jflex
Deploy to Sonatype automatically
By storing the Sonatype user/password and the signing key in secure environment variables in Travis, it should be able to deploy on every build on master.
Some people have already done this
- https://coderwall.com/p/9b_lfq/deploying-maven-artifacts-from-travis
- http://www.debonair.io/post/maven-cd/
- https://github.com/making/travis-ci-maven-deploy-skelton
- https://gist.github.com/letmaik/4060735
Alternatively, use a third-party artifact manager: https://packagecloud.io/ (see https://blog.travis-ci.com/2017-03-30-deploy-maven-travis-ci-packagecloud/).
I’m not a big fan of storing those kinds of things anywhere externally, especially not if that account and key have my name attached. Travis is a high-value target (thousands of OSS projects) and they are providing a free service, i.e. the amount of time they can spend on their own security is minimal.
Maybe I know too many penetration testers and their stories, but it’s much easier to be a single entirely uninteresting target (jflex) with a low attack surface.
Would we really get that much out of fully automating deployment instead of the semi-automation we have now? It sounds like a lot of ongoing work for a benefit that pays back once every year or so.
And what about GitHub Packages? For instance, to publish the -SNAPSHOT version?
We could do that. Would it be easier to store the snapshots as GitHub build artefacts with each build?
Closing this, because I don't think it makes sense to deploy the snapshot version. The snapshot version is not stable and should not be used outside JFlex development.