chore(internal): support uploading Maven repo artifacts to stainless package server

stainless-app[bot] · stainless-app[bot] · commit da510920d18b · 2026-01-12T23:03:57.000Z
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -40,6 +40,9 @@ jobs:
   build:
     timeout-minutes: 15
     name: build
+    permissions:
+      contents: read
+      id-token: write
     runs-on: ${{ github.repository == 'stainless-sdks/lithic-java' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
     if: github.event_name == 'push' || github.event.pull_request.head.repo.fork
 
@@ -61,6 +64,21 @@ jobs:
       - name: Build SDK
         run: ./scripts/build
 
+      - name: Get GitHub OIDC Token
+        if: github.repository == 'stainless-sdks/lithic-java'
+        id: github-oidc
+        uses: actions/github-script@v6
+        with:
+          script: core.setOutput('github_token', await core.getIDToken());
+
+      - name: Build and upload Maven artifacts
+        if: github.repository == 'stainless-sdks/lithic-java'
+        env:
+          URL: https://pkg.stainless.com/s
+          AUTH: ${{ steps.github-oidc.outputs.github_token }}
+          SHA: ${{ github.sha }}
+          PROJECT: lithic-java
+        run: ./scripts/upload-artifacts
   test:
     timeout-minutes: 15
     name: test
diff --git a/buildSrc/src/main/kotlin/lithic.publish.gradle.kts b/buildSrc/src/main/kotlin/lithic.publish.gradle.kts
@@ -7,6 +7,17 @@ plugins {
     id("com.vanniktech.maven.publish")
 }
 
+publishing {
+  repositories {
+      if (project.hasProperty("publishLocal")) {
+          maven {
+              name = "LocalFileSystem"
+              url = uri("${rootProject.layout.buildDirectory.get()}/local-maven-repo")
+          }
+      }
+  }
+}
+
 repositories {
     gradlePluginPortal()
     mavenCentral()
@@ -17,8 +28,10 @@ extra["signingInMemoryKeyId"] = System.getenv("GPG_SIGNING_KEY_ID")
 extra["signingInMemoryKeyPassword"] = System.getenv("GPG_SIGNING_PASSWORD")
 
 configure<MavenPublishBaseExtension> {
-    signAllPublications()
-    publishToMavenCentral(SonatypeHost.CENTRAL_PORTAL)
+    if (!project.hasProperty("publishLocal")) {
+        signAllPublications()
+        publishToMavenCentral(SonatypeHost.CENTRAL_PORTAL)
+    }
 
     coordinates(project.group.toString(), project.name, project.version.toString())
     configure(
diff --git a/scripts/upload-artifacts b/scripts/upload-artifacts
@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# ANSI Color Codes
+GREEN='\033[32m'
+RED='\033[31m'
+NC='\033[0m' # No Color
+
+log_error() {
+    local msg="$1"
+    local headers="$2"
+    local body="$3"
+    echo -e "${RED}${msg}${NC}"
+    [[ -f "$headers" ]] && echo -e "${RED}Headers:$(cat "$headers")${NC}"
+    echo -e "${RED}Body: ${body}${NC}"
+    exit 1
+}
+
+upload_file() {
+    local file_name="$1"
+    local tmp_headers
+    tmp_headers=$(mktemp)
+
+    if [ -f "$file_name" ]; then
+        echo -e "${GREEN}Processing file: $file_name${NC}"
+        pkg_file_name="mvn${file_name#./build/local-maven-repo}"
+
+        # Get signed URL for uploading artifact file
+        signed_url_response=$(curl -X POST -G "$URL" \
+            -sS --retry 5 \
+            -D "$tmp_headers" \
+            --data-urlencode "filename=$pkg_file_name" \
+            -H "Authorization: Bearer $AUTH" \
+            -H "Content-Type: application/json")
+
+        # Validate JSON and extract URL
+        if ! signed_url=$(echo "$signed_url_response" | jq -e -r '.url' 2>/dev/null) || [[ "$signed_url" == "null" ]]; then
+            log_error "Failed to get valid signed URL" "$tmp_headers" "$signed_url_response"
+        fi
+
+        # Set content-type based on file extension
+        local extension="${file_name##*.}"
+        local content_type
+        case "$extension" in
+            jar)                    content_type="application/java-archive" ;;
+            md5|sha1|sha256|sha512) content_type="text/plain" ;;
+            module)                 content_type="application/json" ;;
+            pom|xml)                content_type="application/xml" ;;
+            *)                      content_type="application/octet-stream" ;;
+        esac
+
+        # Upload file
+        upload_response=$(curl -v -X PUT \
+            --retry 5 \
+            -D "$tmp_headers" \
+            -H "Content-Type: $content_type" \
+            --data-binary "@${file_name}" "$signed_url" 2>&1)
+
+        if ! echo "$upload_response" | grep -q "HTTP/[0-9.]* 200"; then
+            log_error "Failed upload artifact file" "$tmp_headers" "$upload_response"
+        fi
+
+        # Insert small throttle to reduce rate limiting risk
+        sleep 0.1
+    fi
+}
+
+walk_tree() {
+    local current_dir="$1"
+
+    for entry in "$current_dir"/*; do
+        # Check that entry is valid
+        [ -e "$entry" ] || [ -h "$entry" ] || continue
+
+        if [ -d "$entry" ]; then
+            walk_tree "$entry"
+        else
+            upload_file "$entry"
+        fi
+    done
+}
+
+cd "$(dirname "$0")/.."
+
+echo "::group::Creating local Maven content"
+./gradlew publishMavenPublicationToLocalFileSystemRepository -PpublishLocal
+echo "::endgroup::"
+
+echo "::group::Uploading to pkg.stainless.com"
+walk_tree "./build/local-maven-repo"
+echo "::endgroup::"
+
+echo "::group::Generating instructions"
+echo "Configure maven or gradle to use the repo located at 'https://pkg.stainless.com/s/${PROJECT}/${SHA}/mvn'"
+echo "::endgroup::"
