added blurb about private key file and cleanup for hosted runners

actions · Jul 16, 2020 · 91d1667 · 91d1667
1 parent 7f23828
commit 91d1667
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -166,6 +166,8 @@ The two `settings.xml` files created from the above example look like the follow
 
 ***NOTE: The `settings.xml` file is created in the Actions $HOME directory. If you have an existing `settings.xml` file at that location, it will be overwritten. See below for using the `settings-path` to change your `settings.xml` file location.***
 
+If `gpg-private-key` and `gpg-passphrase` inputs are provided, the private key will be written to a file in the runner's temp directory, the private key file will be imported into the GPG keychain, and then the file will be promptly removed before proceeding with the rest of the setup process. A cleanup step will remove the imported private key from the GPG keychain after the job completes regardless of the job status. This ensures that the private key is no longer accessible on self-hosted runners and cannot "leak" between jobs (hosted runners are always clean instances).
+
 See the help docs on [Publishing a Package](https://help.github.com/en/github/managing-packages-with-github-packages/configuring-apache-maven-for-use-with-github-packages#publishing-a-package) for more information on the `pom.xml` file.
 
 ## Publishing using Gradle

diff --git a/src/auth.ts b/src/auth.ts
@@ -4,6 +4,7 @@ import * as path from 'path';
 import * as core from '@actions/core';
 import * as io from '@actions/io';
 import {create as xmlCreate} from 'xmlbuilder2';
+import * as constants from './constants';
 
 export const M2_DIR = '.m2';
 export const SETTINGS_FILE = 'settings.xml';
@@ -24,8 +25,8 @@ export async function configAuthentication(
   // when an alternate m2 location is specified use only that location (no .m2 directory)
   // otherwise use the home/.m2/ path
   const settingsDirectory: string = path.join(
-    core.getInput('settings-path') || os.homedir(),
-    core.getInput('settings-path') ? '' : M2_DIR
+    core.getInput(constants.INPUT_SETTINGS_PATH) || os.homedir(),
+    core.getInput(constants.INPUT_SETTINGS_PATH) ? '' : M2_DIR
   );
   await io.mkdirP(settingsDirectory);
   core.debug(`created directory ${settingsDirectory}`);

diff --git a/src/constants.ts b/src/constants.ts
@@ -6,6 +6,7 @@ export const INPUT_JDK_FILE = 'jdkFile';
 export const INPUT_SERVER_ID = 'server-id';
 export const INPUT_SERVER_USERNAME = 'server-username';
 export const INPUT_SERVER_PASSWORD = 'server-password';
+export const INPUT_SETTINGS_PATH = 'settings-path';
 export const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key';
 export const INPUT_GPG_PASSPHRASE = 'gpg-passphrase';