Add Sonatype Maven Central publishing support#9
Merged
Conversation
Fixes all 4 Critical and 5 High findings, plus 5 of 6 Medium and all 3 Low findings from the pre-release security audit.
Critical:
- [#1] State validation is now unconditional; missing state throws StateMismatch, closing the CSRF / authorization code injection vector
- [#2] Public IDmeAuth constructor now requires Context and defaults to EncryptedCredentialStore; CredentialStore demoted to internal
- [#3] JWKSClient cache fields are @volatile and all access is serialised through a Mutex, eliminating the race condition
- [#4] policies() sends credentials via HTTP Basic Auth header instead of GET query parameter, keeping the client secret out of server logs
High:
- [#5] Demo network_security_config.xml removes user-cert trust and sets cleartextTrafficPermitted=false
- [#6] iss and aud JWT claims are now mandatory; tokens that omit either throw JWTClaimInvalid instead of silently passing
- [#7] JWTValidator validates nbf with 30-second clock skew tolerance and applies the same skew window to exp
- [#8] IDmeAuthManager replaces the single CompletableDeferred with a ConcurrentHashMap keyed by state; IDmeAuth passes state as sessionId so callbacks cannot be routed to the wrong flow
- [#9] extractJSON is now suspend and calls JWTValidator before decoding, ensuring userinfo JWT signatures are verified before claims are exposed
Medium:
- [#10] Log.isEnabled flag (default false) gates all SDK log output to prevent credential leakage in release builds
- [#11] Redirect URI validation rejects http/https/javascript/file/data schemes in IDmeAuth, AuthorizationRequest, and GroupsRequest
- [#12] clearSync() cancels the refresh deferred before nulling state, reducing the window for concurrent-write races
- [#13] expiresIn is coerced to [0, 86400] seconds before multiplication, preventing integer-overflow-induced negative expiry timestamps
- [#14] AuthViewModel extends AndroidViewModel (provides Context to IDmeAuth); clientSecret is only forwarded in OAUTH mode
Low:
- [#15] secure-pipeline-ast.yml pinned to immutable commit SHA instead of mutable @master ref
- [#17] Demo release build enables minification
- [#18] Base64URL.decode() throws IDmeAuthError.InvalidJWT on failure instead of returning null; JWTDecoder call sites cleaned up accordingly
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Apply maven-publish plugin to :sdk with release publication (com.idme:idme-auth-sdk)
- Configure GitHubPackages repository using GITHUB_TOKEN
- Add GROUP and VERSION_NAME to gradle.properties
- Add publish.yml workflow triggered on GitHub Release or workflow_dispatch
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Accept master's release.yml and build.yml workflows (comprehensive publishing with build attestations and curl-based GitHub Packages upload)
- Resolve sdk/build.gradle.kts conflict: use master's me.id.auth:idme-auth-sample coordinates and version from -PreleaseVersion flag instead of gradle.properties
- Remove redundant publish.yml (superseded by release.yml)
- Remove GROUP/VERSION_NAME from gradle.properties (version is passed at release time)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Aligns Maven coordinates with the repository name: me.id.auth:android-auth-sample-code:<version> Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add Dokka plugin for Javadoc JAR generation (required by Sonatype)
- Add sources JAR task (required by Sonatype)
- Apply signing plugin with in-memory PGP key support for CI
- Complete POM metadata: url, licenses, developers, and SCM (required by Sonatype)
- Wire Dokka + nexus-publish plugin into root buildscript classpath
- Configure Sonatype OSSRH staging repository via nexus-publish plugin
- Add Sonatype publish step to release workflow using five new secrets: SONATYPE_USERNAME, SONATYPE_PASSWORD, SIGNING_KEY_ID, SIGNING_KEY, SIGNING_PASSWORD
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
seftena reviewed Apr 14, 2026
.github/workflows/secure-pipeline-ast.yml:
    jobs:
      execute:
        uses: IDme/workflow-library/.github/workflows/secure-pipeline-ast.yml@7a259bb101fd4f20d7cd0137c1f99e8d60af0859
seftena (Contributor): @antspriggs Where is this ID coming from to replace @master?
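The value after `@` in that `uses:` line is a 40-character hex commit SHA in IDme/workflow-library, which is what makes the pin immutable: a branch name such as @master can be moved to any commit after the fact, a commit SHA cannot. The review question that matters is whether that SHA is the commit the team actually reviewed in that repository (for example, the commit a release tag points at); once it is, the remaining risk is someone later reverting the pin to a mutable ref. The Gradle verification task below is an added example, not code from this PR or from IDme, that fails the build when any workflow file references a remote action or reusable workflow by anything other than a full commit SHA. The task name `checkWorkflowPins` and the regexes are my own choices; it assumes the root project contains the usual `.github/workflows` directory.

```kotlin
// build.gradle.kts (root) -- added illustration, not code from this PR.
// Registers a verification task that scans .github/workflows/*.yml and fails the
// build when a `uses:` reference to a remote action or reusable workflow is pinned
// to anything other than a full 40-hex commit SHA (e.g. @master or @v4).

// Matches `uses: owner/repo[/path]@ref`. Local refs (./.github/...) carry no "@"
// and docker:// refs contain ":" before the first "/", so neither matches.
val usesRef = Regex("""^\s*-?\s*uses:\s*["']?([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@([^\s"'#]+)""")
val fullCommitSha = Regex("^[0-9a-f]{40}$")

tasks.register("checkWorkflowPins") {
    group = "verification"
    description = "Fails if a workflow references an action or reusable workflow by a mutable ref"

    // Assumed layout: workflow files live under the root project's .github/workflows
    val workflowFiles = fileTree(layout.projectDirectory.dir(".github/workflows")) {
        include("*.yml", "*.yaml")
    }
    inputs.files(workflowFiles)

    doLast {
        val unpinned = workflowFiles.files.sorted().flatMap { file ->
            file.readLines().mapIndexedNotNull { index, line ->
                usesRef.find(line)?.let { match ->
                    val (repo, ref) = match.destructured
                    // A full SHA is the only ref that cannot be moved later
                    if (fullCommitSha.matches(ref)) null
                    else "${file.name}:${index + 1}: $repo@$ref"
                }
            }
        }
        if (unpinned.isNotEmpty()) {
            throw GradleException(
                "Mutable workflow refs found; pin each to a full commit SHA:\n" +
                    unpinned.joinToString("\n")
            )
        }
    }
}

// Usage: ./gradlew checkWorkflowPins   (wire it into `check` with tasks.named("check") { dependsOn("checkWorkflowPins") })
```

Running this in the same CI pipeline that consumes the workflows turns the @master-to-SHA change from a one-off fix into an enforced policy; the failure message names the file and line so the offending reference is easy to find.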
✅ Snyk checks have passed. No issues have been found so far.
- Keep Sonatype OSSRH publish step and Maven Central summary in release.yml
- Keep secure-pipeline-ast.yml (reject master's deletion)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nat-ray pushed a commit that referenced this pull request Apr 15, 2026
* Address pre-release security audit findings (all Critical + High)
* Add GitHub Packages Maven publishing workflow
* Rename artifactId to android-auth-sample-code
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
nat-ray approved these changes Apr 15, 2026
gclaro-idme approved these changes Apr 15, 2026
Summary
- -javadoc.jar
- sourcesJar task packaging src/main/java + src/main/kotlin as a -sources.jar
- signing plugin with in-memory PGP key support; signing activates when SIGNING_KEY + SIGNING_PASSWORD env vars are present (no-op locally without keys)
- url, licenses, developers, and scm blocks required by Sonatype's validation rules
- io.github.gradle-nexus:publish-plugin at root; configures s01.oss.sonatype.org staging/snapshot URLs; release workflow publishes then closes+releases the staging repository

Required GitHub secrets
Add these to the release environment before running the workflow:
- SONATYPE_USERNAME
- SONATYPE_PASSWORD
- SIGNING_KEY_ID
- SIGNING_KEY (gpg --armor --export-secret-keys KEY_ID)
- SIGNING_PASSWORD

Test plan
- ./gradlew :sdk:publishReleasePublicationToMavenLocalRepository locally to verify POM, sources JAR, and Javadoc JAR are generated
- ~/.m2/repository/me/id/auth/android-auth-sample-code/ to confirm all five artifacts: .aar, .pom, -sources.jar, -javadoc.jar, .module
- .asc signature files appear alongside the artifacts

🤖 Generated with Claude Code
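The pieces listed in the summary (sources and Javadoc JARs, a `signing` block that only activates when the key material is present in the environment, the POM blocks Sonatype validates, and the nexus-publish plugin pointed at the s01 staging URLs) fit together in the Gradle Kotlin DSL roughly as follows. This is an added example of that wiring, not the PR's own `sdk/build.gradle.kts` or root build script. It keeps the coordinates and the `-PreleaseVersion` convention the page describes; the repository URL, licence, developer ids, the plugin version and the assumption that Dokka 1.x registers a `dokkaJavadoc` task are mine, and every `*_PLACEHOLDER` value must be replaced.

```kotlin
// sdk/build.gradle.kts -- added illustration, not the PR's file.
plugins {
    id("com.android.library")
    id("org.jetbrains.kotlin.android")
    id("org.jetbrains.dokka")   // assumed on the root buildscript classpath, as the page says
    `maven-publish`
    signing
}

android {
    // other android {} settings omitted; this makes components["release"] available (AGP 7.1+)
    publishing { singleVariant("release") }
}

// Version is supplied at release time: ./gradlew ... -PreleaseVersion=1.2.3
val releaseVersion: String = (findProperty("releaseVersion") as String?) ?: "0.0.0-SNAPSHOT"

// Sonatype requires a sources JAR and a Javadoc JAR next to the .aar
val sourcesJar by tasks.registering(Jar::class) {
    archiveClassifier.set("sources")
    from("src/main/java", "src/main/kotlin")
}
val javadocJar by tasks.registering(Jar::class) {
    archiveClassifier.set("javadoc")
    from(tasks.named("dokkaJavadoc"))   // assumption: Dokka 1.x task; its output becomes the -javadoc.jar
}

afterEvaluate {   // the Android "release" component only exists after project evaluation
    publishing {
        publications {
            register<MavenPublication>("release") {
                groupId = "me.id.auth"
                artifactId = "android-auth-sample-code"
                version = releaseVersion
                from(components["release"])
                artifact(sourcesJar)
                artifact(javadocJar)
                pom {   // url, licenses, developers and scm are all checked by Sonatype's validation
                    name.set("android-auth-sample-code")
                    description.set("DESCRIPTION_PLACEHOLDER")
                    url.set("https://github.com/IDme/REPO_PLACEHOLDER")
                    licenses {
                        license {
                            name.set("LICENSE_NAME_PLACEHOLDER")
                            url.set("https://github.com/IDme/REPO_PLACEHOLDER/blob/main/LICENSE")
                        }
                    }
                    developers {
                        developer { id.set("DEVELOPER_ID_PLACEHOLDER"); name.set("ID.me") }
                    }
                    scm {
                        connection.set("scm:git:https://github.com/IDme/REPO_PLACEHOLDER.git")
                        developerConnection.set("scm:git:ssh://git@github.com/IDme/REPO_PLACEHOLDER.git")
                        url.set("https://github.com/IDme/REPO_PLACEHOLDER")
                    }
                }
            }
        }
    }
}

// Signing material comes only from CI secrets. Without SIGNING_KEY and SIGNING_PASSWORD in the
// environment the signing tasks are not required and are skipped, so local builds never touch the key.
val signingKeyId: String? = System.getenv("SIGNING_KEY_ID")
val signingKey: String? = System.getenv("SIGNING_KEY")          // ASCII-armoured secret key
val signingPassword: String? = System.getenv("SIGNING_PASSWORD")
val canSign = signingKey != null && signingPassword != null

signing {
    setRequired(canSign)
    if (canSign) useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
    sign(publishing.publications)   // lazily signs the "release" publication once it is registered
}

// ---------------------------------------------------------------------------
// build.gradle.kts (root) -- nexus-publish wiring; the plugin version is an assumption.
// plugins {
//     id("io.github.gradle-nexus.publish-plugin") version "1.3.0"
// }
// nexusPublishing {
//     repositories {
//         sonatype {
//             nexusUrl.set(uri("https://s01.oss.sonatype.org/service/local/"))
//             snapshotRepositoryUrl.set(uri("https://s01.oss.sonatype.org/content/repositories/snapshots/"))
//             username.set(System.getenv("SONATYPE_USERNAME"))
//             password.set(System.getenv("SONATYPE_PASSWORD"))
//         }
//     }
// }
// Release workflow step: publish to a staging repository, then close and release it
//   ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository -PreleaseVersion="$VERSION"
```

Because every credential is read from the environment, the publish job must run in the GitHub `release` environment that holds the five secrets; the protection rules on that environment (required reviewers, branch restrictions) are then what decides who can push a signed artifact to Maven Central, so they deserve the same scrutiny as the workflow pin above. Check the current Sonatype endpoints before relying on the s01 URLs, and confirm locally with the Maven-local publish in the test plan that the `.asc` files are present, since an unsigned upload is rejected at the staging step.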