
Commit db2dffb

[Backport 2.19] Onboarding new maven snapshots publishing to s3 (security) (#5716)
Signed-off-by: Peter Zhu <zhujiaxi@amazon.com>
1 parent 2884769 commit db2dffb

3 files changed

Lines changed: 17 additions & 11 deletions


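--- a/.github/workflows/maven-publish.yml
+++ b/.github/workflows/maven-publish.yml
@@ -20,7 +20,7 @@ jobs:
 - uses: actions/setup-java@v4
 with:
 distribution: temurin # Temurin is a distribution of adoptium
-java-version: 11
+java-version: 21
 - uses: actions/checkout@v4
 - name: Load secret
 uses: 1password/load-secrets-action@v2
@@ -29,8 +29,13 @@ jobs:
 export-env: true
 env:
 OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-SONATYPE_USERNAME: op://opensearch-infra-secrets/maven-central-portal-credentials/username
-SONATYPE_PASSWORD: op://opensearch-infra-secrets/maven-central-portal-credentials/password
+MAVEN_SNAPSHOTS_S3_REPO: op://opensearch-infra-secrets/maven-snapshots-s3/repo
+MAVEN_SNAPSHOTS_S3_ROLE: op://opensearch-infra-secrets/maven-snapshots-s3/role
+- name: Configure AWS credentials
+uses: aws-actions/configure-aws-credentials@v5
+with:
+role-to-assume: ${{ env.MAVEN_SNAPSHOTS_S3_ROLE }}
+aws-region: us-east-1
 - name: publish snapshots to maven
 run: |
 ./gradlew --no-daemon publishPluginZipPublicationToSnapshotsRepository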
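Review bot: The new `Configure AWS credentials` step references `aws-actions/configure-aws-credentials@v5` by a mutable tag, in a job that then holds the role's temporary credentials and publishes artifacts. Pinning it to a full commit SHA, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v5` (placeholder SHA), keeps a retagged release from running with those credentials; the same applies to `1password/load-secrets-action@v2` on the context line above. The step passes only `role-to-assume`, so it presumably relies on GitHub OIDC, which needs `permissions: id-token: write` on the job. The job header and workflow triggers are outside this hunk, so confirm that permission is declared there and that the role's trust policy is limited to this repository and the branches that are meant to publish.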

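--- a/build.gradle
+++ b/build.gradle
@@ -44,7 +44,7 @@ buildscript {
 mavenLocal()
 mavenCentral()
 maven { url "https://plugins.gradle.org/m2/" }
-maven { url "https://central.sonatype.com/repository/maven-snapshots/" }
+maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" }
 maven { url "https://artifacts.opensearch.org/snapshots/lucene/" }
 maven { url "https://build.shibboleth.net/nexus/content/groups/public" }
 maven { url "https://build.shibboleth.net/nexus/content/repositories/releases" }
@@ -420,10 +420,11 @@ publishing {
 repositories {
 maven {
 name = "Snapshots" // optional target repository name
-url = "https://central.sonatype.com/repository/maven-snapshots/"
-credentials {
-username "$System.env.SONATYPE_USERNAME"
-password "$System.env.SONATYPE_PASSWORD"
+url = System.getenv("MAVEN_SNAPSHOTS_S3_REPO")
+credentials(AwsCredentials) {
+accessKey = System.getenv("AWS_ACCESS_KEY_ID")
+secretKey = System.getenv("AWS_SECRET_ACCESS_KEY")
+sessionToken = System.getenv("AWS_SESSION_TOKEN")
 }
 }
 }
@@ -433,7 +434,7 @@ repositories {
 mavenLocal()
 mavenCentral()
 maven { url "https://plugins.gradle.org/m2/" }
-maven { url "https://central.sonatype.com/repository/maven-snapshots/" }
+maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" }
 maven { url "https://artifacts.opensearch.org/snapshots/lucene/" }
 maven { url "https://build.shibboleth.net/nexus/content/repositories/releases" }
 }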
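Review bot: The snapshot repository added as `maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" }` in both the `buildscript` and the project `repositories` blocks has no content filter, so Gradle may resolve any group from it, including build-classpath plugins. Consider scoping it inside the `maven { }` block with `mavenContent { snapshotsOnly() }` and `content { includeGroupByRegex "org\\.opensearch.*" }`; the group pattern is an assumption, so use the groups actually published there. The same applies to the two hunks in bwc-test/build.gradle, where the snapshot repository is listed ahead of `mavenCentral()` and is therefore consulted first for any coordinate it serves. The surrounding `buildscript` and `repositories` blocks start and end outside these hunks, so an existing filter elsewhere in the file would not be visible here.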

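--- a/bwc-test/build.gradle
+++ b/bwc-test/build.gradle
@@ -51,7 +51,7 @@ buildscript {
 }
 repositories {
 mavenLocal()
-maven { url "https://central.sonatype.com/repository/maven-snapshots/" }
+maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" }
 mavenCentral()
 maven { url "https://plugins.gradle.org/m2/" }
 }
@@ -63,7 +63,7 @@ buildscript {
 
 repositories {
 mavenLocal()
-maven { url "https://central.sonatype.com/repository/maven-snapshots/" }
+maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" }
 mavenCentral()
 maven { url "https://plugins.gradle.org/m2/" }
 }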
