Where to keep a GPG secret key for a Maven project in CI environment?

Question

I'm trying to use maven-gpg-plugin:sign in order to sign project artifacts before deployment to Sonatype OSS repository. The question is where shall I keep my secret key secring.gpg:

1. In continuous integration ~/.gnupg directory
2. In project source code, e.g. src/test/resources/gpg/secring.gpg

And why?

Answer 1

If key is sensitive put it in ~/.gnupg directory on CI server and protect that directory with proper access modifiers. 2nd approach will allow every developer with access to project to see key.