Environment variables for Maven settings

Bryan Clark
Jan 16, 2020

While working on the latest update to the setup-java action for GitHub Actions, I learned quite a bit more about configuring Apache Maven and Gradle. I want to share one trick that was hard to find, and yet I think everyone should know about it.

Use environment variables for your passwords!

The settings.xml file, typically located in the ~/.m2/ directory, is used for server authentication, but it does not need to contain your passwords or tokens in plain text. Instead, you can use this format to reference environment variables where the secrets are kept. This is a big win for CI-based environments.

Take the following example:

<settings>
  <servers>
    <server>
      <id>github</id>
      <username>${env.GITHUB_ACTOR}</username>
      <password>${env.GITHUB_TOKEN}</password>
    </server>
  </servers>
</settings>

In the above settings.xml file you'll see the ${env.VARIABLE} notation instead of a plaintext password, which can be leaked. The environment variables GITHUB_ACTOR and GITHUB_TOKEN will be used for the username and password fields respectively. This notation lets you reference secrets held in the shell environment instead of saving them into a file.
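A check that could run in CI before Maven, added here as an example and not part of the original post: it parses a settings.xml, reports any server password or passphrase that is not a ${env.VARIABLE} reference, and reports references whose variable is unset. The names audit_settings and local, the sample file and its "internal" server are constructed for illustration.

```python
import os
import re
import sys
import xml.etree.ElementTree as ET

# A value that consists of exactly one ${env.NAME} reference.
ENV_REF = re.compile(r"^\$\{env\.([A-Za-z_][A-Za-z0-9_]*)\}$")
SECRET_FIELDS = ("password", "passphrase")

# Constructed sample: "github" follows the article, "internal" does not.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>github</id>
      <username>${env.GITHUB_ACTOR}</username>
      <password>${env.GITHUB_TOKEN}</password>
    </server>
    <server>
      <id>internal</id>
      <password>constructed-literal-secret</password>
    </server>
  </servers>
</settings>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a "{namespace}" prefix if present

def audit_settings(xml_text, environ):
    # Returns (server id, field, problem) tuples; an empty list means clean.
    findings = []
    for server in ET.fromstring(xml_text).iter():
        if local(server.tag) != "server":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in server}
        for name in SECRET_FIELDS:
            value = fields.get(name, "")
            ref = ENV_REF.match(value)
            if value and ref is None:
                findings.append((fields.get("id", "?"), name, "not_env_reference"))
            elif ref and not environ.get(ref.group(1)):
                findings.append((fields.get("id", "?"), name, "unset:" + ref.group(1)))
    return findings

if __name__ == "__main__":  # usage: python audit.py ~/.m2/settings.xml
    with open(sys.argv[1]) as fh:
        problems = audit_settings(fh.read(), os.environ)
    print(*problems, sep="\n")
    sys.exit(1 if problems else 0)
```

Anything that is not an environment reference is reported, so the check fails the build both when a secret was typed into the file and when the CI job forgot to export the variable.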

That's all. I hope this helps anyone else looking for this answer! Check out the docs for other questions related to the Apache Maven settings.


Bryan Clark

Director of Product Management @Timescale (previously @GitHub, @Mozilla, and @RedHat)