Update github-build.yml

Author: skavanagh

.github/workflows/github-build.yml

@@ -12,20 +12,24 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
-      - uses: actions/checkout@v5
+      - name: Checkout
+        uses: actions/checkout@v5
 
-      - name: Set up Java (always)
+      # Always set up Java + Maven cache
+      - name: Set up Java (baseline)
         uses: actions/setup-java@v5
         with:
           distribution: temurin
           java-version: '17'
           cache: maven
 
-      # Only import the GPG key when secrets are available AND the PR is from this repo
+      # Import GPG only when secrets are present AND this isn't a forked PR
       - name: Import GPG (trusted contexts only)
-        if: ${{ secrets.OSSRH_GPG_SECRET_KEY != '' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+        if: ${{ secrets.OSSRH_GPG_SECRET_KEY != '' && secrets.OSSRH_GPG_SECRET_KEY_PASSWORD != '' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
         uses: actions/setup-java@v5
         with:
           distribution: temurin
@@ -34,27 +38,40 @@ jobs:
           gpg-private-key: ${{ secrets.OSSRH_GPG_SECRET_KEY }}
           gpg-passphrase:  ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
 
-      - name: Allow loopback pinentry + show key (trusted only)
-        if: ${{ secrets.OSSRH_GPG_SECRET_KEY != '' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+      - name: Configure pinentry & show key (trusted only)
+        if: ${{ secrets.OSSRH_GPG_SECRET_KEY != '' && secrets.OSSRH_GPG_SECRET_KEY_PASSWORD != '' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
         run: |
           mkdir -p ~/.gnupg && chmod 700 ~/.gnupg
           echo 'allow-loopback-pinentry' >> ~/.gnupg/gpg-agent.conf || true
           gpgconf --kill gpg-agent || true
-          gpg --batch --list-secret-keys --keyid-format LONG
+          echo "=== Secret keys in CI keyring (if any) ==="
+          gpg --batch --list-secret-keys --keyid-format LONG || true
+
+      # Decide if we can sign (i.e., a signing-capable key is present)
+      - name: Decide whether we can sign
+        id: signable
+        shell: bash
+        run: |
+          if gpg --batch --with-colons --list-secret-keys 2>/dev/null | grep -E '^(sec|ssb):' >/dev/null; then
+            echo "sign=true"  >> "$GITHUB_OUTPUT"
+          else
+            echo "sign=false" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Build & Verify (sign if possible, otherwise skip)
         env:
           MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+        shell: bash
         run: |
-          KEYID=$(gpg --batch --with-colons --list-secret-keys \
-            | awk -F: '($1=="ssb" && $12 ~ /s/) || ($1=="sec" && $12 ~ /s/){print $5; exit}')
-          if [ -n "$KEYID" ]; then
-            echo "Signing with key $KEYID"
+          if [ "${{ steps.signable.outputs.sign }}" = "true" ]; then
+            KEYID=$(gpg --batch --with-colons --list-secret-keys \
+              | awk -F: '($1=="ssb" && $12 ~ /s/) || ($1=="sec" && $12 ~ /s/){print $5; exit}')
+            echo "Signing with key: $KEYID"
             mvn --no-transfer-progress -B --update-snapshots \
               -Dgpg.keyname="$KEYID" \
               clean verify
           else
-            echo "No signing key in this context; skipping GPG signing."
+            echo "No signing key available in this context; skipping GPG signing."
             mvn --no-transfer-progress -B --update-snapshots \
               -Dgpg.skip=true \
               clean verify