
Bind publish job to Main environment #189

Merged: kirich1409 merged 1 commit into main from ci/publish-environment on May 17, 2026

@kirich1409
Contributor

Summary

  • Secrets (MAVEN_CENTRAL_*, GPG_*) are declared at the environment level (Main), not at the repo level.
  • Without environment: Main on the publish job, GitHub Actions injects empty values into ${{ secrets.* }}, surfacing as Could not read PGP secret key when Gradle's signing plugin tries to use an empty signingInMemoryKey.
  • This is the actual root cause of the failing tag publish (Prepare 1.0.0-Beta1 release #188 v1.0.0-Beta1) — the secret values themselves were fine.

Test plan

Secrets are declared at the environment level (Main), not at the
repo level. Without binding the publish job to that environment,
GitHub Actions injects empty values for MAVEN_CENTRAL_* and GPG_*,
causing signing to fail with "Could not read PGP secret key".
Copilot AI review requested due to automatic review settings May 17, 2026 16:12
@qodo-code-review

Review Summary by Qodo

Bind publish job to Main environment for secrets

🐞 Bug fix


Walkthroughs

Description
• Bind publish job to Main environment for secret access
• Fixes signing failures due to empty secret injection
• Resolves root cause of failed v1.0.0-Beta1 tag publish
Diagram
flowchart LR
  A["Publish Job"] -- "environment: Main" --> B["Access Environment Secrets"]
  B --> C["MAVEN_CENTRAL_* & GPG_*"]
  C --> D["Gradle Signing Plugin"]
  D --> E["Successful Maven Central Upload"]

File Changes

1. .github/workflows/publish.yml 🐞 Bug fix +1/-0

Add environment binding to publish job

• Added environment: Main binding to publish job
• Ensures GitHub Actions injects secret values from Main environment
• Fixes "Could not read PGP secret key" error during signing


Copilot AI left a comment


Pull request overview

Binds the publish job in publish.yml to the Main GitHub Actions environment so that environment-scoped secrets (Maven Central credentials and GPG signing key) are injected into the workflow, fixing the failing tag publish where empty secrets caused Could not read PGP secret key.

Changes:

  • Add environment: Main to the publish job in .github/workflows/publish.yml.

@kirich1409 kirich1409 merged commit 7c9c9e7 into main May 17, 2026
11 of 12 checks passed
@kirich1409 kirich1409 deleted the ci/publish-environment branch May 17, 2026 16:13
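
An added example, not part of this pull request or the project's workflow: a fail-fast check that could run as the first step of a publish job, so that secrets resolved to empty strings (the situation this PR describes) stop the run with a clear message before Gradle's signing plugin is reached. The function name and the EXAMPLE_* variable names are assumptions; substitute the variables the job actually maps from its secrets.

```shell
#!/bin/sh
# Added example (not the project's code). GitHub Actions resolves a secret the
# job cannot see to an empty string, so a missing environment binding shows up
# in the job as empty variables rather than as an explicit error.

# check_required_secrets NAME...
# Reports the NAMES (never the values) of variables that are unset or empty.
# Returns 0 if all are non-empty, 1 if any is empty, 2 on an invalid name.
check_required_secrets() {
  _crs_missing=""
  for _crs_name in "$@"; do
    # Validate before eval so only plain identifiers are ever expanded.
    case "$_crs_name" in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "invalid variable name" >&2
        return 2 ;;
    esac
    eval "_crs_value=\${$_crs_name-}"
    [ -n "$_crs_value" ] || _crs_missing="$_crs_missing $_crs_name"
  done
  unset _crs_value
  if [ -n "$_crs_missing" ]; then
    # "::error::" is the workflow command that renders as an error annotation.
    echo "::error::empty or unset:$_crs_missing (is the job bound to the environment that holds these secrets?)"
    return 1
  fi
}

# Constructed demo values: EXAMPLE_GPG_KEY mimics a secret that was injected
# as an empty string. In a real job, use "|| exit 1" instead of the echo.
EXAMPLE_MAVEN_USER="constructed-user"
EXAMPLE_GPG_KEY=""
check_required_secrets EXAMPLE_MAVEN_USER EXAMPLE_GPG_KEY \
  || echo "publish step would stop here"
```
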