diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
index 5313ac7c2..6c8824031 100644
--- a/.github/workflows/create-release.yaml
+++ b/.github/workflows/create-release.yaml
@@ -16,7 +16,7 @@ jobs:
env:
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
run: |
- ./decrypt_secret.sh
+ ./tools/decrypt_secret.sh
- name: Deploy
env:
OKTA_DUMMY_CI_PW: ${{ secrets.OKTA_DUMMY_CI_PW }}
@@ -25,8 +25,12 @@ jobs:
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
run: |
export GPG_TTY=$(tty)
+ source ./passphrase.env # load $MAVEN_GPG_PASSHRASE for maven-gpg-plugin
mvn -DskipTests clean package
- mvn -s settings.xml deploy
+ mvn -s settings.xml \
+ -Dcentral-publishing.autoPublish=true \
+ -Dcentral-publishing.waitUntil=published \
+ deploy
- name: Archive artifacts
uses: actions/upload-artifact@v4
with:
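Review bot: The passphrase loaded by `source ./passphrase.env` is not a secrets-context value, so the Actions log will not mask it if Maven or a shell trace ever prints it; add `echo "::add-mask::${MAVEN_GPG_PASSPHRASE}"` immediately after the `source` line so the runner redacts it like the `secrets.*` values above. The inline comment names `$MAVEN_GPG_PASSHRASE`, which looks like a typo for `MAVEN_GPG_PASSPHRASE`, the variable maven-gpg-plugin 3.2.x reads — worth correcting so the next reader does not search for a variable that does not exist. The Deploy step's `env:` block begins above this hunk.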
diff --git a/pom.xml b/pom.xml
index 4a795f20b..15c3682f2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -39,17 +39,6 @@
5.3.0
-
-
- ossrh
- https://s01.oss.sonatype.org/content/repositories/snapshots/
-
-
- ossrh
- https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/
-
-
-
UTF-8
UTF-8
@@ -366,7 +355,7 @@
org.apache.maven.plugins
maven-gpg-plugin
- 1.6
+ 3.2.8
sign-artifacts
@@ -375,9 +364,9 @@
sign
+
true
- ${gpg.keyname}
- ${gpg.keyname}
+ true
--batch
--pinentry-mode
@@ -395,6 +384,10 @@
maven-install-plugin
3.0.0-M1
+
+
+
+
maven-deploy-plugin
3.0.0-M1
@@ -402,26 +395,22 @@
true
+
- org.sonatype.plugins
- nexus-staging-maven-plugin
- 1.6.13
+ org.sonatype.central
+ central-publishing-maven-plugin
+ 0.8.0
true
-
-
- default-deploy
- deploy
-
- deploy
-
-
-
- ossrh
- https://s01.oss.sonatype.org
- true
+
+
+
+
+ ${central-publishing.autoPublish}
+ ${central-publishing.waitUntil}
+
maven-site-plugin
3.9.1
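Review bot: `${central-publishing.autoPublish}` and `${central-publishing.waitUntil}` are referenced in the plugin configuration, but no default for either appears anywhere in this diff; unless they are declared in `<properties>` outside these hunks, a plain `mvn deploy` run without the `-D` flags the workflow passes hands the literal placeholder text to central-publishing-maven-plugin. Declaring conservative defaults keeps a manual or local run from publishing by accident: `<central-publishing.autoPublish>false</central-publishing.autoPublish>` and `<central-publishing.waitUntil>validated</central-publishing.waitUntil>`. The XML element names are stripped in this rendering, so the exact placement of the configuration block is inferred from the surrounding values.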
@@ -458,8 +447,8 @@
maven-gpg-plugin
- org.sonatype.plugins
- nexus-staging-maven-plugin
+ org.sonatype.central
+ central-publishing-maven-plugin
diff --git a/secrets.tar.gpg b/secrets.tar.gpg
index 78ea9a529..26523a2f7 100644
Binary files a/secrets.tar.gpg and b/secrets.tar.gpg differ
diff --git a/decrypt_secret.sh b/tools/decrypt_secret.sh
similarity index 96%
rename from decrypt_secret.sh
rename to tools/decrypt_secret.sh
index c43ade4b5..672b524e0 100755
--- a/decrypt_secret.sh
+++ b/tools/decrypt_secret.sh
@@ -1,6 +1,7 @@
#!/usr/bin/env bash
set -euo pipefail
+# Options:
# --batch to prevent interactive command
# --yes to assume "yes" for questions
gpg --quiet --batch --yes --decrypt --passphrase="$GPG_PASSPHRASE" --output secrets.tar secrets.tar.gpg
diff --git a/tools/encrypt_secret.sh b/tools/encrypt_secret.sh
new file mode 100755
index 000000000..5451af882
--- /dev/null
+++ b/tools/encrypt_secret.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script generates a GPG-ecrypted tarball with our signing GPG key
+# and Maven Central Repository credentials.
+#
+# Make sure that key.gpg, settings.xml, and passphrase.env exist in the current directory.
+# Delete these files after the script has run. Only commit secrets.tar.gpg!
+
+rm -f secrets.tar &&
+ tar --no-xattrs -czf secrets.tar key.gpg settings.xml passphrase.env
+
+rm -f secrets.tar.gpg &&
+ gpg --batch --symmetric \
+ --passphrase "$GPG_PASSPHRASE" \
+ --output secrets.tar.gpg \
+ secrets.tar
+
+rm -f secrets.tar
+
+echo "Tarball secrets.tar.gpg generated successfully."
+echo "Remember to delete the plaintext files. Only commit secrets.tar.gpg to source control!"
+echo
+echo " \$ git add secrets.tar.gpg && git commit -m 'ci: update secrets.tar.gpg'"
+echo " \$ rm key.gpg settings.xml passphrase.env"
+echo
+
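Review bot: `rm -f secrets.tar.gpg` on the line before the gpg call runs before `$GPG_PASSPHRASE` is expanded, so with `set -u` an unset passphrase deletes the committed secrets.tar.gpg from the working tree and then aborts; and if gpg fails for any reason, `set -e` exits before the final `rm -f secrets.tar`, leaving the plaintext tarball containing the signing key on disk. Passing the passphrase as `--passphrase "$GPG_PASSPHRASE"` also exposes it in the process list on the workstation this script is meant to run on; `--passphrase-fd` avoids that (tools/decrypt_secret.sh uses the same pattern, which matters less on an ephemeral runner). The rewrite below validates the passphrase and input files before touching anything, removes the plaintext tarball on every exit path via `trap`, and writes the ciphertext to a temporary name that is only moved into place on success. The header comment's "GPG-ecrypted" is a typo for "GPG-encrypted".
```shell
set -euo pipefail
# … unchanged: header comment …

# Fail before any file is touched if the passphrase or an input is missing.
: "${GPG_PASSPHRASE:?GPG_PASSPHRASE must be set in the environment}"
for f in key.gpg settings.xml passphrase.env; do
  [[ -f "$f" ]] || { echo "missing input file: $f" >&2; exit 1; }
done

# Never leave the plaintext tarball (or a partial ciphertext) behind, even on failure.
trap 'rm -f secrets.tar secrets.tar.gpg.tmp' EXIT

tar --no-xattrs -czf secrets.tar key.gpg settings.xml passphrase.env

# Feed the passphrase on a file descriptor so it does not appear in `ps` output.
gpg --batch --symmetric \
  --pinentry-mode loopback --passphrase-fd 3 \
  --output secrets.tar.gpg.tmp \
  secrets.tar 3<<<"$GPG_PASSPHRASE"
mv secrets.tar.gpg.tmp secrets.tar.gpg

# … unchanged: success messages …
```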