Add PGP signing to publications (#403)

* Add PGP signing to publications

Introduce Pretty Good Privacy (PGP) signing to the publication workflows of the project. The signing setup is included in the gradle wiring along with the retrieval of the key details from environment variables. This change is applied in both the publish and hotfix workflows.

* Update key retrieval in build script and workflow file

---------

Co-authored-by: Sebastiano Poggi <rock3r@users.noreply.github.com>
GitOrigin-RevId: df2e29049dfc5d5be47c5a78866afddf293f0da1

platform/jewel/.github/workflows/publish-hotfix.yml

@@ -31,3 +31,5 @@ jobs:
         env:
           MAVEN_SPACE_USERNAME: ${{secrets.MAVEN_SPACE_USERNAME}}
           MAVEN_SPACE_PASSWORD: ${{secrets.MAVEN_SPACE_PASSWORD}}
+          PGP_PASSWORD: ${{secrets.PGP_PASSWORD}}
+          PGP_PRIVATE_KEY: ${{secrets.PGP_PRIVATE_KEY}}

platform/jewel/.github/workflows/publish.yml

@@ -60,3 +60,5 @@ jobs:
         env:
           MAVEN_SPACE_USERNAME: ${{secrets.MAVEN_SPACE_USERNAME}}
           MAVEN_SPACE_PASSWORD: ${{secrets.MAVEN_SPACE_PASSWORD}}
+          PGP_PASSWORD: ${{secrets.PGP_PASSWORD}}
+          PGP_PRIVATE_KEY: ${{secrets.PGP_PRIVATE_KEY}}

platform/jewel/buildSrc/src/main/kotlin/jewel-publish.gradle.kts

@@ -4,6 +4,7 @@ plugins {
     kotlin("jvm")
     `maven-publish`
     id("org.jetbrains.dokka")
+    signing
 }
 
 val sourcesJar by tasks.registering(Jar::class) {
@@ -18,6 +19,16 @@ val javadocJar by tasks.registering(Jar::class) {
     destinationDirectory = layout.buildDirectory.dir("artifacts")
 }
 
+val publishingExtension = extensions.getByType<PublishingExtension>()
+
+signing {
+    useInMemoryPgpKeys(
+        System.getenv("PGP_PRIVATE_KEY") ?: properties["signing.privateKey"] as String?,
+        System.getenv("PGP_PASSWORD")?: properties["signing.password"] as String?
+    )
+    sign(publishingExtension.publications)
+}
+
 publishing {
     configureJewelRepositories(project)