build(release): add GPG signing plugin to release profile (D2)#96
Merged
Wires up Track D2 from the readiness taskboard - the second step of the Maven Central pipeline. Maven Central rejects unsigned uploads; this PR adds maven-gpg-plugin 3.2.7 to the existing release profile so the main / sources / javadoc / pom artefacts get signed during the verify phase.

Off by default: new <gpg.skip>true</gpg.skip> property keeps local mvn -P release package runs working without a configured GPG key. The publish workflow (Track D4) flips it explicitly with -Dgpg.skip=false once MAVEN_GPG_PRIVATE_KEY and MAVEN_GPG_PASSPHRASE secrets are wired. gpgArguments declares --pinentry-mode loopback so non-interactive CI runs accept the passphrase from env / system property without needing a TTY for gpg-agent.

Verification:
- mvnw -P release -DskipTests verify -pl . (default skip=true) -> BUILD SUCCESS, sign step silently skipped
- mvnw -P release -Dgpg.skip=false -DskipTests verify -pl . -> BUILD FAILURE with gpg exit code 2 (expected - no key configured locally; proves plugin would attempt signing)

Pipeline state after this PR: artefacts (D1) + signing (D2) ready; central-publishing (D3) and workflow (D4) pending. Maintainer GPG key generation and GitHub secret wiring is the human prerequisite before D4's workflow will actually publish anything.
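The release profile the PR description above lays out, written out as an added example (this is not the project's own pom.xml; the coordinates and version are placeholders, and the sources/javadoc jars are assumed to come from the Track D1 plugins already in the profile). The security-relevant pieces are the `gpg.skip` default, `<skip>${gpg.skip}</skip>` on the `sign` goal, and the loopback pinentry that takes the passphrase from `MAVEN_GPG_PASSPHRASE` instead of a TTY:

```xml
<!-- Added example, not the project's pom.xml. Coordinates are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- placeholder -->
  <artifactId>example-lib</artifactId>    <!-- placeholder -->
  <version>1.6.6-SNAPSHOT</version>       <!-- placeholder -->

  <properties>
    <!-- Off by default: a local `mvn -P release package` needs no GPG key.
         CI overrides this on the command line with -Dgpg.skip=false. -->
    <gpg.skip>true</gpg.skip>
  </properties>

  <profiles>
    <profile>
      <id>release</id>
      <build>
        <plugins>
          <!-- Track D1 plugins (maven-source-plugin, maven-javadoc-plugin) are
               assumed to sit here; gpg:sign signs every attached artefact and
               the POM, so sources/javadoc jars get their own .asc files. -->
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-gpg-plugin</artifactId>
            <version>3.2.7</version>
            <executions>
              <execution>
                <id>sign-artifacts</id>
                <phase>verify</phase>
                <goals>
                  <goal>sign</goal>
                </goals>
                <configuration>
                  <!-- Bound to the property above: engaged but skipped locally. -->
                  <skip>${gpg.skip}</skip>
                  <!-- Loopback pinentry lets a headless runner hand the passphrase
                       to gpg without a TTY. The passphrase itself is read from the
                       MAVEN_GPG_PASSPHRASE environment variable (or -Dgpg.passphrase);
                       it is never written into the pom. -->
                  <gpgArguments>
                    <arg>--pinentry-mode</arg>
                    <arg>loopback</arg>
                  </gpgArguments>
                </configuration>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

With this in place `mvn -P release verify` stays green on a machine with no key, and `MAVEN_GPG_PASSPHRASE=... mvn -P release -Dgpg.skip=false verify` produces a detached `.asc` beside each artefact in `target/`. A useful post-build check on the runner is `gpg --verify target/example-lib-1.6.6.jar.asc target/example-lib-1.6.6.jar`: it confirms the signature was made with the key that was imported into the runner's keyring, which is the only thing Central will later trust. Importing the private key from `MAVEN_GPG_PRIVATE_KEY` is the D4 workflow's job and lives outside the pom.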
DemchaAV added a commit that referenced this pull request on May 31, 2026:
…e (D3)

Wires up Track D3 from the readiness taskboard — third step of the Maven Central pipeline. Adds Sonatype's central-publishing-maven-plugin 0.7.0 to the existing release profile as a packaging extension, replacing the legacy nexus-staging-maven-plugin + manual staging-repository flow with a single deploy call.

Configuration:
- publishingServerId=central — matches the <server id='central'> entry the publish workflow (Track D4) writes into ~/.m2/settings.xml from CENTRAL_USERNAME / CENTRAL_TOKEN secrets.
- autoPublish=false — validation gate before the artefact goes live. The maintainer sanity-checks the first publish on central.sonatype.com and flips this to true after we're confident.
- waitUntil=validated — block the Maven build until Sonatype's validator confirms the upload meets Central requirements (signed artefacts, sources/javadoc jars, valid POM metadata). Surfaces errors in the workflow run rather than silently leaving a stuck upload.
- <extensions>true</extensions> — required so the plugin participates in the build lifecycle as a packaging extension.

Stacked on top of D2 (#96 build/gpg-signing-profile). Includes the D2 GPG signing block — will fast-forward after D2 merges.

Verification: ./mvnw -P release -DskipTests package -pl . -> BUILD SUCCESS. Deploy step not exercised locally (no credentials configured; that's Track D4's job).

Pipeline state: D1 ✅ + D2 (this PR's parent) + D3 (this PR). D4 publish workflow next. Maintainer's human prerequisite for actual publishing: GPG key generation, GitHub secrets wiring (MAVEN_GPG_*, CENTRAL_*), and namespace verification on central.sonatype.com.
DemchaAV added a commit that referenced this pull request on May 31, 2026:
…e (D3) (#97)

Wires up Track D3 from the readiness taskboard — third step of the Maven Central pipeline. Adds Sonatype's central-publishing-maven-plugin 0.7.0 to the existing release profile as a packaging extension, replacing the legacy nexus-staging-maven-plugin + manual staging-repository flow with a single deploy call.

Configuration:
- publishingServerId=central — matches the <server id='central'> entry the publish workflow (Track D4) writes into ~/.m2/settings.xml from CENTRAL_USERNAME / CENTRAL_TOKEN secrets.
- autoPublish=false — validation gate before the artefact goes live. The maintainer sanity-checks the first publish on central.sonatype.com and flips this to true after we're confident.
- waitUntil=validated — block the Maven build until Sonatype's validator confirms the upload meets Central requirements (signed artefacts, sources/javadoc jars, valid POM metadata). Surfaces errors in the workflow run rather than silently leaving a stuck upload.
- <extensions>true</extensions> — required so the plugin participates in the build lifecycle as a packaging extension.

Stacked on top of D2 (#96 build/gpg-signing-profile). Includes the D2 GPG signing block — will fast-forward after D2 merges.

Verification: ./mvnw -P release -DskipTests package -pl . -> BUILD SUCCESS. Deploy step not exercised locally (no credentials configured; that's Track D4's job).

Pipeline state: D1 ✅ + D2 (this PR's parent) + D3 (this PR). D4 publish workflow next. Maintainer's human prerequisite for actual publishing: GPG key generation, GitHub secrets wiring (MAVEN_GPG_*, CENTRAL_*), and namespace verification on central.sonatype.com.
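The Track D3 configuration described in the two referenced commit messages above, as an added example (not the project's pom.xml) of the central-publishing plugin block that sits in the same release profile next to the gpg plugin. Everything here is taken from the commit text; the plugin's `groupId` is Sonatype's published one:

```xml
<!-- Added example, not the project's pom.xml: the D3 plugin inside the existing
     release profile. The gpg plugin from D2 sits in the same <plugins> list. -->
<profile>
  <id>release</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.sonatype.central</groupId>
        <artifactId>central-publishing-maven-plugin</artifactId>
        <version>0.7.0</version>
        <!-- Required: as a packaging extension the plugin takes over the deploy
             phase, replacing nexus-staging + manual staging-repository handling. -->
        <extensions>true</extensions>
        <configuration>
          <!-- Must equal the <server><id> in ~/.m2/settings.xml that the D4
               workflow writes from CENTRAL_USERNAME / CENTRAL_TOKEN. The
               credentials themselves never appear in the pom. -->
          <publishingServerId>central</publishingServerId>
          <!-- Validation gate: the bundle stops after validation for a human
               check on central.sonatype.com; flip to true only after the first
               release has been inspected. -->
          <autoPublish>false</autoPublish>
          <!-- Block the build until Central's validator has accepted the upload
               (signatures, sources/javadoc jars, POM metadata). A rejected bundle
               fails the workflow run instead of sitting stuck server-side. -->
          <waitUntil>validated</waitUntil>
        </configuration>
      </plugin>
    </plugins>
  </build>
</profile>
```

The matching `settings.xml` entry the workflow generates is a single `<server>` block whose `<id>` is `central` and whose `<username>` / `<password>` read `${env.CENTRAL_USERNAME}` and `${env.CENTRAL_TOKEN}`, so the token only ever exists in the runner's environment. Because `autoPublish` is `false`, a `./mvnw -P release -Dgpg.skip=false deploy` from the workflow uploads and validates but leaves the final "publish" click to the maintainer, which is the point at which the signed artefacts can be spot-checked before they become immutable on Central.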
Summary

Wires up Track D2 — Maven Central rejects unsigned uploads; this PR adds `maven-gpg-plugin` 3.2.7 to the existing `release` profile so the main / sources / javadoc / pom artefacts are signed during the `verify` phase.

Off by default

- `mvn -P release package` (local): `<gpg.skip>true</gpg.skip>` property in `<properties>` keeps every local invocation working.
- `mvn -P release -Dgpg.skip=false verify` (manual): flips `-Dgpg.skip=false` explicitly and provides `MAVEN_GPG_PRIVATE_KEY` + `MAVEN_GPG_PASSPHRASE` from repo secrets.

`gpgArguments` declares `--pinentry-mode loopback` so non-interactive CI runs accept the passphrase from `-Dgpg.passphrase` / `MAVEN_GPG_PASSPHRASE` without needing a TTY for `gpg-agent`.

Verification

- Default (skip=true): sign step engaged but silently skipped via `<skip>${gpg.skip}</skip>`.
- Forced (skip=false), no key: expected — confirms the plugin would actually attempt signing when the workflow flips the switch.

CHANGELOG entry added to `v1.6.6 — Planned` under `### Build`.

What this doesn't do

- `MAVEN_GPG_PRIVATE_KEY` and `MAVEN_GPG_PASSPHRASE` are GitHub repo secrets the maintainer must create after generating the GPG key and uploading the public key to the keyserver pool. Until then, this PR is dormant — no publish workflow yet (Track D4), and the local default keeps everything green.
- `gpg --homedir` resolves; that policy lives outside the pom.

Pipeline state after this PR

Maintainer GPG key generation and GitHub secret wiring is the human prerequisite before D4's workflow will actually publish anything; the plugin / workflow side will be ready and waiting.

Test plan

- `mvn -P release verify` green locally
- `mvn -P release -Dgpg.skip=false verify` correctly attempts signing (expected failure without key)
- `mvnw verify` (no profile activation)
- `<gpg.skip>true</gpg.skip>` property are the load-bearing pieces