release: Migrate artifacts publishing from legacy OSSRH to Central Portal #12156
Conversation
| curl --fail-with-body -X POST \ | ||
| -H "Authorization: Bearer ${BEARER_TOKEN}" \ | ||
| -H "Content-Type: application/json" \ | ||
| "${MANUAL_API_URL}/upload/repository/${REPOID}?publishing_type=automatic" |
| BEARER_TOKEN=$(echo -n "$USERPASS" | base64) | ||
|
|
||
| curl --fail-with-body -X POST \ | ||
| -H "Authorization: Bearer ${BEARER_TOKEN}" \ |
There was a problem hiding this comment.
I know the documentation said it is Bearer, but I'm suspicious it is actually Basic. You can see in the old API we passed -u to curl, which does HTTP basic (because servers rarely request HTTP digest these days). The same for Gradle; it looks configured for Basic. The base64 scheme it talks about is actually Basic, except they replaced the Authorization header prefix with Bearer.
There was a problem hiding this comment.
I found more on how we were using -u earlier, there it is explicitly shown the usage in the doc, on page 172. No mention of bearer in their the documentation. Why would they say in the new central portal! Thats unconventional by Sonatype.
There was a problem hiding this comment.
I'm suspicious it was actually a typo or someone less familiar didn't realize the difference it was actually Basic. Bearer is very common, but for user:pass authentication should generally be Basic. They both start with B; someone might not realize the error.
There was a problem hiding this comment.
Yeah could be.
Even I found couple of typos at places in their migration documentations.
We will be using Publish By Using the Portal OSSRH Staging API to have minimal changes in our release process.
We will generate new token by following the Generating a Portal Token for Publishing documentation that gives us Central Portal Token through UI and update the same in our GCS file
sonatype-uploadwith new token. We will also update our g3 docs defining#auto-releasing-using-kokoroand#how-the-kokoro-release-job-is-structuredas required. (I'm not adding links because it's Google internal.)