How to use a GPG key in GitHub Actions?
I am trying to do a Maven deploy via GitHub Actions and I am getting the below error:
gpg: directory '/home/runner/.gnupg' created
gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 13.272 s
[INFO] Finished at: 2020-04-06T12:18:44Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.5:sign (sign-artifacts) on project pretty-simple-jar: Exit code: 2 -> [Help 1]
I understand that I need to somehow import my GPG secret key into the virtual runner where the Actions workflow is running, but I cannot figure out a way to import my secret key into the virtual runner via the GitHub Actions workflow.
Below is my workflow:
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up Maven Central Repository
        uses: actions/setup-java@v1
        with:
          java-version: 1.8
      - name: Display settings.xml
        run: |
          echo "<settings><servers><server><id>ossrh</id><username>${{ secrets.OSSRH_USERNAME }}</username><password>${{ secrets.OSSRH_TOKEN }}</password></server></servers><profiles><profile><id>ossrh</id><activation><activeByDefault>true</activeByDefault></activation><properties><gpg.keyname>${{ secrets.GPG_KEY_ID }}</gpg.keyname><gpg.passphrase>'${{ secrets.GPG_PASSPHRASE }}'</gpg.passphrase></properties></profile></profiles></settings>" > /home/runner/.m2/settings.xml
          cat /home/runner/.m2/settings.xml
      - name: Build Maven Project
        run: mvn clean install
      - name: Publish to Apache Maven Central
        run: mvn deploy
Solution 1:[1]
Thank you everyone for your responses. I now use this GitHub Action, which makes the process much simpler:
Step 1: Extract the secret key
    gpg --list-secret-keys --keyid-format LONG
    gpg --export-secret-keys --armor {your_keyId}
Step 2: Store the extracted GPG key and passphrase as secrets
Step 3: Include this step in your workflow
    - name: Import GPG Key
      uses: crazy-max/ghaction-import-gpg@v1
      env:
        GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
Solution 2:[2]
As GitHub Actions is basically a container that runs commands, have you considered defining your key as a secret on your project and then importing it in your GitHub Action definition?
Here are the steps I previously used on a project to publish the generated artifacts to Sonatype's staging repository:
- Open a terminal window.
- If you don't know your key ID, search for it by e-mail:
    gpg --list-secret-keys [email protected]
- Export your key as Base64:
    gpg --export-secret-keys YOUR_ID_HERE | base64 > private.key
- In your GitHub project, create a new Secret named GPG_SIGNING_KEY and paste the Base64 content of your key.
- In your yml workflow file, include a step to import the key from your just-defined secret.
    - name: Configure GPG Key
      run: |
        echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import
      env:
        GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
So far, it works very well, although there are a few limitations I couldn't solve:
- Your GPG key should not be protected by a password. I couldn't figure out a way to import protected keys without being asked for their secret.
- I couldn't find a way to use my GitHub GPG key for this process.
Just in case, here is a working example of a project using this approach to publish Maven artifacts. The only difference from the steps above, though, is that the commands were externalized into a bash script file.
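The import step above, carried further as an added example (not code from any answer or project on this page): a POSIX shell snippet that imports an ASCII-armored, passphrase-protected secret key into an isolated keyring on a runner with no terminal, confirms the key can produce a verifiable detached signature, and removes the keyring afterwards. It assumes the key and passphrase arrive in the environment variables GPG_PRIVATE_KEY and GPG_PASSPHRASE (names chosen here) and GnuPG 2.1 or newer.

```shell
# Added example, not from any of the answers above. Assumes GPG_PRIVATE_KEY
# holds an ASCII-armored secret key and GPG_PASSPHRASE its passphrase
# (variable names chosen for this example), and gpg 2.1 or newer.
set -eu

# Keep the imported key out of the runner's default keyring by pointing
# gpg at a fresh, private directory for the rest of the job.
new_keyring() {
  GNUPGHOME="$(mktemp -d)"
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
}

# With --batch, gpg stores a protected key as-is and unlocks it on first
# use, so no passphrase prompt occurs at import time. Never echo or cat
# the key or settings.xml: the log masks registered secrets, not copies.
import_signing_key() {
  printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --quiet --yes --import
}

# Print the long key ID of the first secret key in the keyring; --with-colons
# is the stable machine-readable format (field 5 of the "sec" record).
imported_key_id() {
  gpg --batch --with-colons --list-secret-keys |
    awk -F: '$1 == "sec" && !seen { print $5; seen = 1 }'
}

# Produce a detached ASCII signature for "$1" with key "$2" and verify it.
# The passphrase goes in on stdin (fd 0) rather than --passphrase, so it
# never appears in the process list; loopback pinentry makes gpg read it.
sign_and_verify() {
  file="$1"; keyid="$2"
  printf '%s\n' "$GPG_PASSPHRASE" | gpg --batch --quiet --yes \
    --pinentry-mode loopback --passphrase-fd 0 --local-user "$keyid" \
    --armor --detach-sign --output "$file.asc" "$file"
  gpg --batch --quiet --verify "$file.asc" "$file" 2>/dev/null
}

# Stop the agent holding the key and delete the keyring so the secret does
# not outlive the job (hosted runners are ephemeral; self-hosted may not be).
cleanup_signing_key() {
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
}
```

In a workflow, call new_keyring and import_signing_key in one step, run mvn deploy with GNUPGHOME exported, and call cleanup_signing_key in a final step that also runs on failure.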
Solution 3:[3]
Adding a new answer, since this question is about using the GPG key in Maven deployments in particular:
In the meantime, the setup-java action supports everything out of the box, as documented in the README file:
    - name: Set up Apache Maven Central
      uses: actions/setup-java@v3
      with: # running setup-java again overwrites the settings.xml
        java-version: 8
        distribution: 'temurin'
        cache: 'maven'
        server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml
        server-username: OSSRH_USERNAME # env variable for username in deploy
        server-password: OSSRH_TOKEN # env variable for token in deploy
        gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
        gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
    - name: Publish to Apache Maven Central
      run: mvn deploy
      env:
        OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
        OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
        MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
Note that the setup-java action configures Maven's settings.xml file for you automatically and imports the GPG key from the given stored secret.
Be aware that during setup-java you only configure the names of the environment variables, i.e. you need to provide the (secret) values for these env variables in the later steps where you want to use them.
Solution 4:[4]
You can also use another plugin, https://www.simplify4u.org/sign-maven-plugin/, for signing artifacts.
sign-maven-plugin simply takes the signing key and the rest of the configuration items from environment variables without special configuration.
Another advantage of sign-maven-plugin is that you need not use profiles to activate or deactivate the plugin, because when the signing key is not present for the plugin, the plugin skips execution without error.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
---|---
Solution 1 | cokeman19
Solution 2 | user672009
Solution 3 |
Solution 4 | Slawomir Jaranowski