feat: add publish maven central repo workflow

luizfiliperm · luizfiliperm · commit 7d5786dc449a · 2025-06-10T15:32:38.000-03:00
diff --git a/.github/workflows/publish_maven_central_repo.yml b/.github/workflows/publish_maven_central_repo.yml
@@ -0,0 +1,76 @@
+name: publish_maven_central_repo.yml
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - id: install-secret-key
+        name: Install gpg secret key
+        run: |
+          cat <(echo -e "${{ secrets.GPG_PRIVATE_KEY }}") | gpg --batch --import
+
+      - name: Set up Maven Central Repository
+        uses: actions/setup-java@v4
+        with:
+          java-version: '8'
+          distribution: 'temurin'
+          server-id: central
+          server-username: MAVEN_USERNAME
+          server-password: MAVEN_PASSWORD
+          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg-passphrase: MAVEN_GPG_PASSPHRASE
+
+      - name: Extract Maven Artifacts
+        id: maven_artifact
+        run: |
+          echo "version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT
+          echo "artifactId=$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout)" >> $GITHUB_OUTPUT
+
+      - name: Build Java Project
+        run: mvn clean package -ntp
+
+      - name: Publish package
+        run: |
+          mvn \
+          --no-transfer-progress \
+          --batch-mode \
+          -Dgpg.passphrase=${{ secrets.GPG_PASSPHRASE }} \
+          clean deploy -P release-sign-artifacts -e
+        env:
+          MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
+          MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Publish Java Artifacts to GitHub Release
+        run: |
+          cp pom.xml ${{ steps.maven_artifact.outputs.artifactId }}-${{ steps.maven_artifact.outputs.version }}.pom
+          gh release upload ${{github.event.release.tag_name}} "${{ steps.maven_artifact.outputs.artifactId }}-${{ steps.maven_artifact.outputs.version }}.pom"
+          for jar in target/*.jar; do
+            [ -e "$jar" ] || continue
+            gh release upload ${{github.event.release.tag_name}} "$jar"
+          done
+        env:
+          GITHUB_TOKEN: ${{ github.TOKEN }}
+
+      - name: GitHub Attestation for JAR files
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: "target/*.jar"
+
+      - name: GitHub Attestation for POM file
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: "pom.xml"
+          subject-name: "${{ steps.maven_artifact.outputs.artifactId }}-${{ steps.maven_artifact.outputs.version }}.pom"
