I'm thinking about configuring https://github.com/clj-commons/camel-snake-kebab/ to let GitHub handle deploy to Clojars to make it less dependent on myself, but I feel a bit uneasy about storing the GPG private key in "secrets" since so many people will have access to it. Has this been discussed before?
@qerub I do store clojars tokens in CircleCI
to deploy
but I don't use the signing stuff
Interesting: "[CircleCI] environment variables let you add sensitive data (e.g. API keys) to your jobs rather than placing them in the repository. The value of the variables cannot be read or edited in the app once they are set."
That will make it hard to extract the secrets without leaving a trail.
I think GitHub supports the same
In fact, I'm also using that (as a backup for when CircleCI doesn't work)
I think you're right: "[GitHub] secrets are environment variables that are encrypted and only exposed to selected actions. Anyone with collaborator access to this repository can use these secrets in a workflow."
@qerub I'm curious as to why you bother signing stuff? Clojars no longer has the two-tier/promotion system and basically ignores the signed stuff.
@seancorfield: Old habit, I guess. Thanks for bringing this to my attention.
Unless you have a widespread "web of trust" the signatures really don't provide any security anyway. Phil Hagelberg (technomancy) tried hard to get that going by doing in-person key exchanges at conferences etc. but it never became widespread, and the Clojars maintainers decided to abandon all of the two-tier promotion system because hardly anyone was using it, so it just wasn't worth maintaining the complexity of it...
I just sign because lein tells me to by default.
> cat ~/.lein/profiles.clj
{:socket {:jvm-opts ["-Dclojure.server.lein={:port 55555, :accept clojure.core.server/repl}"]}
 :clojars {:repositories {"clojars" {:url "" :sign-releases false}}}}
🙂 🙂 🙂
lein with-profile clojars deploy clojars
(not that I've actually used lein to deploy anything for a very long time)
@slipset I'm surprised you, in particular, use Leiningen to deploy anything?
It’s quite ironic. Up until yesterday I was not able to sign releases with deps-deploy. And I thought that was somewhat a thing to do.