Automatic publishing of Maven artifacts.

[headius]

Maven artifacts should be automatically published in the same way as the other release packages (gem, npm, crate). However there are some open questions about how to do this:

• Whose auth information should be used to push to the org.ruby-lang namespace on Central? I have been using mine for manual builds. I believe only @hsbt and I have access currently.
• What GPG key should be used to sign the artifacts and how should that be managed? Maven Central requires all artifacts to be digitally signed. Again, I have just been using my own key for releases thusfar.

[kddnewton]

Does maven have trusted publishing? If they do, then this isn't a problem (my auth information isn't used for rubygems/npm/cargo), it's trusted through github.

[headius]

@kddnewton Not that I have seen. I'll do some research.

[headius]

@kddnewton There does not appear to be any support for trusted publishing to Maven Central.

[eregon]

Isn't https://central.sonatype.org/publish/publish-portal-maven/ or https://central.sonatype.org/publish/publish-portal-api/ trusted publishing for Maven Central?
I have never used those but it sounds like it's made for publishing automatically from CI.
It might not quite be trusted publishing but probably close enough?

[headius]

Those both still require a user's credentials and gpg key for signing, so it's not really much different than running the deploy from a command line.