Ensure GitHub Releases include asc files (#632)

jodastephen · web-flow · commit 5a595be9df8a · 2022-08-25T12:19:36.000+01:00
Add OpenSSF badge https://bestpractices.coreinfrastructure.org/en/projects/6310
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -9,9 +9,9 @@ on:
     tags:
       - 'v*'
       - 'website*'
-  pull_request_target:
+  pull_request:
     branches:
-      - '*'
+      - 'main'
 
 permissions:
   contents: read
diff --git a/.github/workflows/tzdbupdate.yml b/.github/workflows/tzdbupdate.yml
@@ -8,8 +8,14 @@ on:
   schedule:
     - cron: '50 1 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   tzdbcheck:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-latest
 
     steps:
diff --git a/README.md b/README.md
@@ -39,6 +39,9 @@ public String getBirthMonthText(LocalDate dateOfBirth) {
 
 Joda-Time is licensed under the business-friendly [Apache 2.0 licence](https://www.joda.org/joda-time/licenses.html).
 
+![Tidelift dependency check](https://tidelift.com/badges/github/JodaOrg/joda-time)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6310/badge)](https://bestpractices.coreinfrastructure.org/projects/6310)
+
 
 ### Documentation
 Various documentation is available:
@@ -71,8 +74,6 @@ Available in the [Maven Central repository](https://search.maven.org/search?q=g:
 compile 'joda-time:joda-time:2.11.0'
 ```
 
-![Tidelift dependency check](https://tidelift.com/badges/github/JodaOrg/joda-time)
-
 
 ### Related projects
 Related projects at GitHub:
diff --git a/pom.xml b/pom.xml
@@ -867,37 +867,61 @@
       </activation>
       <build>
         <plugins>
-          <!-- Sign artifacts -->
+          <!-- Use nexus plugin to directly release -->
+          <plugin>
+            <groupId>org.sonatype.plugins</groupId>
+            <artifactId>nexus-staging-maven-plugin</artifactId>
+            <version>${nexus-staging-maven-plugin.version}</version>
+            <extensions>true</extensions>
+            <configuration>
+              <nexusUrl>https://oss.sonatype.org/</nexusUrl>
+              <serverId>sonatype-joda-staging</serverId>
+              <description>Releasing ${project.groupId}:${project.artifactId}:${project.version}</description>
+              <keepStagingRepositoryOnCloseRuleFailure>true</keepStagingRepositoryOnCloseRuleFailure>
+              <autoReleaseAfterClose>true</autoReleaseAfterClose>
+            </configuration>
+          </plugin>
+          <!-- Create dist files -->
+          <!-- Since we cannot sign a single file, we put everything in the deploy phase -->
+          <!-- The standard files are signed in the verify phase and then deployed to Maven Central using nexus-staging-maven-plugin -->
+          <!-- Then (and only then) we create and attach the dist files, sign them, and release them to GitHub Releases -->
           <plugin>
             <groupId>org.apache.maven.plugins</groupId>
-            <artifactId>maven-gpg-plugin</artifactId>
+            <artifactId>maven-assembly-plugin</artifactId>
             <executions>
               <execution>
-                <id>sign-artifacts</id>
-                <phase>verify</phase>
+                <id>make-assembly</id>
+                <phase>deploy</phase>
                 <goals>
-                  <goal>sign</goal>
+                  <goal>single</goal>
                 </goals>
+                <configuration>
+                  <descriptors>
+                    <descriptor>src/main/assembly/dist.xml</descriptor>
+                  </descriptors>
+                  <tarLongFileMode>gnu</tarLongFileMode>
+                </configuration>
               </execution>
             </executions>
           </plugin>
-          <!-- Create dist files -->
+          <!-- Sign artifacts, which now includes the dist files -->
           <plugin>
             <groupId>org.apache.maven.plugins</groupId>
-            <artifactId>maven-assembly-plugin</artifactId>
-            <configuration>
-              <attach>false</attach>
-              <descriptors>
-                <descriptor>src/main/assembly/dist.xml</descriptor>
-              </descriptors>
-              <tarLongFileMode>gnu</tarLongFileMode>
-            </configuration>
+            <artifactId>maven-gpg-plugin</artifactId>
             <executions>
               <execution>
-                <id>make-assembly</id>
-                <phase>install</phase>
+                <id>sign-artifacts</id>
+                <phase>verify</phase>
                 <goals>
-                  <goal>single</goal>
+                  <goal>sign</goal>
+                </goals>
+              </execution>
+              <!-- this execution must be located after nexus-staging-maven-plugin (see comment above about ordering) -->
+              <execution>
+                <id>sign-dist-artifacts</id>
+                <phase>deploy</phase>
+                <goals>
+                  <goal>sign</goal>
                 </goals>
               </execution>
             </executions>
@@ -907,45 +931,34 @@
             <groupId>de.jutzig</groupId>
             <artifactId>github-release-plugin</artifactId>
             <version>1.4.0</version>
-            <configuration>
-              <releaseName>Release v${project.version}</releaseName>
-              <description>See the [change notes](https://www.joda.org/joda-time/changes-report.html#a${project.version}) for more information.</description>
-              <tag>v${project.version}</tag>
-              <overwriteArtifact>true</overwriteArtifact>
-              <fileSets>
-                <fileSet>
-                  <directory>${project.build.directory}</directory>
-                  <includes>
-                    <include>${project.artifactId}*-dist.tar.gz</include>
-                    <include>${project.artifactId}*-dist.zip</include>
-                  </includes>
-                </fileSet>
-              </fileSets>
-            </configuration>
             <executions>
               <execution>
                 <id>github-releases</id>
                 <phase>deploy</phase>
                 <goals>
                   <goal>release</goal>
                 </goals>
+                <configuration>
+                  <releaseName>Release v${project.version}</releaseName>
+                  <description>See the [change notes](https://www.joda.org/joda-time/changes-report.html#a${project.version}) for more information.</description>
+                  <tag>v${project.version}</tag>
+                  <overwriteArtifact>true</overwriteArtifact>
+                  <fileSets>
+                    <fileSet>
+                      <directory>${project.build.directory}</directory>
+                      <includes>
+                        <include>${project.artifactId}-${project.version}-dist.tar.gz</include>
+                        <include>${project.artifactId}-${project.version}-dist.tar.gz.asc</include>
+                        <include>${project.artifactId}-${project.version}-dist.zip</include>
+                        <include>${project.artifactId}-${project.version}-dist.zip.asc</include>
+                        <include>${project.artifactId}-${project.version}.jar.asc</include>
+                      </includes>
+                    </fileSet>
+                  </fileSets>
+                </configuration>
               </execution>
             </executions>
           </plugin>
-          <!-- Use nexus plugin to directly release -->
-          <plugin>
-            <groupId>org.sonatype.plugins</groupId>
-            <artifactId>nexus-staging-maven-plugin</artifactId>
-            <version>${nexus-staging-maven-plugin.version}</version>
-            <extensions>true</extensions>
-            <configuration>
-              <nexusUrl>https://oss.sonatype.org/</nexusUrl>
-              <serverId>sonatype-joda-staging</serverId>
-              <description>Releasing ${project.groupId}:${project.artifactId}:${project.version}</description>
-              <keepStagingRepositoryOnCloseRuleFailure>true</keepStagingRepositoryOnCloseRuleFailure>
-              <autoReleaseAfterClose>true</autoReleaseAfterClose>
-            </configuration>
-          </plugin>
         </plugins>
       </build>
       <properties>
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
@@ -9,9 +9,15 @@
 
     <!-- types are add, fix, remove, update -->
     <release version="SNAPSHOT" date="SNAPSHOT" description="SNAPSHOT">
+      <action dev="jodastephen" type="update">
+        Update build scripts and fix static analysis warnings.
+      </action>
       <action dev="jodastephen" type="update">
         Switch master to main.
       </action>
+      <action dev="jodastephen" type="update">
+        DateTimeZone data updated to version 2022cgtz.
+      </action>
     </release>
     <release version="2.11.0" date="2022-08-12" description="v2.11.0">
       <action dev="jodastephen" type="fix">
