https://linen.dev logo
o

Oleg Nenashev

06/26/2023, 3:45 PM
Hi @Tom, where do we stand with the Maven Central structure at the moment? Did you reserve
org.wiremock
at some point, or is it up for grabs? I think it would be nice to document the structure for the package group and allow other contributors like @Dirk Bolte to release there
d

Dirk Bolte

06/30/2023, 11:52 AM
are the secrets for sonatype configured on organizational level + can I "just copy" the publishing configuration from wiremock?
t

Tom

06/30/2023, 12:30 PM
We need to do some work on this. Currently only I have access to the Sonatype keys, which isn’t a great situation.
o

Oleg Nenashev

06/30/2023, 6:46 PM
I think we want to have something on a per package basis. We could also use GitHub packages as the main repository and raise a request to Sonatype to mirror that
^ @Tom WDYT? Maybe it would be the best option if we want to maintain some kind of a permission model
t

Tom

06/30/2023, 7:53 PM
Yeah, if we can get Sonatype to mirror GH that might be a easier to live with than trying to make it work in Nexus
d

Dirk Bolte

07/02/2023, 10:52 AM
ok - will adapt the publishing part of the extension to push to GH then.
o

Oleg Nenashev

07/02/2023, 11:47 AM
I am exploring the options ATM
@Dirk Bolte @Tom from your points of view, how critical is it to use Maven Central for the extensions and libraries at all? I see some benefits for WireMock Core to simplify the startup, but for the whole ecosystem it's likely to be a pain It's quite easy to synchronize GitHub Packages to Maven Central, but if and only if we have the compliant artifacts including GPG signing & metadata. It is generally a good thing to do but it will definitely require some aux GitHub Actions
d

Dirk Bolte

07/02/2023, 12:17 PM
Personally, I just need to have a repository to add to maven/gradle. Having it on maven central is pretty convenient and increase acceptance for extensions in general, but adding a custom repo for this extension would definitely work for the time being.
t

Tom

07/03/2023, 4:11 PM
We ought to start using Actions to publish artifacts anyway, so how about we get a service account set up by Sonatype, put the credentials in the wiremock GH org and then any projects we host can set up publishing actions to the
org.wiremock
group?
o

Oleg Nenashev

07/03/2023, 4:16 PM
If the credentials are free-to-use by any maintainer, they can be accidentally leaked or intentionally stolen by any user with Write permissions to GitHub actions, and then used to deploy a malicious version. So we would need to set up some guardrails about usage of these credentials, ideally by making the release pipeline fully protected from tinkering
Also includes all Gradle/Maven plugins that would have access to the environment
t

Tom

07/03/2023, 4:22 PM
I presume there’s some precedent around how to do this? A service account per project?
o

Oleg Nenashev

07/05/2023, 9:50 AM
A service account per project?
Ideally yes
t

Tom

07/05/2023, 10:42 AM
As far as you know do we just submit a JIRA ticket to get supplementary accounts created?
o

Oleg Nenashev

07/05/2023, 1:07 PM
yes