From 3ad474a807469b4dffc23348ead3be597ef016f6 Mon Sep 17 00:00:00 2001 From: Sven Strittmatter Date: Fri, 21 Jul 2023 22:04:42 +0200 Subject: [PATCH 1/3] #35 First parts of documentation for release ceremony Signed-off-by: Sven Strittmatter --- release.md | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 release.md diff --git a/release.md b/release.md new file mode 100644 index 00000000..661d1f3d --- /dev/null +++ b/release.md 
@@ -0,0 +1,70 @@ +# Release Documentation + +Here we describe all the ceremonial stuff necessary to publish a Java library to Maven Central. + +## GPG Guide for Maven Release Signing + +This guide is based on [Working with PGP Signatures](https://central.sonatype.org/publish/requirements/gpg/) and [OpenPGP Best Practices](https://riseup.net/ru/security/message-security/openpgp/gpg-best-practices). + +### About our key + +Real name: `the secureCodeBox authors` +Email: `securecodebox@iteratec.com` +Comment: `Maven Release Signing Key` +Fingerprint: `40AA7D29EB6DE0667D7E723ADE4725604A739BAF` +Password: [see our password manager] + +### Create a new key + +We create a new GPG key with: + +```shell +gpg --full-generate-key +``` + +### Import the private key + +Download private key from 1Password and import it locally + +```shell +gpg --import private.key +``` + +### Export the Private Key + +#### For GitHub Actions + +```shell +gpg --armor --export-secret-keys 40AA7D29EB6DE0667D7E723ADE4725604A739BAF +``` + +#### For 1Password + +```shell +gpg -o private.key --export-secret-key 40AA7D29EB6DE0667D7E723ADE4725604A739BAF +``` + +### Expiration + +It is recommended to use an expiration date less than two years. We use an interval of **two years**. This means that we need to extend the expiration date every two years! + +#### How to extend the expiration date? + +1. Download the private key file `private.key` from 1Password +2. Import it locally: `gpg --import private.key` +3. Select the key : `gpg --edit-key 40AA7D29EB6DE0667D7E723ADE4725604A739BAF` +4. Now select the subkey and set the expire date (use `2y` for two years): +```shell +gpg> key 1 +gpg> expire +``` +5. Save it: +```shell +gpg> save +``` +6. Update the private key in out password manager and GitHub Secrets + +## TODOs + +- How to remember the expirationd date over time & with changing developers? +- Do we need to import the public key in sonatype? 
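Review bot: step 4 of "How to extend the expiration date?" only extends the subkey selected with `gpg> key 1`; the primary key's own expiry is not touched, and once the primary key expires the whole key is treated as expired regardless of the subkey. Either run `expire` once before `key 1` as well, or state in "About our key" that the primary key carries no expiry. Extending the expiry also changes the public key (the expiry lives in its self-signature), so step 6 should include re-publishing the updated public key wherever verifiers fetch it; that is also the answer to the "Do we need to import the public key in sonatype?" TODO. Two smaller points: "an expiration date less than two years" and "an interval of **two years**" contradict each other, and the fenced blocks under items 4 and 5 are not indented, which breaks the numbered list; indent them so they stay inside the items.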
From e81a0626a61baa7f18375ff603de26cb8ced9937 Mon Sep 17 00:00:00 2001 From: Heiko Kiesel Date: Mon, 24 Jul 2023 16:16:20 +0200 Subject: [PATCH 2/3] Add Credentials description Signed-off-by: Heiko Kiesel --- release.md | 45 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 38 insertions(+), 7 deletions(-) diff --git a/release.md b/release.md index 661d1f3d..f0f72074 100644 --- a/release.md +++ b/release.md @@ -2,7 +2,33 @@ Here we describe all the ceremonial stuff necessary to publish a Java library to Maven Central. -## GPG Guide for Maven Release Signing + +## Credentials + +Publishing to Maven Central requires authentication in the form of a username-password or an User Token (as username and password). +We use User Tokens [2] for authentication, which are stored in our password manager. + +### Local (on device) + +The `MAVEN_USERNAME` and `MAVEN_PASSWORD` environment variable needs to be set on the device. + +### GitHub Actions + +In the GitHub Secrets [1], we need to add two secrets called `MAVEN_USERNAME` and `MAVEN_PASSWORD` (Github enforces a leading `SECRET_TOKEN`). +They can be accessed in a yaml file with `${{ secrets.MAVEN_USERNAME }}` and `${{ secrets.MAVEN_PASSWORD }}`. +We pass both these secrets in the `env` block. + +For example: + +```yaml +- name: Publish to Maven Central + run: ./gradlew publish + env: + MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }} + MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }} +``` + +## GPG Guide for Maven Signing This guide is based on [Working with PGP Signatures](https://central.sonatype.org/publish/requirements/gpg/) and [OpenPGP Best Practices](https://riseup.net/ru/security/message-security/openpgp/gpg-best-practices). @@ -24,7 +50,7 @@ gpg --full-generate-key ### Import the private key -Download private key from 1Password and import it locally +Download private key from password manager and import it locally ```shell gpg --import private.key 
@@ -38,7 +64,7 @@ gpg --import private.key gpg --armor --export-secret-keys 40AA7D29EB6DE0667D7E723ADE4725604A739BAF ``` -#### For 1Password +#### For Password Manager ```shell gpg -o private.key --export-secret-key 40AA7D29EB6DE0667D7E723ADE4725604A739BAF @@ -46,14 +72,17 @@ gpg -o private.key --export-secret-key 40AA7D29EB6DE0667D7E723ADE4725604A739BAF ### Expiration -It is recommended to use an expiration date less than two years. We use an interval of **two years**. This means that we need to extend the expiration date every two years! +It is recommended to use an expiration date less than two years. +We use an interval of **two years**. +This means that we need to extend the expiration date every two years! +To remember, we added an appointment to the team calendar. #### How to extend the expiration date? -1. Download the private key file `private.key` from 1Password +1. Download the private key file `private.key` from password manager 2. Import it locally: `gpg --import private.key` 3. Select the key : `gpg --edit-key 40AA7D29EB6DE0667D7E723ADE4725604A739BAF` -4. Now select the subkey and set the expire date (use `2y` for two years): +4. Now select the Subkey and set the expire date (use `2y` for two years): ```shell gpg> key 1 gpg> expire @@ -66,5 +95,7 @@ gpg> save ## TODOs -- How to remember the expirationd date over time & with changing developers? - Do we need to import the public key in sonatype? + +[1]: https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/GitHub-Actions-Secrets-Example-Token-Tutorial +[2]: https://help.sonatype.com/iqserver/managing/user-management/user-tokens From 0e4645087b8a2965b3a2892e6113efa15ae602f1 Mon Sep 17 00:00:00 2001 From: Heiko Kiesel Date: Tue, 25 Jul 2023 15:50:28 +0200 Subject: [PATCH 3/3] Add explanation on how to add signing key and password to github actions Signed-off-by: Heiko Kiesel --- release.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
diff --git a/release.md b/release.md index f0f72074..c6eb3cb7 100644 --- a/release.md +++ b/release.md @@ -64,6 +64,22 @@ gpg --import private.key gpg --armor --export-secret-keys 40AA7D29EB6DE0667D7E723ADE4725604A739BAF ``` +In the GitHub Secrets [1], add the output of this command to the `SIGNING_KEY` secret. +Additionally, you must add the corresponding password in as `SIGNING_PASSWORD`. +Both can be accessed in a yaml file with `${{ secrets.SIGNING_KEY }}` and `${{ secrets.SIGNING_PASSWORD }}`. +We pass both these secrets in the `env` block- + +For example: + +```yaml +- name: Publish to Maven Central + run: ./gradlew publish + env: + SIGNING_KEY: ${{ secrets.SIGNING_KEY }} + SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} + ... +``` + #### For Password Manager ```shell
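Review bot: in the first hunk of patch 2, the aside "(Github enforces a leading `SECRET_TOKEN`)" contradicts the sentence it sits in, which names the secrets plainly `MAVEN_USERNAME` and `MAVEN_PASSWORD`; state the secret names exactly as they appear in the repository settings and drop or reword the aside. "The `MAVEN_USERNAME` and `MAVEN_PASSWORD` environment variable needs to be set" should read "environment variables need to be set". The `env:` example in this hunk and the `SIGNING_*` example added in patch 3 both describe the same `Publish to Maven Central` step, so a single example listing all four variables would stop a reader from wiring two separate steps.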
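Review bot: in the Expiration hunk of patch 2, the team-calendar appointment is now the only safeguard against the signing key expiring unnoticed, but the document never records the current expiry date; add it to "About our key" next to the fingerprint so anyone can check it against `gpg --list-keys 40AA7D29EB6DE0667D7E723ADE4725604A739BAF`, and say in the doc which calendar holds the reminder and that it is set well before the expiry date, not on it. Minor: "Subkey" is capitalised here while the rest of the section uses "subkey".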
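Review bot: in the last hunk of patch 2, reference [2] points at the Sonatype IQ Server user-token page (`help.sonatype.com/iqserver/...`), which is a different product from the Central publishing account the "Credentials" section describes; link the user-token documentation on central.sonatype.org, the site the GPG guide already cites. Reference [1] is a third-party blog post; GitHub's own documentation on encrypted secrets is the more durable target.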
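Review bot: in patch 3, `SIGNING_KEY` receives the output of `gpg --armor --export-secret-keys 40AA7D29EB6DE0667D7E723ADE4725604A739BAF`, which contains the primary secret key together with all subkeys; for a CI secret the less exposed choice is `gpg --armor --export-secret-subkeys` of the signing subkey alone, keeping the primary key only in the password manager, which is what the best-practices guide cited in this section recommends. The hunk also does not show how the build consumes the two variables, so a reader cannot verify that the names match the Gradle signing configuration; quote the line of the build script that reads `SIGNING_KEY` and `SIGNING_PASSWORD`. Typos: "add the corresponding password in as `SIGNING_PASSWORD`" and "in the `env` block-" (stray hyphen where a full stop belongs).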