Rework tag driven release infrastructure

The previous approach of encrypying sensitive.sbt was prone
to leaking passwords to the build log if SBT were to report
an error on a line of code containing a secret.

The commit now switches to encrypting the PGP passphrase and
Sonatype credentials as environment variables. The private key
is still encrypted on disk as it is too large, but now that
we only need to encrypt a single file we can revert to using
the built in `encrypt-file` command in the Travis CI command
line tool.

Author: retronym

.travis.yml

@@ -1,6 +1,15 @@
 language: scala
+env:
+  global:
+    - PUBLISH_JDK=oraclejdk8
+    # PGP_PASSPHRASE
+    - secure: "BzgzRZLYa52rS/hBfzf43b++CfDhdcd3Mmu8tsyBHgThSQOd2YBLbV5kWD8aYVFKVHfW7XX0PTe3F+rR/fFZqGItE6o8Px0Y7Vzb5pqjlaQdxFEJ+WrsnshS0xuAKZ7OwVHRp+d+jznaCwRxEo2vpW3ko1OPAJ8cxfhVL/4C1I0="
+    # SONA_USER
+    - secure: "lx2qFeFxh9AFmyHR7hH4Qf9flIEx8VgYj6ebzuxp1cc1ZZiXHC1256x0bHFDUH9bhJACOazOrco/+v6MBAriBkWxLBc98FrC6OkVeQMFW2ffWSBuHRclilKsQA/Lsgc81Wg+WV105hOqUNAkTXgroblInNt+KS+DhC/8FVoh9ZY="
+    # SONA_PASS
+    - secure: "FZC+FZnBNeklA150vW5QDZJ5J7t+DExJrgyXWM46Wh0MobjH8cvydgC3qatItb0rDBV8l7zO1LDwl2KEi92aefw2a8E49z6qVOHgUXiI3SAx7M0UO0FFeKPmTXCLcBlbnGLcUqNjIZfuIEufQvPblKTl8qN4eMmcMn9jsNzJr28="
 script:
-  - sbt ++$TRAVIS_SCALA_VERSION clean test publishLocal
+  - admin/build.sh
 scala:
   - 2.10.4
   - 2.11.4

admin/README.md

@@ -0,0 +1,58 @@
+## Tag Driven Releasing
+
+### Background Reading
+
+  - http://docs.travis-ci.com/user/environment-variables/
+  - http://docs.travis-ci.com/user/encryption-keys/
+  - http://docs.travis-ci.com/user/encrypting-files/
+
+### Initial setup for the repository
+
+To configure tag driven releases from Travis CI.
+
+  1. Generate a key pair for this repository with `./admin/genKeyPair.sh`.
+     Edit `.travis.yml` and `admin/build.sh` as prompted.
+  2. Publish the public key to https://pgp.mit.edu
+  3. Store other secrets as encrypted environment variables with `admin/encryptEnvVars.sh`.
+     Edit `.travis.yml` as prompted.
+  4. Edit `.travis.yml` to use `./admin/build.sh` as the build script,
+     and edit that script to use the tasks required for this project.
+  5. Edit `.travis.yml` to select which JDK will be used for publishing.
+
+It is important to add comments in .travis.yml to identify the name
+of each environment variable encoded in a `:secure` section.
+
+After all of these steps, your .travis.yml should contain config of the
+form:
+
+	language: scala
+	env:
+	  global:
+	    - PUBLISH_JDK=openjdk6
+	    # PGP_PASSPHRASE
+	    - secure: "XXXXXX"
+	    # SONA_USER
+	    - secure: "XXXXXX"
+	    # SONA_PASS
+	    - secure: "XXXXXX"
+	script:
+	  - admin/build.sh
+
+If Sonatype credentials change in the future, step 3 can be repeated
+without generating a new key.
+
+### Testing
+
+  1. Follow the release process below to create a dummy release (e.g. 0.1.0-TEST1).
+     Confirm that the release was staged to Sonatype but do not release it to Maven
+     central. Instead, drop the staging repository.
+
+### Performing a release
+
+  1. Create a GitHub "Release" (with a corresponding tag) via the GitHub
+     web interface.
+  2. Travis CI will schedule a build for this release. Review the build logs.
+  3. Log into https://oss.sonatype.org/ and identify the staging repository.
+  4. Sanity check its contents
+  5. Release staging repository to Maven and send out release announcement.
+

admin/build.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# prep environment for publish to sonatype staging if the HEAD commit is tagged
+
+# git on travis does not fetch tags, but we have TRAVIS_TAG
+# headTag=$(git describe --exact-match ||:)
+
+if [ "$TRAVIS_JDK_VERSION" == "$PUBLISH_JDK" ] && [[ "$TRAVIS_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9-]+)? ]]; then
+  echo "Going to release from tag $TRAVIS_TAG!"
+  myVer=$(echo $TRAVIS_TAG | sed -e s/^v// | sed -e 's/_[0-9]*\.[0-9]*//')
+  publishVersion='set every version := "'$myVer'"'
+  extraTarget="publish-signed"
+  cat admin/gpg.sbt >> project/plugins.sbt
+  cp admin/publish-settings.sbt .
+
+  # Copied from the output of genKeyPair.sh
+  K=$encrypted_1ce132863fa7_key
+  IV=$encrypted_1ce132863fa7_iv
+
+  aes-256-cbc -K $K -iv $IV -in admin/secring.asc.enc -out admin/secring.asc -d
+fi
+
+sbt ++$TRAVIS_SCALA_VERSION "$publishVersion" clean update test publishLocal $extraTarget

admin/encryptEnvVars.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+#
+# Encrypt sonatype credentials so that they can be
+# decrypted in trusted builds on Travis CI.
+#
+set -e
+
+read -s -p 'SONA_USER: ' SONA_USER
+travis encrypt SONA_USER="$SONA_USER"
+read -s -p 'SONA_PASS: ' SONA_PASS
+travis encrypt SONA_PASS="$SONA_PASS"

admin/genKeyPair.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+#
+# Generates a key pair for this repository to sign artifacts.
+# Encrypt the private key and its passphrase in trusted builds
+# on Travis CI.
+#
+set -e
+
+# Based on https://gist.github.com/kzap/5819745:
+function promptDelete() {
+    if [[ -f "$1" ]]; then
+        echo About to delete $1, Enter for okay / CTRL-C to cancel
+        read
+        rm "$1"
+    fi
+}
+for f in admin/secring.asc.enc admin/secring.asc admin/pubring.asc; do promptDelete "$f"; done
+
+echo Generating key pair. Please enter 1. repo name 2. [email protected], 3. a new passphrase
+cp admin/gpg.sbt project
+sbt 'set pgpReadOnly := false' \
+    'set pgpPublicRing := file("admin/pubring.asc")' \
+    'set pgpSecretRing := file("admin/secring.asc")' \
+    'pgp-cmd gen-key'
+rm project/gpg.sbt
+
+echo ============================================================================================
+echo Encrypting admin/secring.asc. Update K and IV variables in admin/build.sh accordingly.
+echo ============================================================================================
+travis encrypt-file admin/secring.asc
+rm admin/secring.asc
+mv secring.asc.enc admin
+
+echo ============================================================================================
+echo Encrypting environment variables. Add each to a line in .travis.yml. Include a comment
+echo with the name of the corresponding variable
+echo ============================================================================================
+read -s -p 'PGP_PASSPHRASE: ' PGP_PASSPHRASE
+travis encrypt PGP_PASSPHRASE="$PGP_PASSPHRASE"
+

admin/gpg.sbt

@@ -0,0 +1,2 @@
+
+addSbtPlugin("com.typesafe.sbt" % "sbt-pgp" % "0.8.3") // only added when publishing:

admin/publish-settings.sbt

@@ -0,0 +1,7 @@
+pgpPassphrase := Some(sys.prop("PGP_PASSPHRASE").toArray)
+
+pgpPublicRing := file("admin/pubring.asc")
+
+pgpSecretRing := file("admin/secring.asc")
+
+credentials   += Credentials("Sonatype Nexus Repository Manager", "oss.sonatype.org", sys.prop("SONA_USER"), sys.prop("SONA_PASS"))

admin/pubring.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BCPG v1.49
+
+mQENBFS1xA0BCAC0t2c5MhkWyUbkWsZM4DmIN+/pDjNCr2DNmbIG3gB8i4MI71q/
+fj+Ob0lemjJNnNc4ii6+s9RrOcwR1EU4IA8mO79NN+i2yVUhe0LmOWgyfXvG8Qpg
+hLmdMrkgOHK0hpWbXJ0i2NGPch4gI6YRJF95yLojz2KENmiYGmSD8p1It06O2824
+Xhqc5Cm72/qXvonHP1+MugjiPxmyZN3ajSol0P7tZlgB7ikqpyL3kZXkc162bJ+H
+U6y6qUCcQqS5VQ7Fv9bIbTNOjN4ELLJn2ffLVe3ujRG6seioL0MfuQ/gV9IpGcGO
+Dew8Xu79QdDyVHQKgDy9N/J276JZ4j9nYCCxABEBAAG0NXNjYWxhLWphdmE4LWNv
+bXBhdCA8c2NhbGEtaW50ZXJuYWxzQGdvb2dsZWdyb3Vwcy5jb20+iQEcBBMBAgAG
+BQJUtcQNAAoJEGQWNEmlKase8pAH/Rb45Px88u7DDT53DU68zh84oDZLv9i46g7g
+16KI97nz17F9OEHdkzNEUA3EgCD1d2k+c/GIdQKg3avVdpNM7krK5SSNgHKcwe/F
+0YGMxvh+LgeK1JDuXFbwLJKR+7VIGVKkjw+Z2TC8hZfnD6Qy6c4xkukoBs6yfWQO
+tf8gSH6oQox4UIOB/+ADyypl9mnRxgdi1uPvd6UJnL/n9UDE8v1k+8WzO34nTVZr
+xWN28pAun5VpLuEq4GAr2JRfRiF+N0hGuS+htiU6hnO81BBK+NusWxI9Aitu8Zyh
+eulWpROXvUOw1eJequutgyGwEEQkRi+Yu+2eSM2/EPCWiLXkODk=
+=Qro7
+-----END PGP PUBLIC KEY BLOCK-----