build: experimenting -- do not merge

nicklasl · nicklasl · commit 2f168da0d9bf · 2025-10-24T15:36:09.000+02:00
diff --git a/.github/workflows/secrets-testing.yml b/.github/workflows/secrets-testing.yml
@@ -0,0 +1,51 @@
+name: Secrets Testing
+
+on:
+  push:
+    branches: [main,build-secrets-testing]
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  secrets-testing:
+    name: Secrets Testing
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Construct Maven settings file
+        run: |
+          cat > /tmp/maven_settings.xml <<'EOF'
+          <?xml version="1.0" encoding="UTF-8"?>
+          <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
+                                http://maven.apache.org/xsd/settings-1.0.0.xsd">
+            <servers>
+              <server>
+                <id>central</id>
+                <username>${{ secrets.MAVEN_USERNAME }}</username>
+                <password>${{ secrets.MAVEN_PASSWORD }}</password>
+              </server>
+            </servers>
+          </settings>
+          EOF
+
+      - name: Publish Java package with Docker
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: openfeature-provider-java.install
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository }}/cache:main
+          secrets: |
+            maven_settings=/tmp/maven_settings.xml
+            gpg_private_key=${{ secrets.GPG_PRIVATE_KEY }}
+            gpg_pass=${{ secrets.SIGN_KEY_PASS }}
diff --git a/Dockerfile b/Dockerfile
@@ -416,6 +416,15 @@ FROM openfeature-provider-js.test AS openfeature-provider-js.test_e2e
 RUN --mount=type=secret,id=js_e2e_test_env,target=.env.test \
     make test-e2e
 
+# ==============================================================================
+# Test Secrets
+# ==============================================================================
+FROM alpine AS secrets-testing.print
+
+# Never do this at home kids!
+RUN --mount=type=secret,id=test_secret,target=/run/secrets/secret.txt \
+    cp /run/secrets/secret.txt /secret.txt 
+
 # ==============================================================================
 # Build OpenFeature Provider
 # ==============================================================================
@@ -485,19 +494,35 @@ FROM openfeature-provider-java-base AS openfeature-provider-java.build
 
 RUN make build
 
+# ==============================================================================
+# Publish OpenFeature Provider (Java) to Maven Central
+# ==============================================================================
+FROM openfeature-provider-java.build AS openfeature-provider-java.install
+
+# Import GPG private key and deploy to Maven Central
+RUN --mount=type=secret,id=maven_settings \
+    --mount=type=secret,id=gpg_private_key \
+    --mount=type=secret,id=gpg_pass \
+    # Import GPG key
+    cat /run/secrets/gpg_private_key | gpg --batch --quiet --import && \
+    export MAVEN_GPG_PASSPHRASE=$(cat /run/secrets/gpg_pass) && \
+    # Install to Maven Local
+    mvn -s /run/secrets/maven_settings --batch-mode install
+
 # ==============================================================================
 # Publish OpenFeature Provider (Java) to Maven Central
 # ==============================================================================
 FROM openfeature-provider-java.build AS openfeature-provider-java.publish
 
 # Import GPG private key and deploy to Maven Central
-RUN --mount=type=secret,id=maven_settings,target=/root/.m2/settings.xml \
+RUN --mount=type=secret,id=maven_settings \
     --mount=type=secret,id=gpg_private_key \
     --mount=type=secret,id=gpg_pass \
+    --env=GPG_PASS=$(cat /run/secrets/gpg_pass) \
     # Import GPG key
     cat /run/secrets/gpg_private_key | gpg --batch --import && \
     # Deploy to Maven Central
-    mvn -Dgpg.passphrase="$(cat /run/secrets/gpg_pass)" --batch-mode deploy
+    mvn -s /run/secrets/maven_settings -Dgpg.passphrase="$(cat /run/secrets/gpg_pass)" --batch-mode deploy
 
 # ==============================================================================
 # All - Build and validate everything (default target)
