From 7f767fdaac17a880d2ba4bbda0f540dc8c4a0f04 Mon Sep 17 00:00:00 2001
From: James McMullan <jpmcmu@gmail.com>
Date: Thu, 17 Aug 2023 09:07:56 -0400
Subject: [PATCH] Code review

---
 .github/workflows/publish-release-on-merge.yml   |  5 +++--
 .github/workflows/publish-snapshots-on-merge.yml | 12 ++++++++----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/publish-release-on-merge.yml b/.github/workflows/publish-release-on-merge.yml
index 2b5337f6..da6244e0 100644
--- a/.github/workflows/publish-release-on-merge.yml
+++ b/.github/workflows/publish-release-on-merge.yml
@@ -13,7 +13,6 @@ jobs:
           echo "Action     = ${{ github.action }}"
           echo "Event      = ${{ github.event_name }}"
           echo "Actor      = ${{ github.actor }}"
-          echo "Ref Name   = ${{ github.ref_name }}"
           echo "SHA        = ${{ github.sha }}"
 
       - uses: actions/checkout@v3
@@ -25,9 +24,10 @@ jobs:
           server-id: ossrh
           server-username: MAVEN_USERNAME
           server-password: MAVEN_PASSWORD
-          gpg-private-key: ${{ secrets.SIGNING_SECRET }}
+          gpg-private-key: MAVEN_GPG_KEY
           gpg-passphrase: MAVEN_GPG_PASSPHRASE
 
+      # Build & Publish steps are separated to isolate secrets from retry action code
       - name: Build package
         uses: nick-fields/retry@v2
         with:
@@ -42,3 +42,4 @@ jobs:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USER_NAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_PASS }}
           MAVEN_GPG_PASSPHRASE: ${{ secrets.SIGN_MODULES_PASSPHRASE }}
+          MAVEN_GPG_KEY: ${{ secrets.SIGNING_SECRET }}
diff --git a/.github/workflows/publish-snapshots-on-merge.yml b/.github/workflows/publish-snapshots-on-merge.yml
index 4af7a46c..425c1a6e 100644
--- a/.github/workflows/publish-snapshots-on-merge.yml
+++ b/.github/workflows/publish-snapshots-on-merge.yml
@@ -14,7 +14,6 @@ jobs:
           echo "Action     = ${{ github.action }}"
           echo "Event      = ${{ github.event_name }}"
           echo "Actor      = ${{ github.actor }}"
-          echo "Ref Name   = ${{ github.ref_name }}"
           echo "SHA        = ${{ github.sha }}"
 
       - uses: actions/checkout@v3
@@ -27,8 +26,13 @@ jobs:
           server-username: MAVEN_USERNAME
           server-password: MAVEN_PASSWORD
 
+      - name: Conditional Debug
+        if: (!contains(github.ref_name, '-release'))
+        run: echo "Condition met"
+
+      # Build & Publish steps are separated to isolate secrets from retry action code
       - name: Build package
-        if: contains(github.ref_name, '-release') == false
+        if: (!contains(github.ref_name, '-release'))
         uses: nick-fields/retry@v2
         with:
           timeout_minutes: 15
@@ -37,8 +41,8 @@ jobs:
           command: mvn --batch-mode package -DskipTests -DskipITs --file DataAccess/pom.xml
 
       - name: Publish package
-        if: contains(github.ref_name, '-release') == false
-        run : mvn --batch-mode deploy -DskipTests -DskipITs --file DataAccess/pom.xml
+        if: (!contains(github.ref_name, '-release'))
+        run: mvn --batch-mode deploy -DskipTests -DskipITs --file DataAccess/pom.xml
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USER_NAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_PASS }}