Update Sonatype publishing to use OSSRH Staging Repository

ethan-wrasman-pkware · ethan-wrasman-pkware · commit 3353279d1e1d · 2025-08-28T12:39:09.000-05:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,48 @@
+name: Publish to Maven Central
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          java-version: 11
+          distribution: 'temurin'
+
+      - name: Publish to Maven Central
+        run: ./gradlew publish
+        env:
+          ORG_GRADLE_PROJECT_NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
+          ORG_GRADLE_PROJECT_NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
+          ORG_GRADLE_PROJECT_SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
+          ORG_GRADLE_PROJECT_SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+          ORG_GRADLE_PROJECT_SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+
+      - name: Check version
+        id: version
+        run: |
+          version=$(grep "detektExtensionVersion" gradle.properties | cut -d'=' -f2 | tr -d ' ')
+          if [[ "$version" != *"SNAPSHOT"* ]]; then
+            echo "is_release=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_release=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Notify Central Publisher Portal
+        if: steps.version.outputs.is_release == 'true'
+        run: |
+          token=$(echo -n "${{ secrets.NEXUS_USERNAME }}:${{ secrets.NEXUS_PASSWORD }}" | base64)
+          curl -X POST \
+            --max-time 30 \
+            --fail-with-body \
+            -H "Authorization: Bearer $token" \
+            "https://ossrh-staging-api.central.sonatype.com/manual/upload/defaultRepository/com.pkware.detekt?publishing_type=automatic"
diff --git a/README.md b/README.md
@@ -63,11 +63,8 @@ line.
 6. Merge the release PR after approval, tag the commit on the main branch with
 `git tag -a X.Y.Z -m "X.Y.Z"`(X.Y.Z is the new version).
 7. Run `git push --tags`.
-8. Run `./gradlew publish` in the terminal or command line.
-9. Visit [Sonatype Nexus](https://oss.sonatype.org/) and promote the artifact.
-10. Update `gradle.properties` to the next SNAPSHOT version.
-11. Run `git commit -am "Prepare next development version."`
-12. Make a PR with your changes.
-13. Merge the next version PR after approval.
-
-If step 8 or 9 fails, drop the Sonatype repo, fix the problem, commit, and start again at step 8.
+8. Visit [Sonatype Nexus](https://central.sonatype.com/) and promote the artifact.
+9. Update `gradle.properties` to the next SNAPSHOT version.
+10. Run `git commit -am "Prepare next development version."`
+11. Make a PR with your changes.
+12. Merge the next version PR after approval.
diff --git a/import-extension/build.gradle.kts b/import-extension/build.gradle.kts
@@ -75,6 +75,7 @@ publishing {
     }
     repositories {
         maven {
+            name = "MavenCentral"
             url = uri(if (version.toString().isReleaseBuild) releaseRepositoryUrl else snapshotRepositoryUrl)
             credentials {
                 username = repositoryUsername
@@ -85,8 +86,15 @@ publishing {
 }
 
 signing {
-    // Signing credentials are stored locally in the user's global gradle.properties file.
+    // Signing credentials are stored as secrets in GitHub.
     // See https://docs.gradle.org/current/userguide/signing_plugin.html#sec:signatory_credentials for more information.
+
+    useInMemoryPgpKeys(
+        signingKeyId, // ID of the GPG key
+        signingKey, // GPG key
+        signingPassword, // Password for the GPG key
+    )
+
     sign(publishing.publications["mavenJava"])
 }
 
@@ -97,14 +105,14 @@ val Project.releaseRepositoryUrl: String
     get() =
         properties.getOrDefault(
             "RELEASE_REPOSITORY_URL",
-            "https://oss.sonatype.org/service/local/staging/deploy/maven2",
+            "https://ossrh-staging-api.central.sonatype.com/service/local/staging/deploy/maven2",
         ).toString()
 
 val Project.snapshotRepositoryUrl: String
     get() =
         properties.getOrDefault(
             "SNAPSHOT_REPOSITORY_URL",
-            "https://oss.sonatype.org/content/repositories/snapshots",
+            "https://central.sonatype.com/repository/maven-snapshots/",
         ).toString()
 
 val Project.repositoryUsername: String
@@ -113,6 +121,15 @@ val Project.repositoryUsername: String
 val Project.repositoryPassword: String
     get() = properties.getOrDefault("NEXUS_PASSWORD", "").toString()
 
+val Project.signingKeyId: String
+    get() = properties.getOrDefault("SIGNING_KEY_ID", "").toString()
+
+val Project.signingKey: String
+    get() = properties.getOrDefault("SIGNING_KEY", "").toString()
+
+val Project.signingPassword: String
+    get() = properties.getOrDefault("SIGNING_PASSWORD", "").toString()
+
 val Project.pomPackaging: String
     get() = properties.getOrDefault("POM_PACKAGING", "jar").toString()
 
