claude: silence GPG passphrase-decryption stacktrace in release logs#4
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Claude-written description
Every
releasejob run logs a ~110-lineSecDispatcherExceptionstacktrace (printed three times as a nested cause chain) frommaven-gpg-pluginbefore signing. It is harmless — signing succeeds and the job is green — but it makes the release logs noisy and looks alarming.Root cause:
actions/setup-javatemplates agpg.passphraseserver entry into the runner's~/.m2/settings.xmlwhenevergpg-private-keyis supplied, even though this workflow sets nogpg-passphraseinput.maven-gpg-pluginthen runs that entry through Maven's settings decrypter, which unconditionally tries to read~/.m2/settings-security.xml(absent on a fresh runner), and the plugin logs the resultingFileNotFoundExceptionat WARN with the full cause chain before falling back to the plaintext value. The release key has no passphrase, so the value is never actually needed.Fix: enable
<bestPractices>true</bestPractices>on the gpg plugin's sign execution. Verified against the 3.2.7 plugin source: withbestPracticeson,passphraseServerIdis no longer defaulted togpg.passphrase, so the settings.xml lookup (and its stacktrace + "W A R N I N G" block) is skipped entirely;enforceBestPractices()only throws if a passphrase or server id is explicitly configured, which they aren't. If the key ever gains a passphrase, theMAVEN_GPG_PASSPHRASEenvironment variable still works — it is checked first.Rejected alternative: setting
MAVEN_GPG_PASSPHRASE: ""in the workflow env. The plugin usesisNotBlank()on the env value, so an empty string falls through to the settings lookup anyway.No
RELEASE.md: the published artifact would be bit-for-bit unchanged, so this PR carries theskip releaselabel instead (created the label, sincecheck-release.ymlandRELEASE-sample.mdalready reference it).