PES-2566: Using GitHub Packages to build Maven artifact #5

Merged
matthewtoma-idme merged 7 commits into master from PES-2566 on Apr 1, 2026

Conversation

@matthewtoma-idme
Contributor

Building the CI pipelines to publish; need to test after it gets merged to master.

CI pipelines:

Build -> runs off any PR / push. Tests to make sure that the artifact can be built.

Release -> builds and then releases to GitHub Packages via Gradle.

matthewtoma-idme and others added 2 commits April 1, 2026 11:16
Enables publishing the auth sample SDK as a Maven artifact
(me.id.auth:idme-auth-sample) to GitHub Packages via a manual
workflow_dispatch trigger with version input.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- CI build workflow runs on PRs and master pushes (assembleRelease + tests)
- Release workflow: manual dispatch with version input, builds AAR,
  publishes to GitHub Packages, creates git tag and GitHub Release
- Uses default GITHUB_TOKEN (all operations within same public repo)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@matthewtoma-idme matthewtoma-idme requested review from a team as code owners April 1, 2026 18:56
@service-idme-github

service-idme-github commented Apr 1, 2026

Snyk checks have passed. No issues have been found so far.

Status   Scan Engine     Critical   High   Medium   Low   Total (0)
         Code Security   0          0      0        0     0 issues


matthewtoma-idme and others added 3 commits April 1, 2026 12:03
Use configure<PublishingExtension> and MavenPublication::class syntax
instead of type-safe accessors which require the plugins {} block.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Uses GitHub's attest-build-provenance action (same pattern as
publish-public-artifact.yml) to provide Sigstore-based proof
that artifacts were built by the IDme org.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Inline attestation with separate release asset and Maven artifact
  attestations, matching publish-public-artifact.yml capabilities
- Attestation bundle uploaded to GitHub Release for consumer verification
- Attestation bundle (.intoto.jsonl) deployed alongside Maven artifacts
- GITHUB_TOKEN scoped to step-level env only where needed
- Version passed as Gradle property (-Pversion) instead of sed mutation
- Maven publish via curl with individual artifact upload (POM, AAR,
  module metadata, attestation bundle)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
matthewtoma-idme and others added 2 commits April 1, 2026 15:44
Maven publish to GitHub Packages is now handled via curl in the
release workflow. Only mavenLocal() is needed for staging artifacts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
findProperty('version') returns 'unspecified' by default in Gradle.
Using 'releaseVersion' as a custom property name avoids this issue.
Workflow passes -PreleaseVersion, build.gradle.kts falls back to 1.0.0
for local dev and CI builds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
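An added illustration (not the repository's own build.gradle.kts) of the property pitfall this commit describes: findProperty("version") always resolves, because Gradle initialises Project.version to "unspecified", so the fallback has to key off a custom property such as releaseVersion. The coordinates are those given in the PR description; the singleVariant("release") declaration in the android block is an assumption.

```kotlin
// build.gradle.kts (library module). Added example, not the repo's file.
// Assumes the android block declares publishing { singleVariant("release") }
// so that components["release"] exists for the publication below.
apply(plugin = "maven-publish")

// Pitfall: findProperty("version") is never null because Gradle initialises
// Project.version to "unspecified", so this fallback would never fire:
//   val v = (findProperty("version") as String?) ?: "1.0.0"   // always "unspecified"
// Fix: read a custom property that the workflow passes as -PreleaseVersion=X.Y.Z;
// local dev and CI builds that omit it fall back to 1.0.0.
val releaseVersion: String = (findProperty("releaseVersion") as String?) ?: "1.0.0"

afterEvaluate {
    // configure<PublishingExtension> and MavenPublication::class work without a
    // plugins {} block, which the type-safe `publishing { }` accessor would require.
    configure<PublishingExtension> {
        publications {
            create("release", MavenPublication::class) {
                groupId = "me.id.auth"
                artifactId = "idme-auth-sample"
                version = releaseVersion
                from(components["release"])
            }
        }
        repositories {
            // Stage into ~/.m2 only; the release workflow uploads the staged POM,
            // AAR, module metadata and attestation bundle to GitHub Packages itself,
            // so no GitHub Packages repository (or token) is configured in Gradle.
            mavenLocal()
        }
    }
}
```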
@matthewtoma-idme matthewtoma-idme merged commit e635af4 into master Apr 1, 2026
2 checks passed
@matthewtoma-idme matthewtoma-idme deleted the PES-2566 branch April 1, 2026 22:48
antspriggs added a commit that referenced this pull request Apr 7, 2026
Fixes all 4 Critical and 5 High findings, plus 5 of 6 Medium and all 3
Low findings from the pre-release security audit.

Critical:
- [#1] State validation is now unconditional; missing state throws
  StateMismatch, closing the CSRF / authorization code injection vector
- [#2] Public IDmeAuth constructor now requires Context and defaults to
  EncryptedCredentialStore; CredentialStore demoted to internal
- [#3] JWKSClient cache fields are @volatile and all access is serialised
  through a Mutex, eliminating the race condition
- [#4] policies() sends credentials via HTTP Basic Auth header instead of
  GET query parameter, keeping the client secret out of server logs

High:
- [#5] Demo network_security_config.xml removes user-cert trust and sets
  cleartextTrafficPermitted=false
- [#6] iss and aud JWT claims are now mandatory; tokens that omit either
  throw JWTClaimInvalid instead of silently passing
- [#7] JWTValidator validates nbf with 30-second clock skew tolerance and
  applies the same skew window to exp
- [#8] IDmeAuthManager replaces the single CompletableDeferred with a
  ConcurrentHashMap keyed by state; IDmeAuth passes state as sessionId
  so callbacks cannot be routed to the wrong flow
- [#9] extractJSON is now suspend and calls JWTValidator before decoding,
  ensuring userinfo JWT signatures are verified before claims are exposed

Medium:
- [#10] Log.isEnabled flag (default false) gates all SDK log output to
  prevent credential leakage in release builds
- [#11] Redirect URI validation rejects http/https/javascript/file/data
  schemes in IDmeAuth, AuthorizationRequest, and GroupsRequest
- [#12] clearSync() cancels the refresh deferred before nulling state,
  reducing the window for concurrent-write races
- [#13] expiresIn is coerced to [0, 86400] seconds before multiplication,
  preventing integer-overflow-induced negative expiry timestamps
- [#14] AuthViewModel extends AndroidViewModel (provides Context to
  IDmeAuth); clientSecret is only forwarded in OAUTH mode

Low:
- [#15] secure-pipeline-ast.yml pinned to immutable commit SHA instead
  of mutable @master ref
- [#17] Demo release build enables minification
- [#18] Base64URL.decode() throws IDmeAuthError.InvalidJWT on failure
  instead of returning null; JWTDecoder call sites cleaned up accordingly

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
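Added illustration (not the SDK's own code) of audit items #7 and #13 above: 32-bit arithmetic on expiresIn wraps for large values and produces an expiry in the past, and the exp/nbf checks share one 30-second skew window. Function and exception names here are hypothetical, and treating a missing exp as invalid is this example's assumption.

```kotlin
import java.time.Instant

// Added example; names are hypothetical, not the SDK's own.
const val CLOCK_SKEW_SECONDS = 30L
const val MAX_EXPIRES_IN_SECONDS = 86_400

class JWTClaimInvalid(message: String) : Exception(message)

// Before (#13): Int * Int is evaluated in 32-bit arithmetic before the Long add,
// so a server-supplied expiresIn above ~2.1 million seconds wraps negative and
// the computed "expiry" lands in the past.
fun expiryMillisUnsafe(nowMillis: Long, expiresIn: Int): Long =
    nowMillis + expiresIn * 1000

// After (#13): clamp to [0, 86400] seconds, then widen to Long before multiplying.
fun expiryMillisSafe(nowMillis: Long, expiresIn: Int): Long =
    nowMillis + expiresIn.coerceIn(0, MAX_EXPIRES_IN_SECONDS).toLong() * 1000L

// #7: exp and nbf are Unix seconds; both are compared with the same skew window.
// Rejecting a missing exp is an assumption of this example, not stated by the commit.
fun validateTimeClaims(exp: Long?, nbf: Long?, now: Instant) {
    val t = now.epochSecond
    val e = exp ?: throw JWTClaimInvalid("exp claim missing")
    if (t >= e + CLOCK_SKEW_SECONDS) throw JWTClaimInvalid("token expired")
    if (nbf != null && t + CLOCK_SKEW_SECONDS < nbf) throw JWTClaimInvalid("token not yet valid")
}

fun main() {
    val now = 1_700_000_000_000L                 // constructed "current time" in ms
    println("unsafe expiry in past: ${expiryMillisUnsafe(now, 3_000_000) < now}")
    println("safe expiry offset ms: ${expiryMillisSafe(now, 3_000_000) - now}")

    val nowSec = now / 1000
    // nbf 20 s in the future is inside the 30 s window, so this is accepted.
    validateTimeClaims(exp = nowSec + 10, nbf = nowSec + 20, now = Instant.ofEpochMilli(now))
    println("exp/nbf within 30s skew accepted")
    try {
        // exp 31 s in the past is outside the window and is rejected.
        validateTimeClaims(exp = nowSec - 31, nbf = null, now = Instant.ofEpochMilli(now))
    } catch (e: JWTClaimInvalid) {
        println("rejected: ${e.message}")
    }
}
```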
antspriggs added a commit that referenced this pull request Apr 7, 2026
* Address pre-release security audit findings (all Critical + High)

* Add GitHub Packages Maven publishing workflow

- Apply maven-publish plugin to :sdk with release publication (com.idme:idme-auth-sdk)
- Configure GitHubPackages repository using GITHUB_TOKEN
- Add GROUP and VERSION_NAME to gradle.properties
- Add publish.yml workflow triggered on GitHub Release or workflow_dispatch

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Rename artifactId to android-auth-sample-code

Aligns Maven coordinates with the repository name:
me.id.auth:android-auth-sample-code:<version>

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
antspriggs added a commit that referenced this pull request Apr 14, 2026
gclaro-idme pushed a commit that referenced this pull request Apr 15, 2026
* Address pre-release security audit findings (all Critical + High)

* Add GitHub Packages Maven publishing workflow

* Rename artifactId to android-auth-sample-code

* Add Sonatype Maven Central publishing support

- Add Dokka plugin for Javadoc JAR generation (required by Sonatype)
- Add sources JAR task (required by Sonatype)
- Apply signing plugin with in-memory PGP key support for CI
- Complete POM metadata: url, licenses, developers, and SCM (required by Sonatype)
- Wire Dokka + nexus-publish plugin into root buildscript classpath
- Configure Sonatype OSSRH staging repository via nexus-publish plugin
- Add Sonatype publish step to release workflow using five new secrets:
  SONATYPE_USERNAME, SONATYPE_PASSWORD, SIGNING_KEY_ID, SIGNING_KEY, SIGNING_PASSWORD

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Nat Ray <nathaniel.ray@id.me>