I have a question regarding the release of artifacts to the Maven Repository: In the repository I am talking about, we have a multi-module Maven project with a pom.xml defined as follows:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>some.group.id</groupId>
    <artifactId>mvn.reactor</artifactId>
    <version>0.1.1-SNAPSHOT</version>
    <packaging>pom</packaging>
    <modules>
        <module>A</module>
        <module>B</module>
        <module>C</module>
        <module>D</module>
        <module>E</module>
        <module>F</module>
    </modules>
</project>
For the current state of the project we wanted to publish one single module, for example, module B. For this, we used a GitHub Action which follows pretty much this (actions/setup-java) guide.
Side note: Since the Action runs for the parent pom.xml, we defined the module which should be deployed with the -pl B parameter: mvn deploy -pl B
Unfortunately, this workflow didn't work out even though the settings.xml was created correctly. The following error message occurred when the publishing process should've been executed:
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
Error: Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign (sign-artifacts) on project ...
[INFO] Signer 'gpg' is signing 5 files
gpg: directory '/home/runner/.gnupg' created
gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
Error: Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:3.2.0:sign (sign-artifacts) on project ...
I tried it with version 1.6 as well as 3.2.0 of the maven-gpg-plugin. Additionally, I added the path of the settings.xml, which is created by the setup-java action in the prior step, with -s $HOME/.m2/settings.xml. Neither the version change nor the passed path to the settings.xml changed anything.
To "verify" that this approach works for single-module Maven projects, I created a repository for such a single-module Maven project and tried the same GitHub Action - et voilà, it worked and the artifact was signed.
However, after trying several more approaches and changes, the following one worked:
mvn deploy -Dgpg.keyname=<KEYNAME> -pl B
Now the final question: Why does this one work and the other doesn't? In my understanding, this implies that the passphrase must be available and accessible. Otherwise the files couldn't be signed, could they? Furthermore, that circumstance means that the settings.xml cannot be the "problem"?
Maybe someone has faced that issue before and found out the reason for that behaviour. Thanks in advance!