Any repo that wants to use gha-scala-library-release-workflow needs to supply release credentials to the workflow:
- Sonatype OSSRH username & password
- PGP signing key - used for signing artifacts, and the Git release tag.
- GitHub App private key - used for jobs in the release workflow to authenticate & perform actions as the GitHub App with the GitHub API.

For any given organisation, a single set of credentials can be shared as GitHub Organization-level secrets (so that each individual developer doesn't need their own set of credentials) - you just need to make sure your repo has access to those secrets.

Guardian developers: We use guardian/github-secret-access to grant repos access to the necessary Organisation secrets - you need to raise a PR (like this example PR) which will grant access to these:

- AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN
- AUTOMATED_MAVEN_RELEASE_PGP_SECRET
- AUTOMATED_MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY

See the docs on generating new credentials if your organisation is working with gha-scala-library-release-workflow for the very first time, or if you need to rotate the shared credentials.