chore!: clean up pom, add dev docs

Signed-off-by: Josef Andersson <josef.andersson@digg.se>

Author: janderssonse

.github/workflows/openssf-scorecard.yml

@@ -6,10 +6,10 @@
 name: OpenSSF Scorecard Analysis
 on:
   schedule:
-    # Saturdays at 01:40 UTC
-    - cron: "40 1 * * 6"
-    # Wednesdays at 01:40 UTC
-    - cron: "40 1 * * 3"
+    # Saturdays at 01:50 UTC
+    - cron: "50 1 * * 6"
+    # Wednesdays at 01:50 UTC
+    - cron: "50 1 * * 3"
   workflow_dispatch:
 
 permissions:

docs/DEVELOPMENT.md

@@ -0,0 +1,185 @@
+# Development Guide
+
+This guide outlines core essentials for developing in this project.
+
+## Table of Contents
+- [Setup and Configuration](#setup-and-configuration)
+  - [IDE Setup](#ide-setup)
+  - [Consuming SNAPSHOTS](#consuming-snapshots-from-maven-central)
+- [Development Workflow](#development-workflow)
+  - [Testing and Verification](#testing-format-and-lint)
+  - [Documentation](#documentation)
+  - [Pull Request Process](#pull-request-workflow)
+- [Release Process](#the-release-workflow)
+  - [CI Release](#ci-release-process)
+  - [Local Release](#local-release-process)
+  - [Troubleshooting](#troubleshooting)
+
+## Setup and Configuration
+
+### IDE Setup
+
+#### VSCode
+
+1. Install [Checkstyle For Java](https://marketplace.visualstudio.com/items?itemName=shengchen.vscode-checkstyle)
+2. Open workspace settings - settings.json (for example with Ctrl+Shift+P → Preferences: Workspace Settings (JSON)) and add:
+   ```json
+   "[java]": {
+       "editor.defaultFormatter": "redhat.java",
+   },
+   "java.format.settings.url": "development/format/eclipse-java-google-style.xml",
+   "java.format.settings.profile": "GoogleStyle",
+   "editor.formatOnSave": true,
+   "java.checkstyle.configuration": "development/lint/google_checks.xml",
+   "java.checkstyle.version": "1x.xx.x"
+   ```
+
+#### IntelliJ
+
+1. **Code Style**
+   - Settings → `Editor → Code Style → Java`
+   - Click gear → `Import Scheme → Eclipse XML Profile`
+   - Select `development/format/eclipse-java-google-style.xml`
+
+2. **Checkstyle**
+   - Install "CheckStyle-IDEA" plugin
+   - Settings → `Tools → Checkstyle`
+   - Click the built-in Google Style Check
+
+### Consuming SNAPSHOTS from Maven Central
+
+Configure your pom.xml with:
+
+```xml
+<repositories>
+  <repository>
+    <name>Central Portal Snapshots</name>
+    <id>central-portal-snapshots</id>
+    <url>https://central.sonatype.com/repository/maven-snapshots/</url>
+    <releases>
+      <enabled>false</enabled>
+    </releases>
+    <snapshots>
+      <enabled>true</enabled>
+    </snapshots>
+  </repository>
+</repositories>
+```
+
+## Development Workflow
+
+### Testing, Format and Lint
+
+Run Maven verification:
+```shell
+mvn clean verify
+```
+
+### Documentation
+
+Generate Javadocs:
+```shell
+mvn javadoc:javadoc
+```
+
+View documentation in your browser:
+```shell
+<browser> target/reports/apidocs/index.html
+```
+
+### Pull Request Workflow
+
+When submitting a PR, CI will automatically run several checks. To avoid surprises, run these checks locally first.
+
+#### Prerequisites
+- [Podman](https://podman.io/)
+
+#### Running Code Quality Checks Locally
+
+1. Run the quality check script:
+   ```shell
+   ./development/code_quality.sh
+   ```
+2. Fix any identified issues
+3. Update your PR with fixes
+4. Verify CI passes in the updated PR
+
+#### Quality Check Details
+
+- **Linting with megalinter**: BASH, Markdown, YAML, GitHub Actions, security scanning
+- **License Compliance**: REUSE tool ensures proper copyright information
+- **Commit Structure**: Conform checks commit messages for changelog generation
+- **Dependency Analysis**: Scans for vulnerabilities, outdated packages, and license issues
+- **OpenSSF Scorecard**: Validates security best practices
+
+#### Handling Failed Checks
+
+If any checks fail in the CI pipeline:
+
+1. Review the CI error logs
+2. Run checks locally to reproduce the issues
+3. Make necessary fixes in your local environment
+4. Update your Pull Request
+5. Verify all checks pass in the updated PR
+
+## The Release Workflow
+
+Releases to Maven Central can be done via CI or locally.
+
+### Prerequisites
+
+1. **For CI releases**:
+   - Push access to the repository (ability to push tags)
+   - For production releases: Your GitHub username in AUTHORIZED_RELEASE_DEVELOPERS list
+   - For SNAPSHOT releases: Any contributor with tag push access
+
+2. **For local releases only**:
+   - Valid GPG key pair for signing artifacts
+   - GPG key uploaded to key servers (e.g., `keyserver.ubuntu.com`)
+   - Maven Central credentials in settings.xml
+
+### CI Release Process
+
+1. **For SNAPSHOT releases**:
+   ```shell
+   # Tag with -SNAPSHOT suffix (use -f to force if tag already exists)
+   git tag -sf v0.0.1-SNAPSHOT -m 'v0.0.1-SNAPSHOT'
+   # Push the tag to trigger the CI workflow (use -f to force update on remote)
+   git push -f origin tag v0.0.1-SNAPSHOT
+   ```
+
+   > **NOTE**: Always use the same SNAPSHOT tag version until ready for a production release.
+
+2. **For Production releases**:
+   ```shell
+   # Tag with the desired version (no SNAPSHOT suffix)
+   git tag -s v1.0.0 -m 'v1.0.0'
+   # Push the tag to trigger the CI workflow
+   git push origin tag v1.0.0
+   ```
+
+   > **NOTE**: The tag version will be used in the POM file.
+
+3. **Monitor the workflow** in GitHub Actions to ensure successful completion.
+
+   > **NOTE**: If the workflow fails due to authorization issues, contact the repository administrator to add your GitHub username to the AUTHORIZED_RELEASE_DEVELOPERS list.
+
+### Local Release Process
+
+1. **Configure settings.xml**:
+   - Ensure `.mvn/settings.xml` contains your Maven Central username and token
+   - Verify credentials are in the correct server section with the proper server ID
+   - Make sure your GPG key is available in your environment
+
+2. **Run the deploy command**:
+   ```shell
+   mvn deploy --settings .mvn/settings.xml -Pcentral-release
+   ```
+
+3. **Verify the release** in your Sonatype account or Maven Central.
+
+### Troubleshooting
+
+- For CI failures: Check GitHub Actions logs for detailed error information
+- For authorization issues: Verify your GitHub username is in AUTHORIZED_RELEASE_DEVELOPERS
+- For GPG problems: Ensure your key is correctly configured in your environment

pom.xml

@@ -12,42 +12,57 @@ SPDX-License-Identifier: EUPL-1.2
   <modelVersion>4.0.0</modelVersion>
 
   <groupId>se.digg.crypto</groupId>
-  <artifactId>hash-to-curve</artifactId>
+  <artifactId>hash2curve</artifactId>
   <version>0.0.1-SNAPSHOT</version>
 
-  <name>DIGG Crypto :: Hash2Curve</name>
+  <name>Hash2Curve Java Library</name>
   <description>Implementation of Hash2Curve and Hash2Scalar in accordance with RFC 9380</description>
+  <url>https://github.com/diggsweden/hash2curve-lib-java</url>
 
   <organization>
     <name>Myndigheten för Digital Förvaltning</name>
     <url>https://www.digg.se</url>
   </organization>
 
-  <developers>
-    <developer>
-      <name>Stefan Santesson</name>
-      <email>stefan@aaa-sec.com</email>
-    </developer>
-  </developers>
+  <licenses>
+    <license>
+      <name>European Union Public License 1.2</name>
+      <url>https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12</url>
+      <distribution>repo</distribution>
+    </license>
+  </licenses>
+
+  <scm>
+    <connection>scm:git:https://github.com/diggsweden/hash2curve-lib-java.git</connection>
+    <developerConnection>scm:git:git@github.com:diggsweden/hash2curve-lib-java.git</developerConnection>
+    <url>https://github.com/diggsweden/hash2curve-lib-java</url>
+  </scm>
+
 
   <properties>
-    <java.version>21</java.version>
+    <!-- Project settings -->
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-
-    <slf4j.version>2.0.17</slf4j.version>
-    <bouncycastle.version>1.82</bouncycastle.version>
-
+    <java.version>21</java.version>
     <maven.compiler.source>${java.version}</maven.compiler.source>
     <maven.compiler.target>${java.version}</maven.compiler.target>
     <maven.compiler.release>${java.version}</maven.compiler.release>
-    <maven-deploy-plugin.version>3.1.3</maven-deploy-plugin.version>
-    <maven.source.plugin.version>3.3.1</maven.source.plugin.version>
+
+    <!-- Dependency versions -->
+    <bouncycastle.version>1.82</bouncycastle.version>
+    <jackson.version>2.20.0</jackson.version>
+    <junit.version>5.14.0</junit.version>
+    <lombok.version>1.18.42</lombok.version>
+    <slf4j.version>2.0.17</slf4j.version>
+
+    <!-- Maven plugin versions -->
+    <central-publishing.version>0.9.0</central-publishing.version>
     <maven.compiler.plugin.version>3.14.1</maven.compiler.plugin.version>
-    <!-- Plugin versions -->
-    <maven.javadoc.plugin.version>3.12.0</maven.javadoc.plugin.version>
+    <maven-deploy-plugin.version>3.1.3</maven-deploy-plugin.version>
+    <maven-enforcer-plugin.version>3.6.2</maven-enforcer-plugin.version>
     <maven.gpg.plugin.version>3.2.8</maven.gpg.plugin.version>
-    
+    <maven.javadoc.plugin.version>3.12.0</maven.javadoc.plugin.version>
+    <maven.source.plugin.version>3.3.1</maven.source.plugin.version>
   </properties>
 
   <dependencyManagement>
@@ -81,7 +96,7 @@ SPDX-License-Identifier: EUPL-1.2
     <dependency>
       <groupId>org.projectlombok</groupId>
       <artifactId>lombok</artifactId>
-      <version>1.18.42</version>
+      <version>${lombok.version}</version>
     </dependency>
 
     <dependency>
@@ -93,7 +108,7 @@ SPDX-License-Identifier: EUPL-1.2
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter</artifactId>
       <scope>test</scope>
-      <version>5.14.0</version>
+      <version>${junit.version}</version>
     </dependency>
 
     <dependency>
@@ -104,26 +119,53 @@ SPDX-License-Identifier: EUPL-1.2
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-simple</artifactId>
-      <version>2.0.17</version>
+      <version>${slf4j.version}</version>
       <scope>test</scope>
     </dependency>
 
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>2.20.0</version>
+      <version>${jackson.version}</version>
       <scope>test</scope>
     </dependency>
 
   </dependencies>
 
   <build>
     <plugins>
+      <!-- Enforcer -->
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-enforcer-plugin</artifactId>
+        <version>${maven-enforcer-plugin.version}</version>
+        <executions>
+          <execution>
+            <id>enforce-rules</id>
+            <goals>
+              <goal>enforce</goal>
+            </goals>
+            <configuration>
+              <rules>
+                <requireMavenVersion>
+                  <version>[3.8.0,)</version>
+                </requireMavenVersion>
+                <requireJavaVersion>
+                  <version>[21,)</version>
+                </requireJavaVersion>
+                <dependencyConvergence/>
+                <requireUpperBoundDeps/>
+              </rules>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
       <!-- Deployment -->
       <plugin>
         <groupId>org.sonatype.central</groupId>
         <artifactId>central-publishing-maven-plugin</artifactId>
-        <version>0.9.0</version>
+        <version>${central-publishing.version}</version>
         <extensions>true</extensions>
         <configuration>
           <checksums>all</checksums>
@@ -174,7 +216,7 @@ SPDX-License-Identifier: EUPL-1.2
             <version>${maven.javadoc.plugin.version}</version>
             <configuration>
               <source>${java.version}</source>
-              <bottom>hash-to-curve for Java documentation, generated in {currentYear}.</bottom>
+              <bottom>Hash2Curve Java Library documentation, generated in {currentYear}.</bottom>
             </configuration>
             <executions>
               <execution>