Maven dependency or JAR dependency?
Closed this issue · 13 comments
Maven Dependency
Just like how we can do dart pub add at_client for our flutter apps, could there be a way we can add a <dependency>...</dependency> in our own Java project's pom.xml?
JAR Dependency
Would it be reasonable to add a .jar file to the at_java repository under Releases?
For developers to download and add it as a dependency in their own Java projects (just like how I did it for Minecraft)
Yes, we should create a release workflow which could package up for download, make available via maven central etc
I got maven deployment working on my own personal java project
For uploading the artifact to maven central (via maven deploy) I followed instructions on Apache Maven which led me to instructions on Sonatype
I was able to get a maven project deployed on my own personal java project here.
To prove that it works, I added this dependency to another maven project and it worked fine:
<dependency>
  <groupId>io.github.jeremytubongbanua</groupId>
  <artifactId>java_repo_test</artifactId>
  <version>1.0-SNAPSHOT</version>
</dependency>
Slight Problem for at_java
There were a lot of things that had to be done like configuring pom.xml but a few things stood out to me @gkc that I don't know how to approach:
- A Sonatype JIRA account needs to be created so that we can submit a ticket to request permission to upload to maven central (see step 1). Here is the ticket that I made to get permission from them to upload my own personal java artifact
- A set of GPG keys is needed for signing the artifact, then the public key needs to be uploaded to a public key server like pgp.mit.edu.
- A hidden settings.xml file needs to be added to this repository which should contain the gpg key passphrase and the Sonatype JIRA username & password - so that when we run mvn deploy -s ~/settings.xml, it will authenticate us into Sonatype and upload the artifact to maven central. See example below
settings.xml (see the <password> </password> lines, these need to be kept secret)
<settings>
  <servers>
    <server>
      <id>ossrh</id>
      <username>x23mark</username>
      <password>SONATYPE JIRA PASSWORD</password>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>ossrh</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <properties>
        <gpg.executable>gpg2</gpg.executable>
        <gpg.passphrase>GPG KEY PASSPHRASE</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
</settings>
Where do we store the GPG keys and private hidden settings.xml? And is there a company account we can use to create an account on Sonatype JIRA?
This is one solution I've figured out on my own @gkc.. Perhaps you know of any better/easier solutions?
Continuing in PR45
@JeremyTubongbanua Maven dependency is the right solution (and there's nothing to stop people building their own jars if they wish). Let's try to get this done in PR46
Thank you @ksanty sorry for missing sprint
I'll try to get this done PR47 @gkc. It'll be the 2nd highest priority thing on my list this week
No worries @JeremyTubongbanua
Had to make a temporary repository to prove ownership to the OSSRH. https://github.com/atsign-foundation/OSSRH-85052
Found this link: https://central.sonatype.org/faq/verify-ownership/#answer. Later on, we can have our group id be com.atsign
Ticket was approved
Congratulations! Welcome to the Central Repository!
io.github.atsign-foundation has been prepared, now user(s) smoothalligator can:
Publish snapshot and release artifacts to s01.oss.sonatype.org
Have a look at this section of our official guide for deployment instructions:
https://central.sonatype.org/publish/publish-guide/#deployment
Depending on your build configuration, your first component(s) might be released automatically after a successful deployment.
If that happens, you will see a comment on this ticket confirming that your artifact has synced to Maven Central.
If you do not see this comment within an hour or two, you can follow the steps in this section of our guide:
https://central.sonatype.org/publish/release/
######
As part of our efforts to improve the security and quality posture of the open source supply chain,
we plan to enable additional scanning of dependencies for security alerts soon. Since you're already
hosting your source code in Github, you can get these insights today by enabling Sonatype Lift.
Sonatype Lift is free forever on public repositories! Lift tells you about open source vulnerabilities
during code review, and goes beyond open source to scan your code for both code quality and security issues,
providing feedback right in your pull requests.
More information can be found at https://links.sonatype.com/products/lift/github-integration
######
I privated the temporary repository and will delete it when I get the maven dependency working for certain.
If we want to give more users permission to release artifacts, then you will need a sonatype account. Instructions on adding/removing permissions can be found here
We're on the nexus repository manager https://s01.oss.sonatype.org/#nexus-search;quick~atsign
This should be the code as of Oct 4 4:49PM ET
<dependency>
  <groupId>io.github.atsign-foundation</groupId>
  <artifactId>client</artifactId>
  <version>1.0-SNAPSHOT</version>
</dependency>
Maven dependency is working now
<dependency>
  <groupId>io.github.atsign-foundation</groupId>
  <artifactId>client</artifactId>
  <version>1.0-SNAPSHOT</version>
</dependency>
But still a few issues if we want to automate this:
- Had to comment out the maven-javadoc-plugin because lots of javadocs are empty and are using incompatible(?) tags. Have to go through some tag dependency issues and empty javadocs so that we can deploy with javadocs.
- We need to make an Atsign account registered with [Sonatype JIRA] so that the account details (username and password) can be put in a settings.xml. The current pom.xml configuration looks into my local ~/.m2/settings.xml which has the username and password to my sonatype account. Read more here: https://central.sonatype.org/publish/publish-maven/#distribution-management-and-authentication
The settings.xml in my ~/.m2/ looks like this
settings.xml
<settings>
  <servers>
    <server>
      <id>ossrh</id>
      <username>smoothalligator</username>
      <password>*************</password>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>ossrh</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <properties>
        <gpg.executable>gpg2</gpg.executable>
        <gpg.passphrase>*********</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
</settings>
- The GPG keys for signing the artifacts are on my local machine... need to figure out how to keep them a secret in this repo while using them in ci/cd. So only I am able to do mvn deploy to maven central..
The <keyname> and <passphraseServerId> I think point to my local GPG keys.
pom.xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-gpg-plugin</artifactId>
  <version>1.5</version>
  <executions>
    <execution>
      <id>sign-artifacts</id>
      <phase>verify</phase>
      <goals>
        <goal>sign</goal>
      </goals>
      <configuration>
        <keyname>Jeremy Tubongbanua</keyname>
        <passphraseServerId>********</passphraseServerId>
      </configuration>
    </execution>
  </executions>
</plugin>
The pom.xml is in my own fork: https://github.com/JeremyTubongbanua/at_java/blob/maven-dependency/at_client/pom.xml
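Added example (not code from the at_java project or from any commenter): a check that could run before commit or in CI for the two comments above that ask where the settings.xml secrets should live. It flags credentials stored as literals in a settings.xml and accepts ${env.NAME} references or Maven-encrypted {...} values. The function names, the constructed sample file and the environment variable names OSSRH_PASSWORD and GPG_PASSPHRASE are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Elements that carry credentials in the settings.xml files shown in this thread.
SECRET_TAGS = {"password", "passphrase", "gpg.passphrase"}
ENV_REF = re.compile(r"^\$\{env\.[A-Za-z_][A-Za-z0-9_]*\}$")  # ${env.NAME}, resolved at build time
ENCRYPTED = re.compile(r"^\{.+\}$")  # shape of mvn --encrypt-password output

def local(tag):
    """Strip an XML namespace such as {http://maven.apache.org/SETTINGS/1.0.0}."""
    return tag.rsplit("}", 1)[-1]

def literal_secrets(settings_xml):
    """Return (element name, value length) for each credential stored as plain text.
    The value itself is never returned, so the report is safe to log."""
    findings = []
    for elem in ET.fromstring(settings_xml).iter():
        name, value = local(elem.tag), (elem.text or "").strip()
        if name not in SECRET_TAGS or not value:
            continue
        if ENV_REF.match(value) or ENCRYPTED.match(value):
            continue
        findings.append((name, len(value)))
    return findings

# Constructed sample modelled on the settings.xml in the thread (placeholder values).
PLAINTEXT = """<settings>
  <servers><server>
    <id>ossrh</id>
    <username>example-user</username>
    <password>SONATYPE JIRA PASSWORD</password>
  </server></servers>
  <profiles><profile>
    <id>ossrh</id>
    <properties>
      <gpg.executable>gpg2</gpg.executable>
      <gpg.passphrase>GPG KEY PASSPHRASE</gpg.passphrase>
    </properties>
  </profile></profiles>
</settings>"""

# Same file with values that can be committed; the variable names are assumptions.
FROM_ENV = (PLAINTEXT
            .replace("SONATYPE JIRA PASSWORD", "${env.OSSRH_PASSWORD}")
            .replace("GPG KEY PASSPHRASE", "${env.GPG_PASSPHRASE}"))

if __name__ == "__main__":
    for label, doc in (("plaintext", PLAINTEXT), ("from env", FROM_ENV)):
        print(label, literal_secrets(doc))
```

With the FROM_ENV form, the CI system injects the two variables from its secret store when mvn deploy runs, and the file in the repository contains no credential.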
@JeremyTubongbanua Can you link the PR please - is this complete now?