ci: migrate to central-publishing-maven-plugin

bevzzz · bevzzz · commit 7174790493f4 · 2025-07-22T15:59:26.000+02:00
OSSRH platform was sunset on June 30, 2025 and the recommended way to publish Maven artifacts is now via 'central-publishing-maven-plugin'. https://central.sonatype.org/pages/ossrh-eol/ The new Publishing Platform doubles as a staging server and will verify the artifact's checksums and GPG-signatures. 1. We replace nexus-staging-maven-plugin with central-publishing-maven-plugin and drop the explicit <distributionManagement> configuration (we use the plugin's default configuration). 2. Default settings for 'mvn deploy' is to NOT auto-publish and out wait until the artifact is 'verified'. We override these in our GitHub CI to autoPublish=true and waitUntil=published. This allows testing deployment changes and running mvn-deploy locally without running a risk of accidentally publishing an artifact. 3. Move ./decrypt_secret.sh to tools/ and add an encrypt_secret.sh script for convenience 4. Update create-release.yaml GH workflow
diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
@@ -16,7 +16,7 @@ jobs:
         env:
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
         run: |
-          ./decrypt_secret.sh
+          ./tools/decrypt_secret.sh
       - name: Deploy
         env:
           OKTA_DUMMY_CI_PW: ${{ secrets.OKTA_DUMMY_CI_PW }}
@@ -25,8 +25,12 @@ jobs:
           AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
         run: |
           export GPG_TTY=$(tty)
+          source ./passphrase.env # load $MAVEN_GPG_PASSHRASE for maven-gpg-plugin
           mvn -DskipTests clean package
-          mvn -s settings.xml deploy
+          mvn -s settings.xml \
+          -Dcentral-publishing.autoPublish=true \
+          -Dcentral-publishing.waitUntil=published \
+          deploy
       - name: Archive artifacts
         uses: actions/upload-artifact@v4
         with:
diff --git a/pom.xml b/pom.xml
@@ -39,17 +39,6 @@
     <tag>5.3.0</tag>
   </scm>
 
-  <distributionManagement>
-    <snapshotRepository>
-      <id>ossrh</id>
-      <url>https://s01.oss.sonatype.org/content/repositories/snapshots/</url>
-    </snapshotRepository>
-    <repository>
-      <id>ossrh</id>
-      <url>https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/</url>
-    </repository>
-  </distributionManagement>
-
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.sourceEncoding>UTF-8</project.reporting.sourceEncoding>
@@ -366,7 +355,7 @@
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-gpg-plugin</artifactId>
-          <version>1.6</version>
+          <version>3.2.8</version>
           <executions>
             <execution>
               <id>sign-artifacts</id>
@@ -375,9 +364,9 @@
                 <goal>sign</goal>
               </goals>
               <configuration>
+                <!-- ${gpg.keyname} is set in settings.xml from settings.tar.gpg archive -->
                 <useAgent>true</useAgent>
-                <keyname>${gpg.keyname}</keyname>
-                <passphraseServerId>${gpg.keyname}</passphraseServerId>
+                <bestPractices>true</bestPractices>
                 <gpgArguments>
                   <arg>--batch</arg>
                   <arg>--pinentry-mode</arg>
@@ -395,33 +384,33 @@
           <artifactId>maven-install-plugin</artifactId>
           <version>3.0.0-M1</version>
         </plugin>
+
+        <!-- Maven includes maven-deploy-plugin by default, but we want to delegate -->
+        <!-- deployement to a third-party plugin. We add this entry to override <skip> -->
+        <!-- and ensure we dont' accidentaily publish twice. -->
         <plugin>
           <artifactId>maven-deploy-plugin</artifactId>
           <version>3.0.0-M1</version>
           <configuration>
             <skip>true</skip>
           </configuration>
         </plugin>
+
         <plugin>
-          <groupId>org.sonatype.plugins</groupId>
-          <artifactId>nexus-staging-maven-plugin</artifactId>
-          <version>1.6.13</version>
+          <groupId>org.sonatype.central</groupId>
+          <artifactId>central-publishing-maven-plugin</artifactId>
+          <version>0.8.0</version>
           <extensions>true</extensions>
-          <executions>
-            <execution>
-              <id>default-deploy</id>
-              <phase>deploy</phase>
-              <goals>
-                <goal>deploy</goal>
-              </goals>
-            </execution>
-          </executions>
           <configuration>
-            <serverId>ossrh</serverId>
-            <nexusUrl>https://s01.oss.sonatype.org</nexusUrl>
-            <autoReleaseAfterClose>true</autoReleaseAfterClose>
+            <!-- Auto-publishing is disabled by default to prevent accidental deployments. -->
+            <!-- When testing, it is therefore safe to run `mvn deploy` from your local machine, -->
+            <!-- as publishing will require manual action. -->
+            <!-- In CI we override this option to true and waitUtil=published. -->
+            <autoPublish>${central-publishing.autoPublish}</autoPublish>
+            <waitUntil>${central-publishing.waitUntil}</waitUntil>
           </configuration>
         </plugin>
+
         <plugin>
           <artifactId>maven-site-plugin</artifactId>
           <version>3.9.1</version>
@@ -458,8 +447,8 @@
         <artifactId>maven-gpg-plugin</artifactId>
       </plugin>
       <plugin>
-        <groupId>org.sonatype.plugins</groupId>
-        <artifactId>nexus-staging-maven-plugin</artifactId>
+        <groupId>org.sonatype.central</groupId>
+        <artifactId>central-publishing-maven-plugin</artifactId>
       </plugin>
     </plugins>
   </build>
diff --git a/tools/decrypt_secret.sh b/tools/decrypt_secret.sh
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+# Options:
 # --batch to prevent interactive command
 # --yes to assume "yes" for questions
 gpg --quiet --batch --yes --decrypt --passphrase="$GPG_PASSPHRASE" --output secrets.tar secrets.tar.gpg
diff --git a/tools/encrypt_secret.sh b/tools/encrypt_secret.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script generates a GPG-ecrypted tarball with our signing GPG key
+# and Maven Central Repository credentials.
+#
+# Make sure that key.gpg, settings.xml, and passphrase.env exist in the current directory.
+# Delete these files after the script has run. Only commit secrets.tar.gpg!
+
+rm -f secrets.tar &&
+  tar --no-xattrs -czf secrets.tar key.gpg settings.xml passphrase.env
+
+rm -f secrets.tar.gpg &&
+  gpg --batch --symmetric \
+  --passphrase "$GPG_PASSPHRASE" \
+  --output secrets.tar.gpg \
+  secrets.tar
+
+rm -f secrets.tar
+
+echo "Tarball secrets.tar.gpg generated successfully."
+echo "Remember to delete the plaintext files. Only commit secrets.tar.gpg to source control!"
+echo
+echo "  \$ git add secrets.tar.gpg && git commit -m 'ci: update secrets.tar.gpg'"
+echo "  \$ rm key.gpg settings.xml passphrase.env"
+echo
+
