build(release): add central-publishing-maven-plugin to release profile (D3) #97
Merged
…e (D3)

Wires up Track D3 from the readiness taskboard — third step of the Maven Central pipeline. Adds Sonatype's central-publishing-maven-plugin 0.7.0 to the existing release profile as a packaging extension, replacing the legacy nexus-staging-maven-plugin + manual staging-repository flow with a single deploy call.

Configuration:

- publishingServerId=central — matches the <server id='central'> entry the publish workflow (Track D4) writes into ~/.m2/settings.xml from CENTRAL_USERNAME / CENTRAL_TOKEN secrets.
- autoPublish=false — validation gate before the artefact goes live. The maintainer sanity-checks the first publish on central.sonatype.com and flips this to true after we're confident.
- waitUntil=validated — block the Maven build until Sonatype's validator confirms the upload meets Central requirements (signed artefacts, sources/javadoc jars, valid POM metadata). Surfaces errors in the workflow run rather than silently leaving a stuck upload.
- <extensions>true</extensions> — required so the plugin participates in the build lifecycle as a packaging extension.

Stacked on top of D2 (#96 build/gpg-signing-profile). Includes the D2 GPG signing block — will fast-forward after D2 merges.

Verification: ./mvnw -P release -DskipTests package -pl . -> BUILD SUCCESS. Deploy step not exercised locally (no credentials configured; that's Track D4's job).

Pipeline state: D1 ✅ + D2 (this PR's parent) + D3 (this PR). D4 publish workflow next.

Maintainer's human prerequisite for actual publishing: GPG key generation, GitHub secrets wiring (MAVEN_GPG_*, CENTRAL_*), and namespace verification on central.sonatype.com.
DemchaAV added a commit that referenced this pull request May 31, 2026
Wires up Track D4 - the fourth and final step of the Maven Central pipeline. Fires on the same v* tag push that triggers the existing release.yml workflow.

What the workflow does:

1. Re-runs mvnw verify against the tagged commit (defence-in-depth against a tag pushed from a broken branch).
2. actions/setup-java@v5 imports MAVEN_GPG_PRIVATE_KEY into the runner keyring and writes <server id='central'> credentials block from CENTRAL_USERNAME + CENTRAL_TOKEN secrets into ~/.m2/settings.xml.
3. Runs ./mvnw -P release -Dgpg.skip=false deploy. Release profile (D1) attaches sources + javadoc jars; maven-gpg-plugin (D2) signs them; central-publishing-maven-plugin (D3) uploads to Central and blocks until validation completes.

Hyphenated tags (-rc, -alpha, -beta, -snapshot) are explicitly skipped via the job's if: guard. Those ship only to JitPack + the GitHub Release pre-release surface; Central rejects them anyway.

workflow_dispatch input lets the maintainer re-publish an existing tag without re-cutting it if Central had a transient validator hiccup.

Workflow is dormant until four GitHub repo secrets are wired by the maintainer: MAVEN_GPG_PRIVATE_KEY, MAVEN_GPG_PASSPHRASE, CENTRAL_USERNAME, CENTRAL_TOKEN. docs/contributing/release-process.md section 2.C walks through the one-time setup end-to-end.

Stacked on D3 (#97). After D3 merges, this rebases fast-forward.
Summary

Wires up Track D3 — third step of the Maven Central pipeline. Adds Sonatype's `central-publishing-maven-plugin` 0.7.0 to the existing `release` profile as a packaging extension, replacing the legacy `nexus-staging-maven-plugin` + manual staging-repository flow with a single `deploy` call.

Plugin configuration

- `publishingServerId` | `central` | `<server id="central">` entry the publish workflow (Track D4) writes into `~/.m2/settings.xml` from `CENTRAL_USERNAME` / `CENTRAL_TOKEN` secrets.
- `autoPublish` | `false` | `central.sonatype.com` and flips this to `true` once we're confident.
- `waitUntil` | `validated`
- `<extensions>true</extensions>`

Verification
Deploy step not exercised locally — no credentials configured, no namespace verified yet. That's Track D4's setup phase.

CHANGELOG entry added to `v1.6.6 — Planned` under `### Build`.

What this doesn't do

- `deploy` runs with credentials in `~/.m2/settings.xml`.
- `io.github.demchaav` on `central.sonatype.com` (one-time, via GitHub auth or DNS TXT record).
- `CENTRAL_USERNAME` + `CENTRAL_TOKEN` GitHub repo secrets are the human prerequisite. The publish workflow (D4) will read them.

Pipeline state after this PR
Human prerequisites for actual publishing

- `central.sonatype.com` → Account → Generate User Token.
- `io.github.demchaav` namespace.
- `MAVEN_GPG_PRIVATE_KEY`, `MAVEN_GPG_PASSPHRASE`, `CENTRAL_USERNAME`, `CENTRAL_TOKEN`.

All of which I'll capture in the release-process doc alongside the D4 PR.

Test plan

- `mvn -P release -DskipTests package -pl .` green
- `mvnw verify` (no profile) unchanged
- `central-publishing-maven-plugin` block (~55 LOC including the explanatory comment) is the load-bearing piece
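
A pre-deploy check for the gate settings described in this PR, added here as an example and not part of the PR or the project's code: it parses a POM and reports any drift from `publishingServerId=central`, `autoPublish=false`, `waitUntil=validated` and `<extensions>true</extensions>` in the `release` profile. The sample POM is constructed, and the name `audit_release_profile` is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PLUGIN = "central-publishing-maven-plugin"
# Gate values taken from the PR description above.
EXPECTED = {"publishingServerId": "central", "autoPublish": "false",
            "waitUntil": "validated"}

# Constructed sample POM for illustration (not the project's real pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <profiles><profile>
    <id>release</id>
    <build><plugins><plugin>
      <groupId>org.sonatype.central</groupId>
      <artifactId>central-publishing-maven-plugin</artifactId>
      <version>0.7.0</version>
      <extensions>true</extensions>
      <configuration>
        <publishingServerId>central</publishingServerId>
        <autoPublish>false</autoPublish>
        <waitUntil>validated</waitUntil>
      </configuration>
    </plugin></plugins></build>
  </profile></profiles>
</project>"""

def audit_release_profile(pom_xml, profile_id="release"):
    """Return findings; an empty list means the publish gate is intact."""
    def text(node, path):
        return (node.findtext(path, default="", namespaces=NS) or "").strip()
    root = ET.fromstring(pom_xml)
    for profile in root.findall("m:profiles/m:profile", NS):
        if text(profile, "m:id") == profile_id:
            break
    else:
        return [f"profile '{profile_id}' not found"]
    for plugin in profile.findall("m:build/m:plugins/m:plugin", NS):
        if text(plugin, "m:artifactId") == PLUGIN:
            break
    else:
        return [f"{PLUGIN} not declared in profile '{profile_id}'"]
    findings = []
    if text(plugin, "m:extensions") != "true":
        findings.append("<extensions>true</extensions> missing")
    for key, want in EXPECTED.items():
        got = text(plugin, f"m:configuration/m:{key}")
        if got != want:
            findings.append(f"{key}={got or '<unset>'} (expected {want})")
    return findings
```

Running this as a required CI step on changes to `pom.xml` makes a flip of `autoPublish` to `true` a visible, reviewed decision instead of a silent one.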