How to use GPG key in github actions?

I am trying to do a Maven deploy via GitHub Actions and I am getting the below error:

gpg: directory '/home/runner/.gnupg' created
gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  13.272 s
[INFO] Finished at: 2020-04-06T12:18:44Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.5:sign (sign-artifacts) on project pretty-simple-jar: Exit code: 2 -> [Help 1]

I understand that I need to somehow import my GPG secret key into the virtual runner where the Actions workflow is running, but I cannot figure out a way to import my secret key into the virtual runner via the GitHub Actions workflow.

Below is my workflow:

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up Maven Central Repository
        uses: actions/setup-java@v1
        with:
          java-version: 1.8
      - name: Display settings.xml
        run: |
          echo "<settings><servers><server><id>ossrh</id><username>${{ secrets.OSSRH_USERNAME }}</username><password>${{ secrets.OSSRH_TOKEN }}</password></server></servers><profiles><profile><id>ossrh</id><activation><activeByDefault>true</activeByDefault></activation><properties><gpg.keyname>${{ secrets.GPG_KEY_ID }}</gpg.keyname><gpg.passphrase>'${{ secrets.GPG_PASSPHRASE }}'</gpg.passphrase></properties></profile></profiles></settings>" > /home/runner/.m2/settings.xml
          cat /home/runner/.m2/settings.xml
      - name: Build Maven Project
        run: mvn clean install
      - name: Publish to Apache Maven Central
        run: mvn deploy
Rishab Prasad asked Apr 08 '20 08:04

1 Answer

As GitHub Actions is basically a container that runs commands, have you considered defining your key as a secret on your project and then importing it in your GitHub Action definition?

Here are the steps I previously used on a project to publish the generated artifacts to Sonatype's staging repository:

  • Open a terminal window.
  • If you don't know your key ID, search it by e-mail: gpg --list-secret-keys [email protected]
  • Export your key as Base64: gpg --export-secret-keys YOUR_ID_HERE | base64 > private.key
  • In your GitHub project, create a new Secret named GPG_SIGNING_KEY and paste the Base64 content of your key.
  • In your yml workflow file, include a step to import the key from the secret you just defined.
- name: Configure GPG Key
  run: |
    echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import
  env:
    GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}

So far it works very well, although there are a few limitations I couldn't solve:

  • Your GPG Key should not be protected by a password. I couldn't figure out a way to import the protected keys without being asked for their secret.
  • I couldn't find a way to use my GitHub GPG Key for this process.

Just in case, here is a working example of a project using this approach to publish Maven artifacts. The only difference from the steps above, though, is that the commands were externalized into a bash script file.

Miere answered Oct 06 '22 23:10
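The import step from the answer above, as an added example that is not the answer author's or the project's code: it decodes the base64 secret, checks that it really is a binary OpenPGP secret key before calling gpg, imports it into a throwaway GNUPGHOME with loopback pinentry (which also covers a passphrase-protected key, going beyond the answer's unprotected-key case), and refuses to continue unless the expected fingerprint is present. The secret names GPG_PASSPHRASE and GPG_FINGERPRINT and all function names are assumptions; GPG_SIGNING_KEY is the secret from the answer.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer. Assumed repository secrets:
# GPG_SIGNING_KEY (base64 of `gpg --export-secret-keys`, as in the answer),
# GPG_PASSPHRASE (empty if the key has none) and GPG_FINGERPRINT (expected key).
set -eu

# Print the OpenPGP packet tag of a binary key file's first byte (RFC 4880 4.2),
# or -1 if that byte is not a packet header. A secret key exported without --armor
# starts with a Secret-Key packet, tag 5, so a mis-pasted or armored secret fails early.
openpgp_first_tag() {
  local b
  b=$(od -An -tu1 -N1 "$1" | tr -d ' ')
  [ -n "$b" ] || { echo -1; return 0; }              # empty file
  if [ $((b & 128)) -eq 0 ]; then echo -1             # bit 7 clear: not a packet header
  elif [ $((b & 64)) -ne 0 ]; then echo $((b & 63))   # new format: tag in the low 6 bits
  else echo $(((b >> 2) & 15))                         # old format: tag in bits 2-5
  fi
}

# Decode the base64 secret into file $2; fail if it is empty or not a secret key.
decode_signing_key() {
  local key_b64="$1" out="$2"
  [ -n "$key_b64" ] || { echo "GPG_SIGNING_KEY is empty" >&2; return 1; }
  printf '%s' "$key_b64" | base64 --decode > "$out"
  [ "$(openpgp_first_tag "$out")" -eq 5 ] \
    || { echo "decoded secret is not a binary OpenPGP secret key" >&2; return 1; }
}

# Import into a throwaway GNUPGHOME without any prompt (loopback pinentry also
# covers passphrase-protected keys), then require the expected fingerprint to be
# present so a wrong or swapped secret cannot silently sign the release.
import_signing_key() {
  local key_b64="$1" passphrase="$2" expected_fpr="$3" keyfile
  export GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"
  chmod 700 "$GNUPGHOME"
  keyfile="$GNUPGHOME/signing.key"
  decode_signing_key "$key_b64" "$keyfile"
  gpg --batch --yes --pinentry-mode loopback --passphrase "$passphrase" --import "$keyfile"
  rm -f "$keyfile"
  # --with-colons prints "fpr:::::::::<FINGERPRINT>:" records; exit 1 unless ours is listed
  gpg --batch --with-colons --list-secret-keys \
    | awk -F: -v want="$expected_fpr" '$1 == "fpr" && $10 == want { found = 1 } END { exit !found }'
}

# Workflow usage (values passed via env:, as in the answer's step); skipped when unset.
if [ -n "${GPG_SIGNING_KEY:-}" ]; then
  import_signing_key "$GPG_SIGNING_KEY" "${GPG_PASSPHRASE:-}" "${GPG_FINGERPRINT:-}"
fi
```

When the key does carry a passphrase, maven-gpg-plugin must also be configured to pass `--pinentry-mode loopback` (via its `gpgArguments` setting) so that gpg 2.1+ accepts the passphrase the plugin supplies instead of trying to open a pinentry dialog on the runner.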