From 7f7743996f089f22446f1b57aeca82dc256877a0 Mon Sep 17 00:00:00 2001
From: DemchaAV <demchaav@gmail.com>
Date: Sun, 31 May 2026 17:36:00 +0100
Subject: [PATCH] build(release): add central-publishing-maven-plugin to
 release profile (D3)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wires up Track D3 from the readiness taskboard — third step of the Maven Central pipeline. Adds Sonatype's central-publishing-maven-plugin 0.7.0 to the existing release profile as a packaging extension, replacing the legacy nexus-staging-maven-plugin + manual staging-repository flow with a single deploy call.

Configuration:

  publishingServerId=central — matches the <server id='central'> entry the publish workflow (Track D4) writes into ~/.m2/settings.xml from CENTRAL_USERNAME / CENTRAL_TOKEN secrets.

  autoPublish=false — validation gate before the artefact goes live. The maintainer sanity-checks the first publish on central.sonatype.com and flips this to true after we're confident.

  waitUntil=validated — block the Maven build until Sonatype's validator confirms the upload meets Central requirements (signed artefacts, sources/javadoc jars, valid POM metadata). Surfaces errors in the workflow run rather than silently leaving a stuck upload.

  <extensions>true</extensions> — required so the plugin participates in the build lifecycle as a packaging extension.

Stacked on top of D2 (#96 build/gpg-signing-profile). Includes the D2 GPG signing block — will fast-forward after D2 merges.

Verification: ./mvnw -P release -DskipTests package -pl . -> BUILD SUCCESS. Deploy step not exercised locally (no credentials configured; that's Track D4's job).

Pipeline state: D1 ✅ + D2 (this PR's parent) + D3 (this PR). D4 publish workflow next. Maintainer's human prerequisite for actual publishing: GPG key generation, GitHub secrets wiring (MAVEN_GPG_*, CENTRAL_*), and namespace verification on central.sonatype.com.
---
 CHANGELOG.md | 15 +++++++++++++++
 pom.xml      | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index be294a19..31f23d81 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,21 @@ JitPack continue to resolve through the existing coordinates.
   `./mvnw -DskipTests -P japicmp verify -pl .`; HTML/MD/XML reports
   land in `target/japicmp/`. JitPack repository is scoped to the
   `japicmp` profile, so downstream consumers do not inherit it.
+- **`central-publishing-maven-plugin` in the `release` profile**
+  (Track D3). Adds Sonatype's `central-publishing-maven-plugin` 0.7.0
+  to the existing `release` profile as a packaging extension. Replaces
+  the legacy `nexus-staging-maven-plugin` + manual staging-repository
+  workflow with a single `deploy` call. Configuration:
+  `publishingServerId=central` (matches the `<server id="central">`
+  entry the publish workflow writes from `CENTRAL_USERNAME` /
+  `CENTRAL_TOKEN` secrets), `autoPublish=false` (validation gate before
+  the artefact goes live — flips to `true` once we're confident
+  post-D4), `waitUntil=validated` (the build waits for Sonatype's
+  validator so any rejection surfaces in the workflow run, not a
+  silent stuck upload). Requires the `io.github.demchaav` namespace to
+  be verified on `central.sonatype.com` (one-time human step via
+  GitHub auth or DNS TXT record). The plugin loads inert until D4's
+  workflow provides the credentials.
 - **GPG signing in the `release` profile** (Track D2). Adds
   `maven-gpg-plugin` 3.2.7 to the existing `release` profile, binding
   to the `verify` phase to sign main / sources / javadoc / pom
diff --git a/pom.xml b/pom.xml
index 3a2da5b2..68844cfc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -65,6 +65,7 @@
         <byteBuddy.version>1.18.8</byteBuddy.version>
 
         <!-- Build plugins -->
+        <central.publishing.plugin.version>0.7.0</central.publishing.plugin.version>
         <maven.compiler.plugin.version>3.15.0</maven.compiler.plugin.version>
         <maven.enforcer.plugin.version>3.5.0</maven.enforcer.plugin.version>
         <maven.gpg.plugin.version>3.2.7</maven.gpg.plugin.version>
@@ -555,6 +556,54 @@
                             </execution>
                         </executions>
                     </plugin>
+                    <!--
+                        Sonatype central-publishing-maven-plugin: the
+                        modern replacement for the old `nexus-staging-maven-plugin`
+                        + manual staging-repository flow. Uploads the
+                        signed artefacts (main + sources + javadoc + pom)
+                        to the namespace verified at central.sonatype.com.
+
+                        Configuration:
+                          publishingServerId=central — matches the
+                            <server id="central"> entry the publish
+                            workflow (Track D4) writes into
+                            ~/.m2/settings.xml from the CENTRAL_USERNAME
+                            / CENTRAL_TOKEN repo secrets.
+                          autoPublish=false — uploads to the validation
+                            queue but does NOT auto-release. The
+                            maintainer flips the switch on
+                            central.sonatype.com after a sanity check
+                            on the first publish; subsequent releases
+                            can flip this to true in the workflow when
+                            we are confident.
+                          waitUntil=validated — block the Maven build
+                            until Sonatype's validator confirms the
+                            upload meets the Central requirements
+                            (signed artefacts, sources/javadoc jars,
+                            valid POM metadata, etc.). Surfaces errors
+                            inside the workflow run rather than
+                            silently leaving a stuck upload.
+                          <extensions>true</extensions> — required so
+                            the plugin participates in the build
+                            lifecycle as a packaging extension.
+
+                        Requires (configured by Track D4 workflow):
+                          - CENTRAL_USERNAME / CENTRAL_TOKEN secrets
+                          - namespace `io.github.demchaav` verified on
+                            central.sonatype.com (one-time, via GitHub
+                            auth or DNS TXT record).
+                    -->
+                    <plugin>
+                        <groupId>org.sonatype.central</groupId>
+                        <artifactId>central-publishing-maven-plugin</artifactId>
+                        <version>${central.publishing.plugin.version}</version>
+                        <extensions>true</extensions>
+                        <configuration>
+                            <publishingServerId>central</publishingServerId>
+                            <autoPublish>false</autoPublish>
+                            <waitUntil>validated</waitUntil>
+                        </configuration>
+                    </plugin>
                 </plugins>
             </build>
         </profile>