From 80c973fb679aa95f2a597ab79c09a6a5ce65a2a5 Mon Sep 17 00:00:00 2001
From: Alex Archambault
Date: Tue, 15 Jul 2025 17:46:42 +0200
Subject: [PATCH 1/4] Don't accept CI secrets on CLI in SonatypeCentralPublishModule

These secrets might leak with Mill's prompt, that tries to print back the command arguments. These might be truncated in particular, which can make parts of these secrets slip through output secret detection.
---
 .../SonatypeCentralPublishModule.scala | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala b/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
index b08ab9c2d1b5..9f8aaf92f6eb 100644
--- a/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
+++ b/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
@@ -53,10 +53,11 @@ trait SonatypeCentralPublishModule extends PublishModule with MavenWorkerSupport
   def publishSonatypeCentral(
       username: String = defaultCredentials,
-      password: String = defaultCredentials
+      password: String = defaultCredentials,
+      force: Boolean = false
   ): Task.Command[Unit] = Task.Command {
     val artifact = artifactMetadata()
-    val finalCredentials = getSonatypeCredentials(username, password)()
+    val finalCredentials = getSonatypeCredentials(username, password, force)()
     def publishSnapshot(): Unit = {
       val uri = sonatypeCentralSnapshotUri
@@ -141,14 +142,15 @@ object SonatypeCentralPublishModule extends ExternalModule with DefaultTaskModul
       readTimeout: Int = defaultReadTimeout,
       connectTimeout: Int = defaultConnectTimeout,
       awaitTimeout: Int = defaultAwaitTimeout,
-      bundleName: String = ""
+      bundleName: String = "",
+      force: Boolean = false
   ): Command[Unit] = Task.Command {
     val artifacts = Task.sequence(publishArtifacts.value)().map(_.withConcretePath)
     val finalBundleName = if (bundleName.isEmpty) None else Some(bundleName)
-    val finalCredentials = getSonatypeCredentials(username, password)()
+    val finalCredentials = getSonatypeCredentials(username, password, force)()
     val gpgArgs0 = internal.PublishModule.pgpImportSecretIfProvidedAndMakeGpgArgs(
       Task.env,
       GpgArgs.fromUserProvided(gpgArgs)
@@ -201,8 +203,17 @@ object SonatypeCentralPublishModule extends ExternalModule with DefaultTaskModul
   private def getSonatypeCredentials(
       usernameParameterValue: String,
-      passwordParameterValue: String
+      passwordParameterValue: String,
+      force: Boolean
   ): Task[SonatypeCredentials] = Task.Anon {
+    val isCI = Task.env.get("CI").nonEmpty
+    if (!force && isCI && (usernameParameterValue.nonEmpty || passwordParameterValue.nonEmpty))
+      sys.error(
+        "--username and --password options forbidden on CI. " +
+          "Their use might leak secrets. " +
+          s"Pass those values via environment variables instead ($USERNAME_ENV_VARIABLE_NAME and $PASSWORD_ENV_VARIABLE_NAME), or pass --force alongside them. " +
+          "You might want to check the output of this job for a leak of those secrets or parts of them."
+      )
     val username =
       getSonatypeCredential(usernameParameterValue, "username", USERNAME_ENV_VARIABLE_NAME)()
     val password =

From ab56040a0fff05c348d4b0158e43bae5041c6e64 Mon Sep 17 00:00:00 2001
From: Alex Archambault
Date: Tue, 15 Jul 2025 18:10:23 +0200
Subject: [PATCH 2/4] Fix MiMA

---
 .../SonatypeCentralPublishModule.scala | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

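Review bot: The CI guard added to getSonatypeCredentials fires inside the Task.Anon body, after the command line has already been parsed and, per the commit message, possibly echoed by Mill's prompt, so it can only report a misuse after the fact rather than keep the values out of the log; the message's last sentence hints at this, but a comment at the check would make the limit explicit, e.g. `// Best-effort tripwire: runs after argument parsing, so an echoed command line may already have exposed the values.`. Detection keys solely on the `CI` environment variable being set, which hosted CI services generally do but self-hosted or local runs may not, so the scaladoc of the new `force` parameter (outside the hunk) should say the check is opportunistic. The message tells the user to pass `--force`, yet `force` is a plain `Boolean` rather than `mainargs.Flag` (patch 4 of this series removes the `mainargs.Flag` import); if Mill's parser requires a value for Boolean parameters the hint should read `--force true` — worth checking against how the existing `shouldRelease: Boolean` on publishAll is passed on the command line. The same guard reaches publishSonatypeCentral and publishAll through the two earlier hunks of this patch, which only thread `force` through.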
diff --git a/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala b/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
index 9f8aaf92f6eb..f753f2719ed0 100644
--- a/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
+++ b/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
@@ -114,6 +114,17 @@ trait SonatypeCentralPublishModule extends PublishModule with MavenWorkerSupport
     if (artifact.version.endsWith("SNAPSHOT")) publishSnapshot() else publishRelease()
   }
+
+  // bin-compat shim
+  def publishSonatypeCentral(
+      username: String,
+      password: String
+  ): Task.Command[Unit] =
+    publishSonatypeCentral(
+      username,
+      password,
+      force = false
+    )
 }
 /**
@@ -173,6 +184,31 @@ object SonatypeCentralPublishModule extends ExternalModule with DefaultTaskModul
     )
   }
+  // bin-compat shim
+  def publishAll(
+      publishArtifacts: mill.util.Tasks[PublishModule.PublishData],
+      username: String,
+      password: String,
+      shouldRelease: Boolean,
+      gpgArgs: String,
+      readTimeout: Int,
+      connectTimeout: Int,
+      awaitTimeout: Int,
+      bundleName: String
+  ): Command[Unit] =
+    publishAll(
+      publishArtifacts,
+      username,
+      password,
+      shouldRelease,
+      gpgArgs,
+      readTimeout,
+      connectTimeout,
+      awaitTimeout,
+      bundleName,
+      force = false
+    )
   private def getPublishingTypeFromReleaseFlag(shouldRelease: Boolean): PublishingType = {
     if (shouldRelease) {
       PublishingType.AUTOMATIC

From 9693ca0468ec5d1d10a6c1babe5fe19d64a15361 Mon Sep 17 00:00:00 2001
From: Alex Archambault
Date: Tue, 15 Jul 2025 18:31:31 +0200
Subject: [PATCH 3/4] fmt

---
 .../src/mill/javalib/SonatypeCentralPublishModule.scala | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala b/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
index 557de7d7d857..5bd110b813d0 100644
--- a/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
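Review bot: The two bin-compat shims (`publishSonatypeCentral(username, password)` in the first hunk and `publishAll(...)` in the second) are public overloads carrying only a `// bin-compat shim` line, so nothing tells a caller which overload is the intended entry point or when the shim goes away. Mark each with `@deprecated("Use the overload that takes a force parameter", "<next release>")` and a one-line scaladoc pointing at the primary overload, so the default-argument-bearing signature is the documented one and the shim can be removed in a later release. Both shims pass `force = false`, so callers on the old signature still go through the CI guard, which is the right outcome and deserves a sentence in that scaladoc. Whether Mill's command discovery tolerates two same-named command overloads is not visible here; since the shim has no default arguments while the primary does, it is worth confirming by resolving the command once.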
+++ b/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
@@ -142,8 +142,8 @@ trait SonatypeCentralPublishModule extends PublishModule with MavenWorkerSupport
   // bin-compat shim
   def publishSonatypeCentral(
-      username: String,
-      password: String
+      username: String,
+      password: String
   ): Task.Command[Unit] =
     publishSonatypeCentral(
       username,

From b3ec05569a541f416c663e0a8fc6d3cdcfb391cc Mon Sep 17 00:00:00 2001
From: "autofix-ci[bot]" <114827586+autofix-ci[bot]@users.noreply.github.com>
Date: Tue, 15 Jul 2025 16:46:09 +0000
Subject: [PATCH 4/4] [autofix.ci] apply automated fixes

---
 libs/javalib/src/mill/javalib/MavenWorkerSupport.scala | 1 -
 libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala | 1 -
 2 files changed, 2 deletions(-)

diff --git a/libs/javalib/src/mill/javalib/MavenWorkerSupport.scala b/libs/javalib/src/mill/javalib/MavenWorkerSupport.scala
index 871c713c1934..6529b178f4a7 100644
--- a/libs/javalib/src/mill/javalib/MavenWorkerSupport.scala
+++ b/libs/javalib/src/mill/javalib/MavenWorkerSupport.scala
@@ -1,7 +1,6 @@
 package mill.javalib
 import mill.*
-import mill.api.daemon.internal.internal
 import mill.javalib.publish.{Artifact, PublishInfo}
 import mill.util.Jvm
 import os.Path
diff --git a/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala b/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
index 5bd110b813d0..83b09ed7be05 100644
--- a/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
+++ b/libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
@@ -3,7 +3,6 @@ package mill.javalib
 import com.lumidion.sonatype.central.client.core.{PublishingType, SonatypeCredentials}
 import mill.*
 import javalib.*
-import mainargs.Flag
 import mill.api.{ExternalModule, Task}
 import mill.util.Tasks
 import mill.api.DefaultTaskModule