gradle-node-plugin
Sign plugin releases with PGP
Currently, the plugin is not signed, so dependency verification has to use checksums.
See:
- https://docs.gradle.org/current/userguide/dependency_verification.html
Note: if you release with a GitHub Actions workflow, then you can generate a PGP key and keep it in GitHub secrets. See: https://github.com/vlsi/provision-release-pgp-key
The idea is that you add a workflow to trigger key provisioning, like in https://github.com/pgjdbc/pgjdbc/blob/ee09a2f3bf2cb9031e2e325503281f2c1b2d4761/.github/workflows/pgp-key-maintenance.yaml, then you manually trigger it and it generates and stores the key in GitHub variables. The same workflow can extend the key lifetime.
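To illustrate the difference the issue describes, here is an added example of a Gradle `gradle/verification-metadata.xml` (not from this issue or the plugin project) that pins the plugin by checksum today and, once releases are signed, would additionally trust the release key; the plugin coordinates, version, checksum and key id are assumptions or placeholders to replace with real values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <!-- Signature verification only helps for artifacts that are actually signed.
           Unsigned artifacts (the plugin today) still fall back to the checksums below. -->
      <verify-signatures>true</verify-signatures>
      <keyring-format>armored</keyring-format>
      <trusted-keys>
         <!-- Once releases are PGP-signed: trust the release key for this plugin only.
              Placeholder key id; obtain the real fingerprint from the project. -->
         <trusted-key id="PLACEHOLDER_RELEASE_KEY_FINGERPRINT"
                      group="com.github.node-gradle" name="gradle-node-plugin"/>
      </trusted-keys>
   </configuration>
   <components>
      <!-- Current state: unsigned artifact, so each file must be pinned by hash.
           Coordinates/version are assumed; checksum is a placeholder. -->
      <component group="com.github.node-gradle" name="gradle-node-plugin" version="X.Y.Z">
         <artifact name="gradle-node-plugin-X.Y.Z.jar">
            <sha256 value="PLACEHOLDER_SHA256_OF_JAR" origin="Generated by Gradle"/>
         </artifact>
         <artifact name="gradle-node-plugin-X.Y.Z.pom">
            <sha256 value="PLACEHOLDER_SHA256_OF_POM" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

Gradle can bootstrap the checksum entries with `./gradlew --write-verification-metadata sha256`; every hash must then be re-pinned on each plugin upgrade, which is the maintenance cost a trusted release key would remove.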