Follow-up: Automatic Releases to Maven Central with Travis and SBT

2017-10-02

Recently, the author of monix shared an interesting piece of advice regarding the publication of your library's artifacts in an automated fashion.

In order to do the same for a fork of courier that I’m maintaining, I followed Alex’s post. During the process, I had a few issues and I’ll share them here, along with the solutions so that it might help others that go the same route.

I have published to Sonatype before, and I’ve also used Travis and its encrypted data capabilities before, so I might forget some details. If you think anything is missing, let me know and I’ll update the post.

Sonatype

If you use Sonatype, your artifacts will be synched automatically to Maven Central. Unfortunately, to push to Sonatype, there’s a manual process involved.

You will need to create a JIRA and the steps are described here. It’s only after your project’s repository has been created that you will be able to upload artifacts.

GPG

As Alex points out, you need to sign your artifacts to upload to Sonatype. He suggests that you should generate a key for this project. I agree with that.

As of GPG 2.1, --gen-key will use default settings for some options (key length of 2048 and an expiration date of 2 years as of this writing). You might not want this for your project. You can have GPG ask all the questions by using this command instead: --full-generate-key.

@alexelcu shares a command to export the public and private key that you generated for the project:

gpg --no-default-keyring \
  --primary-keyring `pwd`/project/.gnupg/pubring.gpg \
  --secret-keyring `pwd`/project/.gnupg/secring.gpg \
  --keyring `pwd`/project/.gnupg/pubring.gpg \
  --fingerprint \
  --import path/to/my-key.asc

As of GPG 2.1, --secret-keyring has been deprecated. This means the option is completely ignored and the secring.gpg file will not be generated.

To generate the file, you can use the following command:

gpg --export-secret-keys 2673B174C4071B0E > `pwd`/project/.gnupg/secring.gpg

The sbt plugin will eventually be updated. This GitHub issue tracks the update: https://github.com/sbt/sbt-pgp/issues/72.

Travis encrypted data

The original post explains how to automate publishing with Travis CI. As we said before, the artifacts must be signed before they can be uploaded to Sonatype. To achieve that with Travis, you must provide the build with a few sensitive pieces of information:

Travis allows you to encrypt data as environment variables. You can also encrypt files. If you use a strong and long passphrase, chances are high that it contains special characters like | and ! or >.

When Travis exports the data into your build environment, it processes it as a bash statement. So it’s important that you escape your passphrase properly when you encrypt it with the Travis CLI tool. See this section of the documentation for more details.
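To make the escaping issue concrete, here is an added example (not taken from the original post or from Travis) that quotes a passphrase and simulates the build evaluating it as a shell statement. The variable name DEMO_PASS, the helper function names and the sample passphrase are constructed for illustration, and the simulation assumes the build runs `export NAME=<decrypted text>` as described above.

```shell
#!/bin/sh
# Constructed sample passphrase with characters the shell treats specially.
SAMPLE_PASS="Tr|cky!pa>ss \$x 'q'"

# Quote a string so the shell reads it back as one literal word:
# wrap it in single quotes and rewrite each embedded ' as '\''.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Simulate the build environment: evaluate `export DEMO_PASS=<text>` as a
# shell statement and print the value the build would end up with.
simulate_build_export() {
  (
    tmp=$(mktemp -d) && cd "$tmp" || exit 1  # a raw '>' may create a stray file
    unset DEMO_PASS
    eval "export DEMO_PASS=$1" >/dev/null 2>&1 || true
    printf '%s' "${DEMO_PASS-}"
    cd / && rm -rf "$tmp"
  )
}

raw_result=$(simulate_build_export "$SAMPLE_PASS")
quoted_result=$(simulate_build_export "$(shell_quote "$SAMPLE_PASS")")

if [ "$raw_result" = "$SAMPLE_PASS" ]; then
  echo "raw:    intact"
else
  echo "raw:    mangled or lost"
fi
if [ "$quoted_result" = "$SAMPLE_PASS" ]; then
  echo "quoted: intact"
else
  echo "quoted: mangled or lost"
fi

# The quoted form is the text to hand to the Travis CLI, for example:
#   travis encrypt "DEMO_PASS=$(shell_quote "$SAMPLE_PASS")"
# (Printed here only because the value is a sample, never a real secret.)
echo "value to encrypt: DEMO_PASS=$(shell_quote "$SAMPLE_PASS")"
```

Running the same round trip locally on your real passphrase before encrypting it shows whether the signing step in the build will receive the value you intended.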

Example

Here is a list of all the changes I made to enable auto publishing: diff before and after. Note that there are 20 commits; that is the number of commits it took me to debug and find what I was doing wrong…

Note that this contains other unrelated changes like removing the Travis build matrix.