2727 java-version : ' 17'
2828 cache : maven
2929
30- # Import GPG only when secrets are present AND this isn't a forked PR
30+ # Import GPG only for trusted contexts (not forked PRs).
31+ # Don't reference the `secrets` context in this `if:`.
3132 - name : Import GPG (trusted contexts only)
32- if : ${{ secrets.OSSRH_GPG_SECRET_KEY != '' && secrets.OSSRH_GPG_SECRET_KEY_PASSWORD != '' && ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
33+ if : ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
3334 uses : actions/setup-java@v5
3435 with :
3536 distribution : temurin
@@ -39,15 +40,15 @@ jobs:
3940 gpg-passphrase : ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
4041
4142 - name : Configure pinentry & show key (trusted only)
42- if : ${{ secrets.OSSRH_GPG_SECRET_KEY != '' && secrets.OSSRH_GPG_SECRET_KEY_PASSWORD != '' && ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
43+ if : ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
4344 run : |
4445 mkdir -p ~/.gnupg && chmod 700 ~/.gnupg
4546 echo 'allow-loopback-pinentry' >> ~/.gnupg/gpg-agent.conf || true
4647 gpgconf --kill gpg-agent || true
4748 echo "=== Secret keys in CI keyring (if any) ==="
4849 gpg --batch --list-secret-keys --keyid-format LONG || true
4950
50- # Decide if we can sign (i.e., a signing-capable key is present)
51+ # Decide if a signing-capable key is present (works in all contexts )
5152 - name : Decide whether we can sign
5253 id : signable
5354 shell : bash
6061
6162 - name : Build & Verify (sign if possible, otherwise skip)
6263 env :
64+ # Passphrase will only exist in trusted contexts where secrets are injected
6365 MAVEN_GPG_PASSPHRASE : ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
6466 shell : bash
6567 run : |