fix(jsii): unable to publish to Maven GitHub Packages (projen#950)
This pull request adapts the GitHub Actions job generation for Maven in a way that publishing to GitHub Packages (a) is possible again and (b) roughly matches the steps required for publishing npm to Packages. To do this, I ended up changing two things:

- the permissions of the job are set correctly to `packages: write` when needed (same logic as for npm)
- the `MAVEN_USERNAME` is set to be the GitHub Actor automatically if no override was given, as shown in the GitHub docs

To do the latter I introduced a concept of `expressions` to the `PublishJobOptions`, which allow more freedom than the secrets option, but use the same logic. I also converted the secrets implementation to use these expressions under the hood, so they are essentially a shortcut for an expression now.

Jobs that publish to Maven Central or other repositories will be generated in the same way still, however the `MAVEN_USERNAME` env variable moved spots (hence the change in release.yml).

I tested it in a private project and can confirm that it works now, see below for an excerpt from my test config and the result as a screenshot.

```typescript
const project = new AwsCdkConstructLibrary({
  publishToMaven: {
    javaPackage: 'com.github.mkerix.projenmaventest',
    mavenArtifactId: 'projen-maven-test',
    mavenGroupId: 'com.github.mkerix',
    mavenServerId: 'github',
    mavenRepositoryUrl: 'https://maven.pkg.github.com/mKeRix/projen-maven-test',
    mavenPassword: 'GITHUB_TOKEN',
  },
});
```

![Screenshot 2021-07-25 at 15 23 12](https://user-images.githubusercontent.com/770596/126900642-c5232aed-64f8-4835-a33b-0a791cff2add.png)

Closes projen#947.
mKeRix authored Jul 28, 2021
1 parent 18606bb commit 7db7b04
Showing 4 changed files with 114 additions and 53 deletions.
36 changes: 18 additions & 18 deletions API.md
Expand Up @@ -6631,13 +6631,13 @@ publishToMaven(options?: JsiiReleaseMaven): void

* **options** (<code>[release.JsiiReleaseMaven](#projen-release-jsiireleasemaven)</code>) Options.
* **mavenEndpoint** (<code>string</code>) URL of Nexus repository. __*Default*__: "https://oss.sonatype.org"
* **mavenGpgPrivateKeyPassphrase** (<code>string</code>) GitHub secret name which contains the GPG private key or file that includes it. __*Default*__: "MAVEN_GPG_PRIVATE_KEY_PASSPHRASE"
* **mavenGpgPrivateKeySecret** (<code>string</code>) GitHub secret name which contains the GPG private key or file that includes it. __*Default*__: "MAVEN_GPG_PRIVATE_KEY"
* **mavenPassword** (<code>string</code>) GitHub secret name which contains the Password for maven repository. __*Default*__: "MAVEN_PASSWORD"
* **mavenGpgPrivateKeyPassphrase** (<code>string</code>) GitHub secret name which contains the GPG private key or file that includes it. __*Default*__: "MAVEN_GPG_PRIVATE_KEY_PASSPHRASE" or not set when using GitHub Packages
* **mavenGpgPrivateKeySecret** (<code>string</code>) GitHub secret name which contains the GPG private key or file that includes it. __*Default*__: "MAVEN_GPG_PRIVATE_KEY" or not set when using GitHub Packages
* **mavenPassword** (<code>string</code>) GitHub secret name which contains the Password for maven repository. __*Default*__: "MAVEN_PASSWORD" or "GITHUB_TOKEN" when using GitHub Packages
* **mavenRepositoryUrl** (<code>string</code>) Deployment repository when not deploying to Maven Central. __*Default*__: not set
* **mavenServerId** (<code>string</code>) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub). __*Default*__: "ossrh" Defaults to Maven Central.
* **mavenStagingProfileId** (<code>string</code>) GitHub secret name which contains the Maven Central (sonatype) staging profile ID (e.g. 68a05363083174). Staging profile ID can be found in the URL of the "Releases" staging profile under "Staging Profiles" in https://oss.sonatype.org (e.g. https://oss.sonatype.org/#stagingProfiles;11a33451234521. __*Default*__: "MAVEN_STAGING_PROFILE_ID"
* **mavenUsername** (<code>string</code>) GitHub secret name which contains the Username for maven repository. __*Default*__: "MAVEN_USERNAME"
* **mavenServerId** (<code>string</code>) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub). __*Default*__: "ossrh" (Maven Central) or "github" when using GitHub Packages
* **mavenStagingProfileId** (<code>string</code>) GitHub secret name which contains the Maven Central (sonatype) staging profile ID (e.g. 68a05363083174). Staging profile ID can be found in the URL of the "Releases" staging profile under "Staging Profiles" in https://oss.sonatype.org (e.g. https://oss.sonatype.org/#stagingProfiles;11a33451234521). __*Default*__: "MAVEN_STAGING_PROFILE_ID" or not set when using GitHub Packages
* **mavenUsername** (<code>string</code>) GitHub secret name which contains the Username for maven repository. __*Default*__: "MAVEN_USERNAME" or the GitHub Actor when using GitHub Packages



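Review bot: The `mavenGpgPrivateKeyPassphrase` entry still carries the description of `mavenGpgPrivateKeySecret` ("GitHub secret name which contains the GPG private key or file that includes it"). Since the line is being rewritten anyway, change it to say that the secret holds the passphrase for the GPG key, so the two options are not confused when the repository secrets are set up.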
Expand Down Expand Up @@ -9642,13 +9642,13 @@ Name | Type | Description
**mavenArtifactId**🔹 | <code>string</code> | <span></span>
**mavenGroupId**🔹 | <code>string</code> | <span></span>
**mavenEndpoint**?🔹 | <code>string</code> | URL of Nexus repository.<br/>__*Default*__: "https://oss.sonatype.org"
**mavenGpgPrivateKeyPassphrase**?🔹 | <code>string</code> | GitHub secret name which contains the GPG private key or file that includes it.<br/>__*Default*__: "MAVEN_GPG_PRIVATE_KEY_PASSPHRASE"
**mavenGpgPrivateKeySecret**?🔹 | <code>string</code> | GitHub secret name which contains the GPG private key or file that includes it.<br/>__*Default*__: "MAVEN_GPG_PRIVATE_KEY"
**mavenPassword**?🔹 | <code>string</code> | GitHub secret name which contains the Password for maven repository.<br/>__*Default*__: "MAVEN_PASSWORD"
**mavenGpgPrivateKeyPassphrase**?🔹 | <code>string</code> | GitHub secret name which contains the GPG private key or file that includes it.<br/>__*Default*__: "MAVEN_GPG_PRIVATE_KEY_PASSPHRASE" or not set when using GitHub Packages
**mavenGpgPrivateKeySecret**?🔹 | <code>string</code> | GitHub secret name which contains the GPG private key or file that includes it.<br/>__*Default*__: "MAVEN_GPG_PRIVATE_KEY" or not set when using GitHub Packages
**mavenPassword**?🔹 | <code>string</code> | GitHub secret name which contains the Password for maven repository.<br/>__*Default*__: "MAVEN_PASSWORD" or "GITHUB_TOKEN" when using GitHub Packages
**mavenRepositoryUrl**?🔹 | <code>string</code> | Deployment repository when not deploying to Maven Central.<br/>__*Default*__: not set
**mavenServerId**?🔹 | <code>string</code> | Used in maven settings for credential lookup (e.g. use github when publishing to GitHub).<br/>__*Default*__: "ossrh" Defaults to Maven Central.
**mavenStagingProfileId**?🔹 | <code>string</code> | GitHub secret name which contains the Maven Central (sonatype) staging profile ID (e.g. 68a05363083174). Staging profile ID can be found in the URL of the "Releases" staging profile under "Staging Profiles" in https://oss.sonatype.org (e.g. https://oss.sonatype.org/#stagingProfiles;11a33451234521.<br/>__*Default*__: "MAVEN_STAGING_PROFILE_ID"
**mavenUsername**?🔹 | <code>string</code> | GitHub secret name which contains the Username for maven repository.<br/>__*Default*__: "MAVEN_USERNAME"
**mavenServerId**?🔹 | <code>string</code> | Used in maven settings for credential lookup (e.g. use github when publishing to GitHub).<br/>__*Default*__: "ossrh" (Maven Central) or "github" when using GitHub Packages
**mavenStagingProfileId**?🔹 | <code>string</code> | GitHub secret name which contains the Maven Central (sonatype) staging profile ID (e.g. 68a05363083174). Staging profile ID can be found in the URL of the "Releases" staging profile under "Staging Profiles" in https://oss.sonatype.org (e.g. https://oss.sonatype.org/#stagingProfiles;11a33451234521).<br/>__*Default*__: "MAVEN_STAGING_PROFILE_ID" or not set when using GitHub Packages
**mavenUsername**?🔹 | <code>string</code> | GitHub secret name which contains the Username for maven repository.<br/>__*Default*__: "MAVEN_USERNAME" or the GitHub Actor when using GitHub Packages



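Review bot: In the `mavenUsername` and `mavenPassword` rows the description still reads "GitHub secret name", but the new GitHub Packages defaults are not secret names the user supplies: per the tests the username becomes `${{ github.actor }}` and the password becomes `${{ secrets.GITHUB_TOKEN }}`. Say explicitly that in this mode the username is an expression rather than a secret lookup and the password is the workflow token, so readers know no repository secret has to be created.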
Expand Down Expand Up @@ -11422,13 +11422,13 @@ Options for Maven releases.
Name | Type | Description
-----|------|-------------
**mavenEndpoint**?🔹 | <code>string</code> | URL of Nexus repository.<br/>__*Default*__: "https://oss.sonatype.org"
**mavenGpgPrivateKeyPassphrase**?🔹 | <code>string</code> | GitHub secret name which contains the GPG private key or file that includes it.<br/>__*Default*__: "MAVEN_GPG_PRIVATE_KEY_PASSPHRASE"
**mavenGpgPrivateKeySecret**?🔹 | <code>string</code> | GitHub secret name which contains the GPG private key or file that includes it.<br/>__*Default*__: "MAVEN_GPG_PRIVATE_KEY"
**mavenPassword**?🔹 | <code>string</code> | GitHub secret name which contains the Password for maven repository.<br/>__*Default*__: "MAVEN_PASSWORD"
**mavenGpgPrivateKeyPassphrase**?🔹 | <code>string</code> | GitHub secret name which contains the GPG private key or file that includes it.<br/>__*Default*__: "MAVEN_GPG_PRIVATE_KEY_PASSPHRASE" or not set when using GitHub Packages
**mavenGpgPrivateKeySecret**?🔹 | <code>string</code> | GitHub secret name which contains the GPG private key or file that includes it.<br/>__*Default*__: "MAVEN_GPG_PRIVATE_KEY" or not set when using GitHub Packages
**mavenPassword**?🔹 | <code>string</code> | GitHub secret name which contains the Password for maven repository.<br/>__*Default*__: "MAVEN_PASSWORD" or "GITHUB_TOKEN" when using GitHub Packages
**mavenRepositoryUrl**?🔹 | <code>string</code> | Deployment repository when not deploying to Maven Central.<br/>__*Default*__: not set
**mavenServerId**?🔹 | <code>string</code> | Used in maven settings for credential lookup (e.g. use github when publishing to GitHub).<br/>__*Default*__: "ossrh" Defaults to Maven Central.
**mavenStagingProfileId**?🔹 | <code>string</code> | GitHub secret name which contains the Maven Central (sonatype) staging profile ID (e.g. 68a05363083174). Staging profile ID can be found in the URL of the "Releases" staging profile under "Staging Profiles" in https://oss.sonatype.org (e.g. https://oss.sonatype.org/#stagingProfiles;11a33451234521.<br/>__*Default*__: "MAVEN_STAGING_PROFILE_ID"
**mavenUsername**?🔹 | <code>string</code> | GitHub secret name which contains the Username for maven repository.<br/>__*Default*__: "MAVEN_USERNAME"
**mavenServerId**?🔹 | <code>string</code> | Used in maven settings for credential lookup (e.g. use github when publishing to GitHub).<br/>__*Default*__: "ossrh" (Maven Central) or "github" when using GitHub Packages
**mavenStagingProfileId**?🔹 | <code>string</code> | GitHub secret name which contains the Maven Central (sonatype) staging profile ID (e.g. 68a05363083174). Staging profile ID can be found in the URL of the "Releases" staging profile under "Staging Profiles" in https://oss.sonatype.org (e.g. https://oss.sonatype.org/#stagingProfiles;11a33451234521).<br/>__*Default*__: "MAVEN_STAGING_PROFILE_ID" or not set when using GitHub Packages
**mavenUsername**?🔹 | <code>string</code> | GitHub secret name which contains the Username for maven repository.<br/>__*Default*__: "MAVEN_USERNAME" or the GitHub Actor when using GitHub Packages



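Review bot: The `mavenServerId` row documents "github" only as a default, while the new test in `src/__tests__/jsii.test.ts` shows that any other value combined with a GitHub Packages URL throws ('publishing to GitHub Packages requires the "mavenServerId" to be "github"'). State that requirement in the description so an explicit override does not fail unexpectedly when the project is constructed.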
22 changes: 22 additions & 0 deletions docs/publisher.md
Expand Up @@ -48,3 +48,25 @@ publisher.publishToMaven(/* options */);

See API reference for options for each target.

## Publishing to GitHub Packages

Some targets come with dynamic defaults that support GitHub Packages.
If the respective registry URL is detected to be GitHub, other relevant options will automatically be set to fitting values.
It will also ensure that the workflow token has write permissions for Packages.

**npm**
```ts
publisher.publishToNpm({
registry: 'npm.pkg.github.com'
// also sets npmTokenSecret
})
```

**Maven**
```ts
publisher.publishToMaven({
mavenRepositoryUrl: 'https://maven.pkg.github.com/USER/REPO'
// also sets mavenServerId, mavenUsername, mavenPassword
// disables mavenGpgPrivateKeySecret, mavenGpgPrivateKeyPassphrase, mavenStagingProfileId
})
```
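Review bot: "If the respective registry URL is detected to be GitHub" in the new section does not say what is matched, and that detection is what gives the workflow token write permission for Packages. Document the rule that is applied (the examples suggest the `npm.pkg.github.com` and `maven.pkg.github.com` hosts) and name the permission that is added (`packages: write`, per the tests), so users can audit the generated release job against what they configured.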
29 changes: 25 additions & 4 deletions src/__tests__/jsii.test.ts
Expand Up @@ -72,8 +72,10 @@ describe('maven repository options', () => {

const workflow = outdir['.github/workflows/release.yml'];
expect(workflow).toContain('run: npx -p jsii-release@latest jsii-release-maven');
expect(workflow).toContain('MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}');
expect(workflow).not.toContainEqual('MAVEN_SERVER_ID');
expect(workflow).not.toContainEqual('MAVEN_REPOSITORY_URL');
expect(workflow).not.toContain('packages: write');
});

test('use nexus repo new endpoint', () => {
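Review bot: The context lines `expect(workflow).not.toContainEqual('MAVEN_SERVER_ID')` and `expect(workflow).not.toContainEqual('MAVEN_REPOSITORY_URL')` beside the added assertions look vacuous. `workflow` is a string (the new `toContain` calls rely on that), and `toContainEqual` on a string compares the expected value against its individual characters, so the negated form passes whatever the file contains. Switch both to `not.toContain(...)` while this test is being touched, otherwise the absence of the GitHub-specific variables is not actually verified.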
Expand Down Expand Up @@ -113,8 +115,10 @@ describe('maven repository options', () => {
const workflow = outdir['.github/workflows/release.yml'];
expect(workflow).toContain('run: npx -p jsii-release@latest jsii-release-maven');
expect(workflow).toContain('MAVEN_ENDPOINT: https://s01.oss.sonatype.org');
expect(workflow).toContain('MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}');
expect(workflow).not.toContainEqual('MAVEN_SERVER_ID');
expect(workflow).not.toContainEqual('MAVEN_REPOSITORY_URL');
expect(workflow).not.toContain('packages: write');
});

test('use github as repository', () => {
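Review bot: `expect(workflow).not.toContain('packages: write')` is a substring match over the whole `release.yml`, so it will fail as soon as any other job in that file needs the permission, and it does not say which job is expected to lack it. Asserting on the permissions of the Maven release job specifically would make this least-privilege check more robust. The `toContainEqual` lines in this hunk have the same problem as in the previous one.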
Expand All @@ -128,7 +132,6 @@ describe('maven repository options', () => {
javaPackage: 'com.github.eladb.watchful',
mavenGroupId: 'com.github.eladb',
mavenArtifactId: 'cdk-watchful',
mavenServerId: 'github',
mavenRepositoryUrl: 'https://maven.pkg.github.com/eladb',
},
defaultReleaseBranch: 'master',
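Review bot: With `mavenServerId: 'github'` dropped from this fixture, no test passes the value explicitly together with a `maven.pkg.github.com` URL any more. Keep one case that sets it explicitly, so the configuration existing users already have is covered as well as the inferred default.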
Expand All @@ -144,18 +147,36 @@ describe('maven repository options', () => {
MAVEN_REPOSITORY_URL: 'https://maven.pkg.github.com/eladb',
},
requiredEnv: [
'MAVEN_GPG_PRIVATE_KEY',
'MAVEN_GPG_PRIVATE_KEY_PASSPHRASE',
'MAVEN_PASSWORD',
'MAVEN_USERNAME',
'MAVEN_STAGING_PROFILE_ID',
],
steps: [{ exec: 'npx -p jsii-release@latest jsii-release-maven' }],
});

const workflow = outdir['.github/workflows/release.yml'];
expect(workflow).toContain('MAVEN_SERVER_ID: github');
expect(workflow).toContain('MAVEN_REPOSITORY_URL: https://maven.pkg.github.com/eladb');
expect(workflow).toContain('MAVEN_USERNAME: ${{ github.actor }}');
expect(workflow).toContain('MAVEN_PASSWORD: ${{ secrets.GITHUB_TOKEN }}');
expect(workflow).toContain('packages: write');
});

test('using github as repository with incorrect server id should throw', () => {
expect(() => new TestJsiiProject({
authorAddress: 'https://foo.bar',
authorUrl: 'https://foo.bar',
repositoryUrl: 'https://github.com/foo/bar.git',
author: 'My Name',
name: 'testproject',
publishToMaven: {
javaPackage: 'com.github.eladb.watchful',
mavenGroupId: 'com.github.eladb',
mavenArtifactId: 'cdk-watchful',
mavenServerId: 'something-else',
mavenRepositoryUrl: 'https://maven.pkg.github.com/eladb',
},
defaultReleaseBranch: 'master',
})).toThrow('publishing to GitHub Packages requires the "mavenServerId" to be "github"');
});
});

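Review bot: The GitHub Packages test asserts only the inferred `MAVEN_USERNAME: ${{ github.actor }}` and `MAVEN_PASSWORD: ${{ secrets.GITHUB_TOKEN }}`; nothing covers the "no override was given" condition the commit message describes. Add a case that sets `mavenUsername` or `mavenPassword` alongside the GitHub URL and asserts that the override is used, and one with `mavenServerId: 'github'` but a non-GitHub `mavenRepositoryUrl`, to pin down whether `packages: write` is granted in that case.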