From 23a148a03cf71bb2093a91f047d3c368adcdf45c Mon Sep 17 00:00:00 2001
From: Roberto Tyley
Date: Tue, 16 Jan 2024 11:55:21 +0000
Subject: [PATCH] Explicitly switch to Sonatype token authentication

Token auth is now mandatory: https://github.com/xerial/sbt-sonatype/pull/464#issuecomment-2179047911

In January 2024, Sonatype started actively discouraging the legacy username & password method of authentication, recommending token authentication instead:

* https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests
* https://central.sonatype.org/publish/generate-token/

In this new scheme, the token is still split into a username/password format, and both are randomised strings, making the username portion a meaningful secret (ie one that can be revoked) and so worthy of being treated as a secret.
---
 .github/workflows/reusable-release.yml | 14 +++++--------
 docs/credentials/generating-credentials.md | 24 ++++++++++++++++++----
 docs/credentials/supplying-credentials.md | 2 +-
 3 files changed, 26 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
index ee384a6..8688694 100644
--- a/.github/workflows/reusable-release.yml
+++ b/.github/workflows/reusable-release.yml
@@ -20,14 +20,9 @@ on:
 default: 'oss.sonatype.org' # The default host is going to be whatever "com.gu" is using
 required: false # ...but if you're not the Guardian, you'll want to set this explicitly
 type: string
- SONATYPE_USERNAME:
- description: 'Sonatype username'
- default: 'guardian.automated.maven.release' # Only for use by the Guardian!
- required: false # Must be supplied if used by a non-Guardian project
- type: string
 secrets:
- SONATYPE_PASSWORD:
- description: 'Password for the SONATYPE_USERNAME account - used to authenticate when uploading artifacts'
+ SONATYPE_TOKEN:
+ description: 'Sonatype authentication token, colon-separated (username:password) - https://central.sonatype.org/publish/generate-token/'
 required: true
 PGP_PRIVATE_KEY:
 description:
@@ -416,9 +411,10 @@ jobs:
 cache: sbt # the issue described in https://github.com/actions/setup-java/pull/564 doesn't affect this step (no version.sbt)
 - name: Release
 env:
- SONATYPE_USERNAME: ${{ inputs.SONATYPE_USERNAME }}
- SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+ SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
 run: |
+ export SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}" # See https://github.com/xerial/sbt-sonatype/pull/62
+ export SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"
 sbt "sonatypeBundleRelease"
 
 github-release:
diff --git a/docs/credentials/generating-credentials.md b/docs/credentials/generating-credentials.md
index 5f94aa3..cafc9e8 100644
--- a/docs/credentials/generating-credentials.md
+++ b/docs/credentials/generating-credentials.md
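Review bot: The two `export` lines in the Release step derive SONATYPE_USERNAME and SONATYPE_PASSWORD from the secret but never mask them, and GitHub Actions masks only the exact value of `secrets.SONATYPE_TOKEN`, not substrings of it. The commit message itself treats the username half as a revocable secret, so if sbt-sonatype ever prints the username (for instance in an authentication failure message) it would land in the job log in clear text; an `echo "::add-mask::$SONATYPE_USERNAME"` (and the same for the password) immediately after the split closes that gap. The split is also silent when the secret contains no colon: both parameter expansions then yield the whole token, so a mis-pasted secret only surfaces as a rejected upload downstream rather than as a clear failure, which a `case "$SONATYPE_TOKEN" in *:*) ;; *) exit 1 ;; esac` guard before the exports would make explicit. Separately, the SONATYPE_TOKEN description in the first hunk could note that the token must be generated on the same host as SONATYPE_CREDENTIAL_HOST, as the docs change in this commit explains.
```yaml
      run: |
        case "$SONATYPE_TOKEN" in
          *:*) ;;
          *) echo "::error::SONATYPE_TOKEN must be a colon-separated username:password token"; exit 1 ;;
        esac
        export SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}" # See https://github.com/xerial/sbt-sonatype/pull/62
        export SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"
        echo "::add-mask::$SONATYPE_USERNAME"
        echo "::add-mask::$SONATYPE_PASSWORD"
        sbt "sonatypeBundleRelease"
```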
@@ -3,9 +3,25 @@
 Normally you'll be using [shared organisation-wide credentials](supplying-credentials.md),
 but if you need to rotate those credentials, or just create some new ones for your organisation:
 
-## Updating a Sonatype OSSRH user's password
-
-See [Sonatype's instructions](https://central.sonatype.org/faq/ossrh-password/).
+## Updating a Sonatype OSSRH Token username & password
+
+As of [January 2024](https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests),
+Sonatype is actively discouraging the legacy username & password method of authentication, recommending
+[token authentication](https://central.sonatype.org/publish/generate-token/)
+(see link for token-regenerating instructions).
+
+Note these points:
+
+* The token is in a colon:separated username/password format, and _both_ username & password are randomised & revocable
+ secret strings.
+* Tokens generated on either https://oss.sonatype.org/ or https://s01.oss.sonatype.org/ will be _different_, and
+ **a token generated on one will not work on the other**. So, eg, if your `SONATYPE_CREDENTIAL_HOST` is `s01.oss.sonatype.org`,
+ you'll need to use a token _generated_ on `s01.oss.sonatype.org`. Remember that the `SONATYPE_CREDENTIAL_HOST` you
+ use is [dictated](https://github.com/xerial/sbt-sonatype/pull/461) by which Sonatype OSSRH server your **profile**
+ is hosted on.
+ **Guardian developers:** currently the Guardian's `com.gu` profile is hosted on `oss.sonatype.org`, so the token we
+ use must be generated [there](https://oss.sonatype.org/), logged in with the `guardian.automated.maven.release`
+ account.
 
 ## Generating a new PGP key
 
@@ -26,4 +42,4 @@ See [GitHub's instructions](https://docs.github.com/en/apps/creating-github-apps
 release workflow, see [Setting up the GitHub App](github-app.md) first.
 
 **Guardian developers:** Here's a direct link to our GitHub App settings page, where you can generate a new private key:
-https://github.com/organizations/guardian/settings/apps/gu-scala-library-release
\ No newline at end of file
+https://github.com/organizations/guardian/settings/apps/gu-scala-library-release
diff --git a/docs/credentials/supplying-credentials.md b/docs/credentials/supplying-credentials.md
index 5ecc0c6..12e97a4 100644
--- a/docs/credentials/supplying-credentials.md
+++ b/docs/credentials/supplying-credentials.md
@@ -20,7 +20,7 @@ has _access_ to those secrets.
 to grant repos access to the necessary Organisation secrets - you need to raise a PR (like [this example PR](https://github.com/guardian/github-secret-access/pull/24)) which will grant access to these:
-* `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD`
+* `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN`
 * `AUTOMATED_MAVEN_RELEASE_PGP_SECRET`
 * `AUTOMATED_MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY`