From 53f36b2ca9b2a80c279612f20240e51a71c70885 Mon Sep 17 00:00:00 2001
From: jadamcrain
Date: Thu, 28 May 2026 15:02:25 -0700
Subject: [PATCH 1/2] ci: sign Maven artifacts with explicit GPG key fingerprint

ghaction-import-gpg v7 (bumped from v3 in #177) does not configure a default signing key, so the bare 'gpg --detach-sign' in the Maven deploy step failed with 'no default secret key: No secret key' even though the secret key imported successfully. Capture the import step's fingerprint output and pass it via --local-user, which is the action's recommended way to select the key. Resolves the release-maven failure for 1.5.0-RC2.
---
 .github/workflows/ci.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f6b300a1..7336739a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -360,6 +360,7 @@ jobs:
 path: artifacts
 pattern: java-bindings-*
 - name: Import PGP key
+ id: import_gpg
 uses: crazy-max/ghaction-import-gpg@v7
 with:
 gpg_private_key: ${{ secrets.SFIO_PGP_PRIVATE_KEY }}
@@ -389,10 +390,12 @@ jobs:
 cp java-bindings-jar/rodbus-${{github.ref_name}}-sources.jar io/stepfunc/rodbus/${{github.ref_name}}/
 cp java-bindings-jar/rodbus-${{github.ref_name}}-javadoc.jar io/stepfunc/rodbus/${{github.ref_name}}/
- # Sign all files
+ # Sign all files. v7 of ghaction-import-gpg does not configure a default
+ # signing key, so select it explicitly by fingerprint (the action's
+ # recommended user ID) to avoid "no default secret key" errors.
 cd io/stepfunc/rodbus/${{github.ref_name}}
 for file in *.jar *.pom; do
- gpg --batch --yes --pinentry-mode loopback --passphrase "${{ secrets.SFIO_PGP_PRIVATE_KEY_PASSPHRASE }}" --armor --detach-sign "$file"
+ gpg --batch --yes --pinentry-mode loopback --local-user "${{ steps.import_gpg.outputs.fingerprint }}" --passphrase "${{ secrets.SFIO_PGP_PRIVATE_KEY_PASSPHRASE }}" --armor --detach-sign "$file"
 done
 # Generate checksums
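Review bot: The new gpg line still hands the passphrase over as a command-line argument, so it sits in the runner's process table for the duration of every signing call (GitHub masks secrets in the job log, not in `ps`), and the same applies to the fingerprint and `github.ref_name` being pasted into the script as text rather than read as data. Putting both values in the step's `env:` and feeding the passphrase on stdin keeps them out of argv: `echo "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --local-user "$GPG_FINGERPRINT" --armor --detach-sign "$file"`, with `GPG_PASSPHRASE: ${{ secrets.SFIO_PGP_PRIVATE_KEY_PASSPHRASE }}` and `GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}` declared under the step's `env:` (the step header is outside this hunk). Since `--detach-sign` reads the file named in the argument, stdin is free for the passphrase. The `run:` block that contains this loop starts and ends outside the hunk.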
From b222f89930dc672346e193ef8e953a6b0dcb3eed Mon Sep 17 00:00:00 2001
From: jadamcrain
Date: Thu, 28 May 2026 15:10:52 -0700
Subject: [PATCH 2/2] ci: make crates.io publish idempotent via sparse-index check

The old existence probe hit the crates.io web API with curl's default User-Agent, which is rejected (403), so it fell through and ran cargo publish unconditionally -- hard-failing the job when the version was already published. Check the sparse index (index.crates.io) instead, the same source cargo reads; on a match we skip, otherwise any cargo publish failure is a genuine failure.
---
 .github/workflows/ci.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7336739a..9ccf408f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -472,10 +472,14 @@ jobs:
 - name: Publish to crates.io
 shell: bash
 run: |
- # Check if version already exists on crates.io
+ # Authoritative existence check via the sparse index (the same source
+ # cargo reads) so re-running the release is idempotent. Each line is one
+ # published version as compact JSON. This avoids the crates.io web API,
+ # which 403s on default curl User-Agents. If the version is absent we
+ # publish, and any cargo failure is a genuine failure.
 VERSION=${{github.ref_name}}
- if curl -f -s "https://crates.io/api/v1/crates/rodbus/$VERSION" > /dev/null 2>&1; then
- echo "✅ rodbus $VERSION already published to crates.io - skipping"
+ if curl -sf "https://index.crates.io/ro/db/rodbus" | grep -qF "\"vers\":\"$VERSION\""; then
+ echo "✅ rodbus $VERSION already on crates.io - skipping"
 else
 echo "Publishing rodbus $VERSION to crates.io..."
 cargo publish -p rodbus --token ${{ secrets.CRATES_PUBLISH_TOKEN }}
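Review bot: A failed index fetch still falls through to `cargo publish`: when `curl -sf` exits non-zero (network error, 403, rate limit) the `if` sees either grep's status on empty input or, under the `pipefail` that `shell: bash` enables, the pipeline's failure, and both take the else branch, so a transient fetch problem on an already-published version reproduces exactly the hard failure this commit set out to remove. Fetching first and stopping on error separates "not published" from "could not check": `INDEX=$(curl -sSf "https://index.crates.io/ro/db/rodbus") || { echo "could not query the crates.io sparse index"; exit 1; }` followed by `if grep -qF "\"vers\":\"$VERSION\"" <<<"$INDEX"; then`. Adding `-S` also makes curl print its own error text to the log instead of failing silently. The `run:` block that contains this check continues past the hunk (the closing `fi` is not shown).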