From 3384951fff0530e41845d5223ea5cf171d282d05 Mon Sep 17 00:00:00 2001 From: Bruno Borges Date: Tue, 14 Jul 2026 21:54:47 -0400 Subject: [PATCH 1/6] Use gpg.passphraseEnvName instead of gpg.passphrase server The maven-gpg-plugin's `gpg.passphrase`/`passphraseServerId` mechanism is deprecated and fails when the plugin's `bestPractices` mode is enabled. Stop writing the `gpg.passphrase` server to settings.xml and instead set `gpg.passphraseEnvName` via an active profile when the configured passphrase env var name differs from the plugin default (MAVEN_GPG_PASSPHRASE). The default `gpg-passphrase` input value (GPG_PASSPHRASE) is unchanged, so the plugin reads the same environment variable as before. Fixes #760 Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --- __tests__/auth.test.ts | 35 +++++++++++++++++++++++++++++++++-- dist/cleanup/index.js | 6 ++++++ dist/setup/index.js | 29 ++++++++++++++++++++++++----- docs/advanced-usage.md | 24 ++++++++++++++++++------ src/auth.ts | 25 ++++++++++++++++++++----- src/constants.ts | 8 ++++++++ 6 files changed, 109 insertions(+), 18 deletions(-) diff --git a/__tests__/auth.test.ts b/__tests__/auth.test.ts index 7ed675616..0c0da081b 100644 --- a/__tests__/auth.test.ts +++ b/__tests__/auth.test.ts @@ -228,9 +228,40 @@ describe('auth tests', () => { \${env.${username}} \${env.&<>"''"><&} + + + + setup-java-gpg + + ${gpgPassphrase} + + + + + setup-java-gpg + +`; + + expect(auth.generate(id, username, password, gpgPassphrase)).toEqual( + expectedSettings + ); + }); + + it('does not add a gpg profile when the passphrase env var is the maven-gpg-plugin default', () => { + const id = 'packages'; + const username = 'USER'; + const password = '&<>"\'\'"><&'; + const gpgPassphrase = 'MAVEN_GPG_PASSPHRASE'; + + const expectedSettings = ` + false + - gpg.passphrase - \${env.${gpgPassphrase}} + ${id} + \${env.${username}} + \${env.&<>"''"><&} `; diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index e710603ce..40b7bac3c 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -95849,6 +95849,12 @@ const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key'; const INPUT_GPG_PASSPHRASE = 'gpg-passphrase'; const INPUT_DEFAULT_GPG_PRIVATE_KEY = (/* unused pure expression or super */ null && (undefined)); const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE'; +// The default name of the environment variable the maven-gpg-plugin reads the +// passphrase from (property `gpg.passphraseEnvName`). When the configured +// passphrase env var name matches this, no extra configuration is required. +const MAVEN_GPG_PASSPHRASE_DEFAULT_ENV = 'MAVEN_GPG_PASSPHRASE'; +// Id of the settings.xml profile used to set `gpg.passphraseEnvName`. +const GPG_PASSPHRASE_PROFILE_ID = 'setup-java-gpg'; const INPUT_CACHE = 'cache'; const INPUT_CACHE_DEPENDENCY_PATH = 'cache-dependency-path'; const INPUT_JOB_STATUS = 'job-status'; diff --git a/dist/setup/index.js b/dist/setup/index.js index f34566919..ee21689e6 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -73294,6 +73294,12 @@ const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key'; const INPUT_GPG_PASSPHRASE = 'gpg-passphrase'; const INPUT_DEFAULT_GPG_PRIVATE_KEY = undefined; const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE'; +// The default name of the environment variable the maven-gpg-plugin reads the +// passphrase from (property `gpg.passphraseEnvName`). When the configured +// passphrase env var name matches this, no extra configuration is required. +const MAVEN_GPG_PASSPHRASE_DEFAULT_ENV = 'MAVEN_GPG_PASSPHRASE'; +// Id of the settings.xml profile used to set `gpg.passphraseEnvName`. +const GPG_PASSPHRASE_PROFILE_ID = 'setup-java-gpg'; const INPUT_CACHE = 'cache'; const INPUT_CACHE_DEPENDENCY_PATH = 'cache-dependency-path'; const constants_INPUT_JOB_STATUS = 'job-status'; @@ -127311,12 +127317,25 @@ function generate(id, username, password, gpgPassphrase) { } } }; - if (gpgPassphrase) { - const gpgServer = { - id: 'gpg.passphrase', - passphrase: `\${env.${gpgPassphrase}}` + // The maven-gpg-plugin reads the passphrase from the environment variable + // named by the `gpg.passphraseEnvName` property (default MAVEN_GPG_PASSPHRASE). + // Only configure it when the requested env var name differs from that default; + // otherwise the plugin already reads the right variable and no extra settings + // are needed. Writing `gpg.passphrase` to settings.xml is deprecated and fails + // when the plugin's `bestPractices` mode is enabled. + if (gpgPassphrase && + gpgPassphrase !== MAVEN_GPG_PASSPHRASE_DEFAULT_ENV) { + xmlObj.settings.profiles = { + profile: { + id: GPG_PASSPHRASE_PROFILE_ID, + properties: { + 'gpg.passphraseEnvName': gpgPassphrase + } + } + }; + xmlObj.settings.activeProfiles = { + activeProfile: GPG_PASSPHRASE_PROFILE_ID }; - xmlObj.settings.servers.server.push(gpgServer); } return (0,lib/* create */.vt)(xmlObj).end({ headless: true, diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 28c6d192e..8a112afc3 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -682,15 +682,27 @@ If you use `maven-gpg-plugin` older than 3.2.0, or you prefer signing with the ` MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }} ``` -With these inputs, setup-java adds a `gpg.passphrase` server to the generated `settings.xml`: +The `gpg-passphrase` input is the **name of the environment variable** that holds the passphrase (not the passphrase itself). The [Maven GPG Plugin](https://maven.apache.org/plugins/maven-gpg-plugin/) reads the passphrase from the environment variable named by its `gpg.passphraseEnvName` property, which defaults to `MAVEN_GPG_PASSPHRASE`. + +- If `gpg-passphrase` is `MAVEN_GPG_PASSPHRASE`, the plugin already reads that variable by default, so setup-java writes nothing extra to `settings.xml`. +- If `gpg-passphrase` is any other name, setup-java configures `gpg.passphraseEnvName` through an active profile in the generated `settings.xml` so the plugin reads the passphrase from that variable: ```xml - - gpg.passphrase - ${env.MAVEN_GPG_PASSPHRASE} - + + + setup-java-gpg + + GPG_PASSPHRASE + + + + + setup-java-gpg + ``` +> **Note:** Earlier versions of setup-java wrote a `gpg.passphrase` server to `settings.xml`. That mechanism is deprecated by the Maven GPG Plugin and fails when its `bestPractices` mode is enabled, so setup-java now relies on `gpg.passphraseEnvName` instead. + When signing with the `gpg` executable, the Maven GPG Plugin configuration in your `pom.xml` should contain the following structure to avoid possible issues like `Inappropriate ioctl for device` or `gpg: signing failed: No such file or directory`: ```xml @@ -703,7 +715,7 @@ When signing with the `gpg` executable, the Maven GPG Plugin configuration in yo ``` -GPG 2.1 requires `--pinentry-mode` to be set to `loopback` in order to pick up the `gpg.passphrase` value defined in Maven `settings.xml`. +GPG 2.1 requires `--pinentry-mode` to be set to `loopback` in order to read the passphrase non-interactively. ***NOTE***: If, when using the default `gpg` signer, the error `gpg: Sorry, no terminal at all requested - can't get input` [is encountered](https://github.com/actions/setup-java/issues/554), please update the version of `maven-gpg-plugin` to 1.6 or higher. diff --git a/src/auth.ts b/src/auth.ts index 2f0ac6087..4d9dde821 100644 --- a/src/auth.ts +++ b/src/auth.ts @@ -93,12 +93,27 @@ export function generate( } }; - if (gpgPassphrase) { - const gpgServer = { - id: 'gpg.passphrase', - passphrase: `\${env.${gpgPassphrase}}` + // The maven-gpg-plugin reads the passphrase from the environment variable + // named by the `gpg.passphraseEnvName` property (default MAVEN_GPG_PASSPHRASE). + // Only configure it when the requested env var name differs from that default; + // otherwise the plugin already reads the right variable and no extra settings + // are needed. Writing `gpg.passphrase` to settings.xml is deprecated and fails + // when the plugin's `bestPractices` mode is enabled. + if ( + gpgPassphrase && + gpgPassphrase !== constants.MAVEN_GPG_PASSPHRASE_DEFAULT_ENV + ) { + xmlObj.settings.profiles = { + profile: { + id: constants.GPG_PASSPHRASE_PROFILE_ID, + properties: { + 'gpg.passphraseEnvName': gpgPassphrase + } + } + }; + xmlObj.settings.activeProfiles = { + activeProfile: constants.GPG_PASSPHRASE_PROFILE_ID }; - xmlObj.settings.servers.server.push(gpgServer); } return xmlCreate(xmlObj).end({ diff --git a/src/constants.ts b/src/constants.ts index 2f7362b05..d3ac9c59c 100644 --- a/src/constants.ts +++ b/src/constants.ts @@ -21,6 +21,14 @@ export const INPUT_GPG_PASSPHRASE = 'gpg-passphrase'; export const INPUT_DEFAULT_GPG_PRIVATE_KEY = undefined; export const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE'; +// The default name of the environment variable the maven-gpg-plugin reads the +// passphrase from (property `gpg.passphraseEnvName`). When the configured +// passphrase env var name matches this, no extra configuration is required. +export const MAVEN_GPG_PASSPHRASE_DEFAULT_ENV = 'MAVEN_GPG_PASSPHRASE'; + +// Id of the settings.xml profile used to set `gpg.passphraseEnvName`. +export const GPG_PASSPHRASE_PROFILE_ID = 'setup-java-gpg'; + export const INPUT_CACHE = 'cache'; export const INPUT_CACHE_DEPENDENCY_PATH = 'cache-dependency-path'; export const INPUT_JOB_STATUS = 'job-status'; From ad30989163da66d0d16be5a86568213ca2cd9e9b Mon Sep 17 00:00:00 2001 From: Bruno Borges Date: Tue, 14 Jul 2026 22:05:25 -0400 Subject: [PATCH 2/6] Fix settings.xml publishing validation Update the publishing e2e check to assert the settings.xml generated when gpg-passphrase is MAVEN_GPG_PASSPHRASE. In that default case the action no longer writes a gpg.passphrase server entry. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1 --- .github/workflows/e2e-publishing.yml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/.github/workflows/e2e-publishing.yml b/.github/workflows/e2e-publishing.yml index 02a6b2596..873160592 100644 --- a/.github/workflows/e2e-publishing.yml +++ b/.github/workflows/e2e-publishing.yml @@ -46,13 +46,25 @@ jobs: $xmlPath = Join-Path $HOME ".m2" "settings.xml" Get-Content $xmlPath | ForEach-Object { Write-Host $_ } - [xml]$xml = Get-Content $xmlPath - $servers = $xml.settings.servers.server - if (($servers[0].id -ne 'maven') -or ($servers[0].username -ne '${env.MAVEN_USERNAME}') -or ($servers[0].password -ne '${env.MAVEN_CENTRAL_TOKEN}')) { - throw "Generated XML file is incorrect" - } + $content = [System.IO.File]::ReadAllText($xmlPath) + $expected = @( + '' + ' false' + ' ' + ' ' + ' maven' + ' ${env.MAVEN_USERNAME}' + ' ${env.MAVEN_CENTRAL_TOKEN}' + ' ' + ' ' + '' + ) -join "`n" - if (($servers[1].id -ne 'gpg.passphrase') -or ($servers[1].passphrase -ne '${env.MAVEN_GPG_PASSPHRASE}')) { + if ($content -ne $expected) { + Write-Host "Expected settings.xml:" + $expected -split "`n" | ForEach-Object { Write-Host $_ } throw "Generated XML file is incorrect" } From 4dbb381e91d9a7627fc62e9a568c422c8b438bdb Mon Sep 17 00:00:00 2001 From: Bruno Borges Date: Tue, 14 Jul 2026 22:18:37 -0400 Subject: [PATCH 3/6] Default gpg-passphrase to MAVEN_GPG_PASSPHRASE Align the default `gpg-passphrase` input value with the maven-gpg-plugin default environment variable name (MAVEN_GPG_PASSPHRASE). With this default, setup-java writes no extra GPG configuration to settings.xml and the plugin reads the passphrase from MAVEN_GPG_PASSPHRASE out of the box. Also document that reading the passphrase from an environment variable via `gpg.passphraseEnvName` requires maven-gpg-plugin 3.2.0 or newer. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1 --- README.md | 2 +- action.yml | 2 +- dist/cleanup/index.js | 2 +- dist/setup/index.js | 2 +- docs/advanced-usage.md | 8 +++++--- src/constants.ts | 2 +- 6 files changed, 10 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 199c53d56..607f3733c 100644 --- a/README.md +++ b/README.md @@ -70,7 +70,7 @@ For more details, see the full release notes on the [releases page](https://git - `gpg-private-key`: GPG private key to import. Default is empty string. - - `gpg-passphrase`: Environment variable name for the GPG private key passphrase. Default is GPG_PASSPHRASE. + - `gpg-passphrase`: Environment variable name for the GPG private key passphrase. Default is MAVEN_GPG_PASSPHRASE. - `mvn-toolchain-id`: Name of Maven Toolchain ID if the default name of `${distribution}_${java-version}` is not wanted. diff --git a/action.yml b/action.yml index f7027a831..611c98f84 100644 --- a/action.yml +++ b/action.yml @@ -68,7 +68,7 @@ inputs: required: false default: '' gpg-passphrase: - description: 'Environment variable name for the GPG private key passphrase. Defaults to GPG_PASSPHRASE when gpg-private-key is set; ignored otherwise.' + description: 'Environment variable name for the GPG private key passphrase. Defaults to MAVEN_GPG_PASSPHRASE when gpg-private-key is set; ignored otherwise.' required: false cache: description: 'Name of the build platform to cache dependencies. It can be "maven", "gradle" or "sbt".' diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index 40b7bac3c..1bfe5e3d9 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -95848,7 +95848,7 @@ const INPUT_OVERWRITE_SETTINGS = 'overwrite-settings'; const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key'; const INPUT_GPG_PASSPHRASE = 'gpg-passphrase'; const INPUT_DEFAULT_GPG_PRIVATE_KEY = (/* unused pure expression or super */ null && (undefined)); -const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE'; +const INPUT_DEFAULT_GPG_PASSPHRASE = 'MAVEN_GPG_PASSPHRASE'; // The default name of the environment variable the maven-gpg-plugin reads the // passphrase from (property `gpg.passphraseEnvName`). When the configured // passphrase env var name matches this, no extra configuration is required. diff --git a/dist/setup/index.js b/dist/setup/index.js index ee21689e6..192f5f4c3 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -73293,7 +73293,7 @@ const INPUT_OVERWRITE_SETTINGS = 'overwrite-settings'; const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key'; const INPUT_GPG_PASSPHRASE = 'gpg-passphrase'; const INPUT_DEFAULT_GPG_PRIVATE_KEY = undefined; -const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE'; +const INPUT_DEFAULT_GPG_PASSPHRASE = 'MAVEN_GPG_PASSPHRASE'; // The default name of the environment variable the maven-gpg-plugin reads the // passphrase from (property `gpg.passphraseEnvName`). When the configured // passphrase env var name matches this, no extra configuration is required. diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 8a112afc3..4fa5c55b3 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -682,10 +682,10 @@ If you use `maven-gpg-plugin` older than 3.2.0, or you prefer signing with the ` MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }} ``` -The `gpg-passphrase` input is the **name of the environment variable** that holds the passphrase (not the passphrase itself). The [Maven GPG Plugin](https://maven.apache.org/plugins/maven-gpg-plugin/) reads the passphrase from the environment variable named by its `gpg.passphraseEnvName` property, which defaults to `MAVEN_GPG_PASSPHRASE`. +The `gpg-passphrase` input is the **name of the environment variable** that holds the passphrase (not the passphrase itself). It defaults to `MAVEN_GPG_PASSPHRASE`, matching the [Maven GPG Plugin](https://maven.apache.org/plugins/maven-gpg-plugin/), which reads the passphrase from the environment variable named by its `gpg.passphraseEnvName` property (default `MAVEN_GPG_PASSPHRASE`). -- If `gpg-passphrase` is `MAVEN_GPG_PASSPHRASE`, the plugin already reads that variable by default, so setup-java writes nothing extra to `settings.xml`. -- If `gpg-passphrase` is any other name, setup-java configures `gpg.passphraseEnvName` through an active profile in the generated `settings.xml` so the plugin reads the passphrase from that variable: +- If `gpg-passphrase` is `MAVEN_GPG_PASSPHRASE` (the default), the plugin already reads that variable, so setup-java writes nothing extra to `settings.xml`. +- If `gpg-passphrase` is any other name, setup-java configures `gpg.passphraseEnvName` through an active profile in the generated `settings.xml` so the plugin reads the passphrase from that variable. For example, with `gpg-passphrase: GPG_PASSPHRASE`: ```xml @@ -703,6 +703,8 @@ The `gpg-passphrase` input is the **name of the environment variable** that hold > **Note:** Earlier versions of setup-java wrote a `gpg.passphrase` server to `settings.xml`. That mechanism is deprecated by the Maven GPG Plugin and fails when its `bestPractices` mode is enabled, so setup-java now relies on `gpg.passphraseEnvName` instead. +> **Compatibility note:** Reading the passphrase from an environment variable (`gpg.passphraseEnvName`, default `MAVEN_GPG_PASSPHRASE`) requires `maven-gpg-plugin` 3.2.0 or newer. Older versions do not honor this property and will not pick up the passphrase, because setup-java no longer writes the deprecated `gpg.passphrase` server to `settings.xml`. If you are pinned to `maven-gpg-plugin` older than 3.2.0, upgrade to 3.2.0+ (recommended) or supply the passphrase through a mechanism supported by your plugin version. + When signing with the `gpg` executable, the Maven GPG Plugin configuration in your `pom.xml` should contain the following structure to avoid possible issues like `Inappropriate ioctl for device` or `gpg: signing failed: No such file or directory`: ```xml diff --git a/src/constants.ts b/src/constants.ts index d3ac9c59c..4a7879c45 100644 --- a/src/constants.ts +++ b/src/constants.ts @@ -19,7 +19,7 @@ export const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key'; export const INPUT_GPG_PASSPHRASE = 'gpg-passphrase'; export const INPUT_DEFAULT_GPG_PRIVATE_KEY = undefined; -export const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE'; +export const INPUT_DEFAULT_GPG_PASSPHRASE = 'MAVEN_GPG_PASSPHRASE'; // The default name of the environment variable the maven-gpg-plugin reads the // passphrase from (property `gpg.passphraseEnvName`). When the configured From 171be5af2f05375a5a08fc5ff5c53b450f066e63 Mon Sep 17 00:00:00 2001 From: Bruno Borges Date: Tue, 14 Jul 2026 22:22:08 -0400 Subject: [PATCH 4/6] Document gpg-passphrase breaking change in V6 Add a "Breaking changes in V6" section to the README covering the switch to gpg.passphraseEnvName, the new MAVEN_GPG_PASSPHRASE default, and the maven-gpg-plugin 3.2.0+ requirement. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1 --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 607f3733c..a479715fb 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,14 @@ This action allows you to work with Java and Scala projects. - **Migrated to ESM** to enable support for the latest `@actions/*` package versions. This is an internal implementation change only. No changes are required to your workflow configuration, and the action's behavior is unchanged. Existing workflows continue to work as before. +## Breaking changes in V6 + +- **GPG passphrase is now passed to the Maven GPG Plugin via an environment variable instead of a `settings.xml` server.** setup-java no longer writes the deprecated `gpg.passphrase` server to `settings.xml`; it relies on the plugin's `gpg.passphraseEnvName` mechanism instead. As part of this: + - The default value of the `gpg-passphrase` input changed from `GPG_PASSPHRASE` to `MAVEN_GPG_PASSPHRASE` (the Maven GPG Plugin default). If you relied on the old default, set a `MAVEN_GPG_PASSPHRASE` environment variable in your build step, or pass `gpg-passphrase: GPG_PASSPHRASE` explicitly to keep the previous name. + - This requires `maven-gpg-plugin` **3.2.0 or newer**. Older versions do not honor `gpg.passphraseEnvName` and will no longer pick up the passphrase, since the `gpg.passphrase` server is no longer written. Upgrade the plugin to 3.2.0+. + + See [GPG](docs/advanced-usage.md#gpg) for details. + ## Breaking changes in V5 - Upgraded action from node20 to node24 From 0d4af386ec5fd3a8fdc2f705bae15635906b2fcc Mon Sep 17 00:00:00 2001 From: Bruno Borges Date: Tue, 14 Jul 2026 22:26:12 -0400 Subject: [PATCH 5/6] Keep GPG_PASSPHRASE default for v5 compatibility Revert the gpg-passphrase input default back to GPG_PASSPHRASE so existing v5 workflows that set the GPG_PASSPHRASE environment variable keep working without changes. setup-java writes gpg.passphraseEnvName=GPG_PASSPHRASE into an active profile, so the maven-gpg-plugin reads the same variable as before. The only remaining compatibility requirement is maven-gpg-plugin 3.2.0+, which is documented in the README and advanced usage guide. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1 --- README.md | 6 ++---- action.yml | 2 +- dist/cleanup/index.js | 2 +- dist/setup/index.js | 2 +- docs/advanced-usage.md | 10 +++++----- src/constants.ts | 2 +- 6 files changed, 11 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index a479715fb..8310fe7de 100644 --- a/README.md +++ b/README.md @@ -24,9 +24,7 @@ This action allows you to work with Java and Scala projects. ## Breaking changes in V6 -- **GPG passphrase is now passed to the Maven GPG Plugin via an environment variable instead of a `settings.xml` server.** setup-java no longer writes the deprecated `gpg.passphrase` server to `settings.xml`; it relies on the plugin's `gpg.passphraseEnvName` mechanism instead. As part of this: - - The default value of the `gpg-passphrase` input changed from `GPG_PASSPHRASE` to `MAVEN_GPG_PASSPHRASE` (the Maven GPG Plugin default). If you relied on the old default, set a `MAVEN_GPG_PASSPHRASE` environment variable in your build step, or pass `gpg-passphrase: GPG_PASSPHRASE` explicitly to keep the previous name. - - This requires `maven-gpg-plugin` **3.2.0 or newer**. Older versions do not honor `gpg.passphraseEnvName` and will no longer pick up the passphrase, since the `gpg.passphrase` server is no longer written. Upgrade the plugin to 3.2.0+. +- **The GPG passphrase is now passed to the Maven GPG Plugin through an environment variable (`gpg.passphraseEnvName`) instead of the deprecated `gpg.passphrase` server in `settings.xml`.** The `gpg-passphrase` input and its default (`GPG_PASSPHRASE`) are unchanged, so if you already set that environment variable in your build step your workflow keeps working. However, this now requires `maven-gpg-plugin` **3.2.0 or newer**; older versions do not honor `gpg.passphraseEnvName` and, because the `gpg.passphrase` server is no longer written, will not pick up the passphrase. Upgrade the plugin to 3.2.0+. See [GPG](docs/advanced-usage.md#gpg) for details. @@ -78,7 +76,7 @@ For more details, see the full release notes on the [releases page](https://git - `gpg-private-key`: GPG private key to import. Default is empty string. - - `gpg-passphrase`: Environment variable name for the GPG private key passphrase. Default is MAVEN_GPG_PASSPHRASE. + - `gpg-passphrase`: Environment variable name for the GPG private key passphrase. Default is GPG_PASSPHRASE. - `mvn-toolchain-id`: Name of Maven Toolchain ID if the default name of `${distribution}_${java-version}` is not wanted. diff --git a/action.yml b/action.yml index 611c98f84..f7027a831 100644 --- a/action.yml +++ b/action.yml @@ -68,7 +68,7 @@ inputs: required: false default: '' gpg-passphrase: - description: 'Environment variable name for the GPG private key passphrase. Defaults to MAVEN_GPG_PASSPHRASE when gpg-private-key is set; ignored otherwise.' + description: 'Environment variable name for the GPG private key passphrase. Defaults to GPG_PASSPHRASE when gpg-private-key is set; ignored otherwise.' required: false cache: description: 'Name of the build platform to cache dependencies. It can be "maven", "gradle" or "sbt".' diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index 1bfe5e3d9..40b7bac3c 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -95848,7 +95848,7 @@ const INPUT_OVERWRITE_SETTINGS = 'overwrite-settings'; const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key'; const INPUT_GPG_PASSPHRASE = 'gpg-passphrase'; const INPUT_DEFAULT_GPG_PRIVATE_KEY = (/* unused pure expression or super */ null && (undefined)); -const INPUT_DEFAULT_GPG_PASSPHRASE = 'MAVEN_GPG_PASSPHRASE'; +const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE'; // The default name of the environment variable the maven-gpg-plugin reads the // passphrase from (property `gpg.passphraseEnvName`). When the configured // passphrase env var name matches this, no extra configuration is required. diff --git a/dist/setup/index.js b/dist/setup/index.js index 192f5f4c3..ee21689e6 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -73293,7 +73293,7 @@ const INPUT_OVERWRITE_SETTINGS = 'overwrite-settings'; const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key'; const INPUT_GPG_PASSPHRASE = 'gpg-passphrase'; const INPUT_DEFAULT_GPG_PRIVATE_KEY = undefined; -const INPUT_DEFAULT_GPG_PASSPHRASE = 'MAVEN_GPG_PASSPHRASE'; +const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE'; // The default name of the environment variable the maven-gpg-plugin reads the // passphrase from (property `gpg.passphraseEnvName`). When the configured // passphrase env var name matches this, no extra configuration is required. diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 4fa5c55b3..477cc3fca 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -682,10 +682,10 @@ If you use `maven-gpg-plugin` older than 3.2.0, or you prefer signing with the ` MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }} ``` -The `gpg-passphrase` input is the **name of the environment variable** that holds the passphrase (not the passphrase itself). It defaults to `MAVEN_GPG_PASSPHRASE`, matching the [Maven GPG Plugin](https://maven.apache.org/plugins/maven-gpg-plugin/), which reads the passphrase from the environment variable named by its `gpg.passphraseEnvName` property (default `MAVEN_GPG_PASSPHRASE`). +The `gpg-passphrase` input is the **name of the environment variable** that holds the passphrase (not the passphrase itself). It defaults to `GPG_PASSPHRASE`. The [Maven GPG Plugin](https://maven.apache.org/plugins/maven-gpg-plugin/) reads the passphrase from the environment variable named by its `gpg.passphraseEnvName` property, whose own default is `MAVEN_GPG_PASSPHRASE`. -- If `gpg-passphrase` is `MAVEN_GPG_PASSPHRASE` (the default), the plugin already reads that variable, so setup-java writes nothing extra to `settings.xml`. -- If `gpg-passphrase` is any other name, setup-java configures `gpg.passphraseEnvName` through an active profile in the generated `settings.xml` so the plugin reads the passphrase from that variable. For example, with `gpg-passphrase: GPG_PASSPHRASE`: +- If `gpg-passphrase` is `MAVEN_GPG_PASSPHRASE`, the plugin already reads that variable by default, so setup-java writes nothing extra to `settings.xml`. +- Otherwise (including the default `GPG_PASSPHRASE`), setup-java configures `gpg.passphraseEnvName` through an active profile in the generated `settings.xml` so the plugin reads the passphrase from that variable. For the default `gpg-passphrase: GPG_PASSPHRASE`: ```xml @@ -701,9 +701,9 @@ The `gpg-passphrase` input is the **name of the environment variable** that hold ``` -> **Note:** Earlier versions of setup-java wrote a `gpg.passphrase` server to `settings.xml`. That mechanism is deprecated by the Maven GPG Plugin and fails when its `bestPractices` mode is enabled, so setup-java now relies on `gpg.passphraseEnvName` instead. +> **Note:** Earlier versions of setup-java wrote a `gpg.passphrase` server to `settings.xml`. That mechanism is deprecated by the Maven GPG Plugin and fails when its `bestPractices` mode is enabled, so setup-java now relies on `gpg.passphraseEnvName` instead. The `gpg-passphrase` input and its `GPG_PASSPHRASE` default are unchanged, so existing workflows that set the `GPG_PASSPHRASE` environment variable keep working. -> **Compatibility note:** Reading the passphrase from an environment variable (`gpg.passphraseEnvName`, default `MAVEN_GPG_PASSPHRASE`) requires `maven-gpg-plugin` 3.2.0 or newer. Older versions do not honor this property and will not pick up the passphrase, because setup-java no longer writes the deprecated `gpg.passphrase` server to `settings.xml`. If you are pinned to `maven-gpg-plugin` older than 3.2.0, upgrade to 3.2.0+ (recommended) or supply the passphrase through a mechanism supported by your plugin version. +> **Compatibility note:** Reading the passphrase from an environment variable (`gpg.passphraseEnvName`) requires `maven-gpg-plugin` 3.2.0 or newer. Older versions do not honor this property and will not pick up the passphrase, because setup-java no longer writes the deprecated `gpg.passphrase` server to `settings.xml`. If you are pinned to `maven-gpg-plugin` older than 3.2.0, upgrade to 3.2.0+. When signing with the `gpg` executable, the Maven GPG Plugin configuration in your `pom.xml` should contain the following structure to avoid possible issues like `Inappropriate ioctl for device` or `gpg: signing failed: No such file or directory`: diff --git a/src/constants.ts b/src/constants.ts index 4a7879c45..d3ac9c59c 100644 --- a/src/constants.ts +++ b/src/constants.ts @@ -19,7 +19,7 @@ export const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key'; export const INPUT_GPG_PASSPHRASE = 'gpg-passphrase'; export const INPUT_DEFAULT_GPG_PRIVATE_KEY = undefined; -export const INPUT_DEFAULT_GPG_PASSPHRASE = 'MAVEN_GPG_PASSPHRASE'; +export const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE'; // The default name of the environment variable the maven-gpg-plugin reads the // passphrase from (property `gpg.passphraseEnvName`). When the configured From 23a0b517131d6ef9d0281a240317974bbeaaa6bb Mon Sep 17 00:00:00 2001 From: Bruno Borges Date: Wed, 15 Jul 2026 10:06:29 -0400 Subject: [PATCH 6/6] Clarify GPG passphrase profile compatibility Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 7d0a510e-aebf-4ec4-a667-efeb3e4edeb1 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/advanced-usage.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 477cc3fca..762b31268 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -660,7 +660,9 @@ See the help docs on [Publishing a Package](https://help.github.com/en/github/ma #### Legacy / alternative: let setup-java import the key -If you use `maven-gpg-plugin` older than 3.2.0, or you prefer signing with the `gpg` executable, you can let setup-java import the key instead by providing the `gpg-private-key` and `gpg-passphrase` inputs. The private key is written to a file in the runner's temp directory, imported into the GPG keychain, and the file is promptly removed before proceeding with the rest of the setup process. A cleanup step removes the imported private key from the GPG keychain after the job completes regardless of the job status. This ensures that the private key is no longer accessible on self-hosted runners and cannot "leak" between jobs (hosted runners are always clean instances). +If you prefer signing with the `gpg` executable (for example because you are using `maven-gpg-plugin` older than 3.2.0), you can let setup-java import the key instead by providing the `gpg-private-key` and `gpg-passphrase` inputs. The private key is written to a file in the runner's temp directory, imported into the GPG keychain, and the file is promptly removed before proceeding with the rest of the setup process. A cleanup step removes the imported private key from the GPG keychain after the job completes regardless of the job status. This ensures that the private key is no longer accessible on self-hosted runners and cannot "leak" between jobs (hosted runners are always clean instances). + +setup-java imports the key independently of the plugin version, but the generated passphrase profile described below uses `gpg.passphraseEnvName`, which requires `maven-gpg-plugin` 3.2.0 or newer. Since `gpg-passphrase` defaults to `GPG_PASSPHRASE`, setup-java writes that profile unless you override the input to `MAVEN_GPG_PASSPHRASE`. ```yaml - name: Set up Apache Maven Central