build: experimenting -- do not merge

Author: nicklasl

.github/workflows/secrets-testing.yml

@@ -0,0 +1,56 @@
+name: Secrets Testing
+
+on:
+  push:
+    branches: [main,build-secrets-testing]
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  secrets-testing:
+    name: Secrets Testing
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Construct Maven settings file
+        run: |
+          cat > /tmp/maven_settings.xml <<'EOF'
+          <?xml version="1.0" encoding="UTF-8"?>
+          <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
+                                http://maven.apache.org/xsd/settings-1.0.0.xsd">
+            <servers>
+              <server>
+                <id>central</id>
+                <username>${{ secrets.MAVEN_CENTRAL_USERNAME }}</username>
+                <password>${{ secrets.MAVEN_CENTRAL_PASSWORD }}</password>
+              </server>
+            </servers>
+          </settings>
+          EOF
+
+      - name: Write GPG key and passphrase to files
+        run: |
+          echo "${{ secrets.GPG_PRIVATE_KEY }}" > /tmp/gpg_private_key.asc
+          echo "${{ secrets.SIGN_KEY_PASS }}" > /tmp/gpg_pass.txt
+
+      - name: Publish Java package with Docker
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: openfeature-provider-java.install
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository }}/cache:main
+          secret-files: |
+            maven_settings=/tmp/maven_settings.xml
+            gpg_private_key=/tmp/gpg_private_key.asc
+            gpg_pass=/tmp/gpg_pass.txt

Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1
 
 # ==============================================================================
 # Base image with Rust toolchain (Alpine - more reliable than Debian)
@@ -416,6 +416,15 @@ FROM openfeature-provider-js.test AS openfeature-provider-js.test_e2e
 RUN --mount=type=secret,id=js_e2e_test_env,target=.env.test \
     make test-e2e
 
+# ==============================================================================
+# Test Secrets
+# ==============================================================================
+FROM alpine AS secrets-testing.print
+
+# Never do this at home kids!
+RUN --mount=type=secret,id=test_secret,target=/run/secrets/secret.txt \
+    cp /run/secrets/secret.txt /secret.txt 
+
 # ==============================================================================
 # Build OpenFeature Provider
 # ==============================================================================
@@ -485,19 +494,32 @@ FROM openfeature-provider-java-base AS openfeature-provider-java.build
 
 RUN make build
 
+# ==============================================================================
+# Publish OpenFeature Provider (Java) to Maven Central
+# ==============================================================================
+FROM openfeature-provider-java.build AS openfeature-provider-java.install
+
+RUN --mount=type=secret,id=gpg_private_key \
+    gpg --batch --pinentry-mode loopback --import /run/secrets/gpg_private_key
+
+RUN --mount=type=secret,id=maven_settings \
+    --mount=type=secret,id=gpg_pass,env=MAVEN_GPG_PASSPHRASE \
+    mvn -q -s /run/secrets/maven_settings --batch-mode install \
+        -Dgpg.pinentry-mode=loopback
+
 # ==============================================================================
 # Publish OpenFeature Provider (Java) to Maven Central
 # ==============================================================================
 FROM openfeature-provider-java.build AS openfeature-provider-java.publish
 
 # Import GPG private key and deploy to Maven Central
-RUN --mount=type=secret,id=maven_settings,target=/root/.m2/settings.xml \
-    --mount=type=secret,id=gpg_private_key \
-    --mount=type=secret,id=gpg_pass \
-    # Import GPG key
-    cat /run/secrets/gpg_private_key | gpg --batch --import && \
-    # Deploy to Maven Central
-    mvn -Dgpg.passphrase="$(cat /run/secrets/gpg_pass)" --batch-mode deploy
+RUN --mount=type=secret,id=gpg_private_key \
+    gpg --batch --pinentry-mode loopback --import /run/secrets/gpg_private_key
+
+RUN --mount=type=secret,id=maven_settings \
+    --mount=type=secret,id=gpg_pass,env=MAVEN_GPG_PASSPHRASE \
+    mvn -s /run/secrets/maven_settings --batch-mode deploy \
+        -Dgpg.pinentry-mode=loopback
 
 # ==============================================================================
 # All - Build and validate everything (default target)

openfeature-provider/java/Makefile

@@ -24,7 +24,7 @@ $(RESOURCES_WASM): $(LOCAL_WASM)
 	@cp -p $(LOCAL_WASM) $@
 
 $(BUILD_STAMP): pom.xml $(RESOURCES_WASM) $(SRC)
-	mvn package -DskipTests
+	mvn -q package -DskipTests
 	@touch $@
 
 build: $(BUILD_STAMP)