ci: Add Maven Central release workflow; DRY and harden snapshot deploy#8
Conversation
* Add release.yml: on a v* tag (created by maven-release-plugin), set up the JDK with Central credentials and the GPG signing key, then run deploy -Prelease to sign and publish to Maven Central. Skip surefire and the archetype integration tests since release:prepare already ran them (-DskipTests does not cover archetype.test.skip). * Extend the jdk-setup composite action with optional server-id, credential, and GPG inputs so the release job can authenticate and sign artifacts; existing callers that pass no inputs are unaffected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01DGSbyBPTxsj73xhYpnxcse
The jdk-setup composite action now accepts Maven Central credentials, so deploy-snapshot no longer needs a separate setup-java step after it. Pass the server inputs to jdk-setup and drop the redundant second JDK setup. Behavior is unchanged — snapshots are unsigned, so no GPG inputs are needed, and the action still configures JDK 21 with Maven caching. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01DGSbyBPTxsj73xhYpnxcse
…nd pinned checkout Bring deploy-snapshot in line with core's workflow hygiene: * permissions: contents: read — the job only reads the repo and deploys externally, so it needs no write scope. * concurrency group snapshot-deploy (cancel-in-progress: false) — serialize snapshot deploys so two runs cannot race to publish to Central. * checkout the exact commit that passed CI (workflow_run head_sha) and stop persisting the GITHUB_TOKEN in the local git config. source:jar-no-fork is intentionally not adopted: the archetype has no Java sources, so a sources jar would be empty and Central does not require one for maven-archetype artifacts. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01DGSbyBPTxsj73xhYpnxcse
📝 WalkthroughWalkthroughAdds a new ChangesMaven Central Release CI Pipeline
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/site/asciidoc/releasing.adoc (1)
146-152: 🎯 Functional Correctness | 🟠 Major | ⚖️ Poor tradeoffRewrite the reproducible-builds explanation to match the fixed-
outputTimestampmodel.The current text claims
release:prepareupdates the timestamp automatically, which contradicts the PR's "fixedoutputTimestampmodel" and the literal value inpom.xml. The property should be described as holding a fixed value that is only changed manually when needed.Suggested rewrite:
-`release:prepare` updates `project.build.outputTimestamp` to the current UTC instant -automatically before committing the release POM, so released artifacts carry the exact -timestamp of the release commit. -Between releases the property holds a fixed timestamp — the last release's instant, or the -initial project creation date before the first release — ensuring that `./mvnw verify` is -reproducible regardless of when the build runs. +`project.build.outputTimestamp` is set to a fixed timestamp in `pom.xml` +(the initial project creation date or the last manually updated value). +This ensures that `./mvnw verify` produces byte-for-byte reproducible artifacts +regardless of when the build runs. +The timestamp is only changed manually when a new reproducibility baseline is desired.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/site/asciidoc/releasing.adoc` around lines 146 - 152, Rewrite the reproducible-builds section in releasing.adoc to describe the fixed outputTimestamp model instead of saying release:prepare updates it automatically. Update the explanation around project.build.outputTimestamp to say it stays at a fixed value between releases, is only changed manually when needed, and that release:prepare uses the existing timestamp value rather than mutating it. Use the surrounding release preparation and verify/reproducible-builds text to keep the wording consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/site/asciidoc/releasing.adoc`:
- Around line 67-69: Remove the claim in the release documentation that
`release:prepare` updates `project.build.outputTimestamp`; in the
`releasing.adoc` description of `release:prepare`, delete the parenthetical
about updating the timestamp and keep the rest of the workflow description
unchanged. Reference the `release:prepare` paragraph in `releasing.adoc` so the
fixed `outputTimestamp` model remains accurately documented.
---
Outside diff comments:
In `@src/site/asciidoc/releasing.adoc`:
- Around line 146-152: Rewrite the reproducible-builds section in releasing.adoc
to describe the fixed outputTimestamp model instead of saying release:prepare
updates it automatically. Update the explanation around
project.build.outputTimestamp to say it stays at a fixed value between releases,
is only changed manually when needed, and that release:prepare uses the existing
timestamp value rather than mutating it. Use the surrounding release preparation
and verify/reproducible-builds text to keep the wording consistent.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 7634b0f0-be8f-40cd-904c-0f13ded102fa
📒 Files selected for processing (5)
.github/actions/jdk-setup/action.yml.github/workflows/deploy-snapshot.yml.github/workflows/release.ymlREADME.adocsrc/site/asciidoc/releasing.adoc
What
release.yml) — triggers onv*tags (maven-release-plugin), runs in areleaseenvironment, and deploys-Prelease(GPG-signed) to Maven Central. Adds GPG + Central-credential inputs to thejdk-setupcomposite action so the release job can authenticate and sign. Includes README + Releasing-guide doc updates.deploy-snapshot.yml— collapse the redundantjdk-setup+setup-javapair into a singlejdk-setupcall.deploy-snapshot.yml—permissions: contents: read, asnapshot-deployconcurrency group, pinnedref: head_shacheckout, andpersist-credentials: false.source:jar-no-forkis intentionally omitted —packaging: maven-archetypehas no Java sources and Central doesn't require a sources jar for archetypes.Before the first release
Add repo secrets
GPG_PRIVATE_KEYandGPG_PASSPHRASE(theCENTRAL_*pair already exists for snapshot deploys) and create areleaseenvironment. Full setup is in the Releasing guide updated in this PR.🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Bug Fixes
Documentation