bzl", "ape_cosmos")
-use_repo(cosmos, "curl", "md5sum", "sha1sum", "sha256sum", "sha512sum")
+use_repo(cosmos, "base64", "curl", "echo", "md5sum", "sha1sum", "sha256sum", "sha512sum")
 
 register_toolchains(
     "//:kotlin_toolchain",

rules/publishing/MavenSigning.java

@@ -37,8 +37,8 @@ public class MavenSigning {
 
   public static void main(String[] args) {
     var toSign = Paths.get(System.getenv("MAVEN_SIGNING_TOSIGN"));
-    var pass = System.getenv("MAVEN_SIGNING_PASSWD").strip();
-    var key = System.getenv("MAVEN_SIGNING_KEY").strip();
+    var pass = System.getenv("SONATYPE_SIGNING_KEY_PASSWORD").strip();
+    var key = System.getenv("SONATYPE_SIGNING_KEY").strip();
     var output = Paths.get(System.getenv("MAVEN_SIGNING_OUTPUT_PATH"));
     Path result = null;
     try {

rules/publishing/publish_sonatype.bzl

@@ -101,29 +101,31 @@ def publish_sonatype(
         tags = ["manual"],
     )
 
+    data = [
+        "@curl",
+        "@echo",
+        "@base64",
+        ":{}_bundle".format(name),
+    ]
+
     expand_template_rule(
         name = "{}.sh".format(name),
-        data = [
-            "@curl",
-            ":{}_bundle".format(name),
-        ],
+        data = data,
         out = "{}_upload.sh".format(name),
         is_executable = True,
         substitutions = {
             "{CURL}": "$(rootpath @curl)",
+            "{ECHO}": "$(rootpath @echo)",
+            "{BASE64}": "$(rootpath @base64)",
             "{BUNDLE}": "$(rootpath :{}_bundle)".format(name),
-            "{SONATYPE_TOKEN}": "$(sonatype_token)",
         },
         template = "//rules/publishing:upload.sh.tpl",
         tags = ["manual"],
     )
 
     sh_binary(
         name = name,
-        data = [
-            "@curl",
-            ":{}_bundle".format(name),
-        ],
+        data = data,
         srcs = [":{}.sh".format(name)],
         tags = ["manual"],
     )
@@ -154,8 +156,6 @@ def _sign(
         srcs = [artifact],
         outs = [out],
         cmd = """
-MAVEN_SIGNING_KEY=$(signing_key) \
-MAVEN_SIGNING_PASSWD=$(signing_passwd) \
 MAVEN_SIGNING_TOSIGN=$(location {}) \
 MAVEN_SIGNING_OUTPUT_PATH=$(location {}) \
 $(location //rules/publishing:pgp_signer)""".format(artifact, out),

rules/publishing/upload.sh.tpl

@@ -1,8 +1,15 @@
 #!/usr/bin/env bash
 
+if [[ -z "${SONATYPE_USERNAME}" || -z ${SONATYPE_PASSWORD} ]]; then
+    echo "Missing SONATYPE_PASSWORD and/or SONATYPE_USERNAME envs. Exiting with error." 1>&2
+    exit -1
+fi
+
+SONATYPE_TOKEN=$({ECHO} -n $SONATYPE_USERNAME:$SONATYPE_PASSWORD | {BASE64} -w0)
+
 {CURL} \
    --request POST \
-   --verbose \
-   --header 'Authorization: Bearer {SONATYPE_TOKEN}' \
+   --silent \
+   --header 'Authorization: Bearer ${SONATYPE_TOKEN}' \
    --form bundle=@{BUNDLE} \
    https://central.sonatype.com/api/v1/publisher/upload?publishingType=AUTOMATIC