{"id":22427830,"url":"https://github.com/cometbid-sfi/test-gitaction-workflow","last_synced_at":"2026-04-29T08:01:47.153Z","repository":{"id":219952674,"uuid":"750386057","full_name":"cometbid-sfi/test-gitaction-workflow","owner":"cometbid-sfi","description":"Test github action workflow and publishing to maven central","archived":false,"fork":false,"pushed_at":"2024-05-24T18:01:05.000Z","size":87,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-27T06:45:04.336Z","etag":null,"topics":["artifacts","community","github-actions","gpg-encryption","java","learning","maven-central","open-source","pom","workflow"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cometbid-sfi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-30T14:49:52.000Z","updated_at":"2024-05-24T18:01:11.000Z","dependencies_parsed_at":"2024-01-30T15:40:17.256Z","dependency_job_id":"eca15908-a22d-4844-b647-46b42b58eb1f","html_url":"https://github.com/cometbid-sfi/test-gitaction-workflow","commit_stats":null,"previous_names":["cometbid-project/test-gitaction-workflow"],"tags_count":28,"template":false,"template_full_name":null,"purl":"pkg:github/cometbid-sfi/test-gitaction-workflow","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cometbid-sfi%2Ftest-gitaction-workflow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cometbid-sfi%2Ftest-gitaction-workflow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cometbid-sfi%2Ftest-gitaction-workflow/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cometbid-sfi%2Ftest-gitaction-workflow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cometbid-sfi","download_url":"https://codeload.github.com/cometbid-sfi/test-gitaction-workflow/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cometbid-sfi%2Ftest-gitaction-workflow/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32416146,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T06:29:02.080Z","status":"ssl_error","status_checked_at":"2026-04-29T06:29:00.631Z","response_time":110,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["artifacts","community","github-actions","gpg-encryption","java","learning","maven-central","open-source","pom","workflow"],"created_at":"2024-12-05T20:12:58.961Z","updated_at":"2026-04-29T08:01:47.137Z","avatar_url":"https://github.com/cometbid-sfi.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"This project is a template project, the first published **Cometbid.org** artifacts to Maven Central as an OSS project to kick-off our Contributions to the Java Open-Source Community.\n\nThe steps to accomplish this task are documented below.\n\n# How to publish Project's release artifacts to Maven Central\n\n## Informative POM\nThe first step is to choose a **groupId** that matches a domain that you own or, alternatively, the domain that is used for sharing your open source project.\n\nWe own `cometbid.org` domain name, so that was easy, and our projects will be mostly hosted over at GitHub, the following would all be valid groupIds:\n\n- `org.cometbid`\n- `org.cometbid.integration`\n- `org.cometbid.ut` (We choose this because this project belongs to our utility package - `ut`)\n- `com.github.cometbid-sfi`\n- `io.github.cometbid-sfi`\n  \nThe next thing to do is to make sure that your pom.xml file includes all of the required information:\n\n- licenses\n- developers\n- organization(optional)\n- SCM\n\n```\n\u003clicenses\u003e\n  \u003clicense\u003e\n    \u003cname\u003eMIT License\u003c/name\u003e\n      \u003curl\u003ehttp://www.opensource.org/licenses/mit-license.php\u003c/url\u003e\n      \u003cdistribution\u003erepo\u003c/distribution\u003e\n   \u003c/license\u003e\n\u003c/licenses\u003e\n\u003cdevelopers\u003e\n   \u003cdeveloper\u003e\n     \u003cname\u003eAdebowale Samuel\u003c/name\u003e\n     \u003cemail\u003esamuel.adebowale@cometbid.org\u003c/email\u003e\n     \u003curl\u003ehttps://www.cometbid.org/\u003c/url\u003e\n     \u003corganization\u003eThe Cometbid Software Foundation Inc.\u003c/organization\u003e\n     \u003corganizationUrl\u003ehttps://github.com/cometbid-project\u003c/organizationUrl\u003e\n   \u003c/developer\u003e\n\u003c/developers\u003e\n\u003corganization\u003e\n   \u003cname\u003eCometbid.Org\u003c/name\u003e\n   \u003curl\u003ehttps://www.cometbid.org/\u003c/url\u003e\n\u003c/organization\u003e\n\u003cscm\u003e\n  \u003cconnection\u003escm:git:git://github.com/cometbid-project/test-gitaction-workflow.git\u003c/connection\u003e\n  \u003cdeveloperConnection\u003escm:git:ssh://github.com/cometbid-project/test-gitaction-workflow.git\u003c/developerConnection\u003e\n  \u003curl\u003ehttps://github.com/cometbid-project/test-gitaction-workflow/tree/main\u003c/url\u003e\n\u003c/scm\u003e\n```\n\nOptional information section: github repo links\n\n```\n\u003cdistributionManagement\u003e\n  \u003crepository\u003e\n    \u003cid\u003egithub\u003c/id\u003e\n    \u003cname\u003eGitHub Apache Maven Packages\u003c/name\u003e\n    \u003curl\u003ehttps://maven.pkg.github.com/cometbid-project/test-gitaction-workflow\u003c/url\u003e\n  \u003c/repository\u003e\n\u003c/distributionManagement\u003e\n\n\u003cissueManagement\u003e\n  \u003csystem\u003egithub\u003c/system\u003e\n  \u003curl\u003ehttps://github.com/cometbid-project/test-gitaction-workflow/issues\u003c/url\u003e\n\u003c/issueManagement\u003e\n```\n\n## Include the plugins\n\nWhen publishing artifacts to Maven Central, you have to make sure your **source code** and **javadoc** are uploaded as well. You can achieve this by adding the following section to your `pom.xml`:\n\n```\n \u003cplugin\u003e\n   \u003cgroupId\u003eorg.apache.maven.plugins\u003c/groupId\u003e\n   \u003cartifactId\u003emaven-source-plugin\u003c/artifactId\u003e\n   \u003cversion\u003e3.3.0\u003c/version\u003e\n   \u003cexecutions\u003e\n     \u003cexecution\u003e\n       \u003cid\u003eattach-sources\u003c/id\u003e\n       \u003cgoals\u003e\n         \u003cgoal\u003ejar\u003c/goal\u003e\n       \u003c/goals\u003e\n     \u003c/execution\u003e\n   \u003c/executions\u003e\n\u003c/plugin\u003e\n\u003cplugin\u003e\n    \u003cgroupId\u003eorg.apache.maven.plugins\u003c/groupId\u003e\n    \u003cartifactId\u003emaven-javadoc-plugin\u003c/artifactId\u003e\n    \u003cversion\u003e3.6.3\u003c/version\u003e\n    \u003cexecutions\u003e\n      \u003cexecution\u003e\n         \u003cid\u003eattach-javadocs\u003c/id\u003e\n         \u003cgoals\u003e\n           \u003cgoal\u003ejar\u003c/goal\u003e\n         \u003c/goals\u003e\n      \u003c/execution\u003e\n  \u003c/executions\u003e\n  \u003cconfiguration\u003e\n     \u003cadditionalOptions\u003e\n       \u003cadditionalOption\u003e-Xdoclint:none\u003c/additionalOption\u003e\n     \u003c/additionalOptions\u003e\n  \u003c/configuration\u003e\n\u003c/plugin\u003e\n```\n\nYou need to sign your artifacts before releasing them to Maven central. \n\nFor example:\n```\n\u003cplugin\u003e\n   \u003cgroupId\u003eorg.apache.maven.plugins\u003c/groupId\u003e\n   \u003cartifactId\u003emaven-gpg-plugin\u003c/artifactId\u003e\n   \u003cversion\u003e3.1.0\u003c/version\u003e\n   \u003cexecutions\u003e\n      \u003cexecution\u003e\n        \u003cid\u003esign-artifacts\u003c/id\u003e\n        \u003cphase\u003everify\u003c/phase\u003e\n        \u003cgoals\u003e\n           \u003cgoal\u003esign\u003c/goal\u003e\n        \u003c/goals\u003e\n        \u003cconfiguration\u003e\n           \u003cgpgArguments\u003e\n               \u003carg\u003e--pinentry-mode\u003c/arg\u003e\n               \u003carg\u003eloopback\u003c/arg\u003e\n           \u003c/gpgArguments\u003e\n        \u003c/configuration\u003e\n      \u003c/execution\u003e\n  \u003c/executions\u003e\n\u003c/plugin\u003e\n```\n\n**NOTE**: the `pinentry-mode=loopback` is necessary to avoid GPG prompting manual entry of the GPG passphrase especially when running build on a remote agent like Github Actions!\n\n## Create a Sonatype JIRA account\nIn order to publish your artifact, you must have Sonatype JIRA account. To do so visit this link: https://central.sonatype.com  \n\nAfter successful registration, the following will be generated:\n```\n\u003cserver\u003e\n  \u003cid\u003ecentral\u003c/id\u003e\n  \u003cusername\u003esonatypeUser\u003c/username\u003e\n  \u003cpassword\u003everySecretPassword\u003c/password\u003e\n\u003c/server\u003e\n```\nCopy and keep in a safe place for later use, as those are login credentials needed to programmatically and remotely login \u0026 publish to Maven Central.\n\n**NOTE:** If you need to deploy your artifact through local builds, you should those your credentials to your ~/.m2/settings.xml file as well.\n\nIn our case, we will be using Github Actions to automate the build and publishing process, hence the credentials were added as environment variables on Github.\nThe [CI/CD With GitHub Actions](#CI/CD) section details how to do this and more.\n\n_Please notice that we kept the `ossrh` profile in the `pom.xml` as it was an old approach to publishing which has now been deprecated in favor of using all that is packaged under `central` profile_\n\n**There is a somewhat annoying part of the entire process, understandably so but nevertheless tiresome:**   \n\n_After registration with Sonatype, you will be required to supply your `groupId` especially if it's a registered domain name to verify that you actually own it_. \n\nFor further details, please visit the links below:  \nhttps://central.sonatype.org/faq/verify-ownership/#question  \nhttps://central.sonatype.org/faq/publisher-early-access/#answer  \nhttps://central.sonatype.org/faq/how-to-set-txt-record/  \nhttps://central.sonatype.org/faq/a-human/   \n\n\u003cdiv id=\"The-Challenge\"\u003e\u003c/div\u003e\n\n## The Challenging Part  \n\n- **After Registering the Namespace and setting TXT Record with Domain registrar as specified in the Docs.**    \n\n![Verification_pending](https://github.com/cometbid-sfi/test-gitaction-workflow/assets/20684020/17edbab7-f4cb-4e3f-b7ce-fc3a972d1bad)  \n\n- **Verifying that TXT Record was set correctly as specified in the Docs.**    \n\n![txt-setting-verified](https://github.com/cometbid-sfi/test-gitaction-workflow/assets/20684020/e73babe0-a81c-42dc-8166-0301bab1bec3)  \n\n- **I had to wait for another 24hours, while waiting sent a mail notification to _Sonatype Cental Support team_:**\ncentral-support@sonatype.com, with screenshots. And eventually, we got verified.  \n\n![Verified_domain](https://github.com/cometbid-sfi/test-gitaction-workflow/assets/20684020/65cda021-58f8-47a9-9171-82df3d29650b)  \n\n\n## Repository Setup\nFinally, you need to include the Sonatype snapshots/staging repositories in your pom.xml as follows:\n\n```\n\u003cplugin\u003e\n  \u003cgroupId\u003eorg.sonatype.central\u003c/groupId\u003e\n  \u003cartifactId\u003ecentral-publishing-maven-plugin\u003c/artifactId\u003e\n  \u003cversion\u003e0.3.0\u003c/version\u003e\n  \u003cextensions\u003etrue\u003c/extensions\u003e\n  \u003cconfiguration\u003e\n     \u003cpublishingServerId\u003ecentral\u003c/publishingServerId\u003e\n     \u003ctokenAuth\u003etrue\u003c/tokenAuth\u003e\n     \u003cautoPublish\u003etrue\u003c/autoPublish\u003e\n     \u003cwaitUntil\u003epublished\u003c/waitUntil\u003e\n     \u003coutputfilename\u003e${project.artifactId}-${project.version}.zip\u003c/outputfilename\u003e\n  \u003c/configuration\u003e\n\u003c/plugin\u003e\n\u003cplugin\u003e\n  \u003cgroupId\u003eorg.apache.maven.plugins\u003c/groupId\u003e\n  \u003cartifactId\u003emaven-release-plugin\u003c/artifactId\u003e\n  \u003cversion\u003e3.0.1\u003c/version\u003e\n  \u003cconfiguration\u003e\n       \u003cautoVersionSubmodules\u003etrue\u003c/autoVersionSubmodules\u003e\n       \u003cuseReleaseProfile\u003efalse\u003c/useReleaseProfile\u003e\n       \u003creleaseProfiles\u003erelease\u003c/releaseProfiles\u003e\n       \u003cgoals\u003edeploy\u003c/goals\u003e\n  \u003c/configuration\u003e                    \n  \u003cexecutions\u003e\n       \u003cexecution\u003e\n         \u003cid\u003edefault\u003c/id\u003e\n         \u003cgoals\u003e\n           \u003cgoal\u003eperform\u003c/goal\u003e\n         \u003c/goals\u003e  \n      \u003c/execution\u003e\n  \u003c/executions\u003e\n\u003c/plugin\u003e\n```\n\n### We highly recommend having a different Maven profile for this, especially as that came in handy when we had to switch from `ossrh` to `central` during our setup process.\nSo put all the above stated plugins between `\u003cplugins\u003e...\u003c/plugins\u003e` as shown below:\n\n```\n\u003cprofile\u003e\n    \u003cid\u003ecentral\u003c/id\u003e\n    \u003cbuild\u003e\n       \u003cplugins\u003e\n             .\n             .\n             .\n       \u003cplugins\u003e\n    \u003cbuild\u003e \n\u003cprofile\u003e\n```\n\nYou can then activate the profile and invariably the plugins during **maven build** using the below command:\n\n`mvn --batch-mode clean deploy -P central -DskipTests=true`\n\ntake note of the flag `-P central`, that's the jackpot😄!\n\n## GPG Setup\nYou’ll have to create and distribute a new GPG key, so start by downloading and installing GnuPG.\nFor a detailed tutoral on the setup process for generating and managing GPG Key pair(public/private key) visit this link\n[GnuPG Tutorial](https://www.devdungeon.com/content/gpg-tutorial).\n\nPreferably, you can follow [Sonatype Documentation](https://central.sonatype.org/publish/requirements/gpg/#generating-a-key-pair) to generate your keys, manage its expiration, and ultimately distribute the [public key to required keyservers](https://central.sonatype.org/publish/requirements/gpg/#distributing-your-public-key)!\n\nThe documentation detailed how to generate a keypair, extract the **public key** and distribute it, and how to extract the **private key** which you will need as Github secret.\n\nSome of the keyservers to which you should send your public keys include the following:\n\n- https://pgp.key-server.io/\n- https://keyserver.ubuntu.com/\n- https://pgp.mit.edu/\n- http://keys.gnupg.net/  \n\nIMPORTANT: make sure to remember your GPG passphrase/keep it somewhere safe!\n\nPlease skip the following section if you don’t intend on using GitHub Actions. To build and deploy your artifact to Maven Central repositories and perform the release process, just run:  \n\n`mvn --batch-mode clean deploy -Dgpg.passphrase=\"myPassphrase\" -P central -DskipTests=true`  \n\n`-DskipTests=true` flag will ensure you avoid running **Unit/Integration test** during the publishing phase.\n\n\u003cdiv id=\"CI/CD\"\u003e\u003c/div\u003e\n\n## CI/CD With GitHub Actions\nTo automate the build, deploy and publishing process, we highly recommend using **Github Actions** has it has some workflow actions that makes the process pretty easy.\n\nFirst of all, you need to extract your **GPG private key** from the **GPG Keypair** generated earlier. \nTo identify your GPG key and fetch its ID use this command `gpg --list-keys`; you can then export the ASCII-armored version of your private key by running.\n\n`gpg --output private.pgp --armor --export-secret-key MY_KEY_ID`\n\n**MY_KEY_ID** in our case, it was an _email address_, quite a good idea. You will be prompted for your passphrase, supply it and phiam, you'll have your **GPG private key** in a file named `private.pgp`.\n\nGo to `Settings` on your Github account home page, scroll down to the `Security` section, under `Secrets and variables` click on _Actions_ tab, and add the following key/value pairs:\n\n![GPG_KEYs](https://github.com/cometbid-sfi/test-gitaction-workflow/assets/20684020/ee3aa936-ca3c-4367-b0bb-6fa61c7b6dbe)\n\nFor GPG_PRIVATE_KEY, make sure to copy the entire content of `private.pgp` file generated.\n\n**Do remember this?**\n```\n\u003cserver\u003e\n  \u003cid\u003ecentral\u003c/id\u003e\n  \u003cusername\u003esonatypeUser\u003c/username\u003e\n  \u003cpassword\u003everySecretPassword\u003c/password\u003e\n\u003c/server\u003e\n```\n**Now is the time to use those credentials. Supply the secrets as shown below:**\n\n![Maven-central](https://github.com/cometbid-sfi/test-gitaction-workflow/assets/20684020/c13050ff-2346-42e9-94c1-8f531af5a3e9)\n\n**The final Github secrets variables should end up looking like this:**\n\n![Final output](https://github.com/cometbid-sfi/test-gitaction-workflow/assets/20684020/b6ec7349-a0f5-4dbc-811f-e7f4c021fb64)\n\n\nYou’re now ready to automate the entire build and deploy process with Github actions. Add the following `.github/workflows/release-to-maven-central.yml` file to your project. \nIt will take care of **building, signing, and deploying your artifact** to the Sonatype maven central repository every time you initiate a `new release` as against anytime you push to `main` branch.\n\n```\n# This workflow will build and Publish a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time\n# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven\n\n# This workflow uses actions that are not certified by GitHub.\n# They are provided by a third-party and are governed by\n# separate terms of service, privacy policy, and support\n# documentation.\n\nname: release-to-maven-central\non:\n  release:\n    types: [created]\n\njobs:\n  publish:\n    name: Build and Publish\n    runs-on: ubuntu-latest\n\n    steps:\n      - name: Checkout source code\n        uses: actions/checkout@v4\n\n      - name: Get the release version\n        id: get_version\n        run: echo \"VERSION=${GITHUB_REF/refs\\/tags\\/v/}\" \u003e\u003e $GITHUB_OUTPUT\n\n      - name: Set up Maven Central Repository\n        uses: actions/setup-java@v4\n        with:\n          distribution: \"adopt\"\n          java-version: \"17\"\n          server-id: central\n          server-username: MAVEN_USERNAME\n          server-password: MAVEN_CENTRAL_TOKEN\n          gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}\n          gpg-passphrase: MAVEN_GPG_PASSPHRASE\n\n      - name: Update package version\n        run: mvn versions:set -DnewVersion=${{ steps.get_version.outputs.VERSION }}\n\n      - name: Publish to Apache Maven Central\n        run: mvn --batch-mode clean deploy -P central -DskipTests=true\n        env:\n          MAVEN_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }}\n          MAVEN_CENTRAL_TOKEN: ${{ secrets.OSS_SONATYPE_PASSWORD }}\n          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}\n```\n\n## Release Process\nTo verify that the publishing process went well, simply login to the Sonatype account with your credentials and click the **deployments** tab:\n\n![Deployment-tab](https://github.com/cometbid-sfi/test-gitaction-workflow/assets/20684020/db82d453-6769-4bcd-b2b7-92ed5ec58c58)   \n\n\nOr \n#### Click the Browse link and search by `Component Namespace(org.cometbid.ut)`:  \n\n![search-and-found](https://github.com/cometbid-sfi/test-gitaction-workflow/assets/20684020/b99e0228-9320-4298-94c6-105a018975b3)  \n\n![overview-page](https://github.com/cometbid-sfi/test-gitaction-workflow/assets/20684020/d5cced9a-e63b-439c-82b0-1abdb31c6b6a)  \n\n\n## Final Thoughts\nThe process to deploy and release artifacts to Maven Central looks quite daunting, but worth the chase as many of these steps are one-time only and others are quick and easy to repeat every time you want to release a new library for the world to use!\n\nI wish and hope the process is more easy and simple in the future, atleast for now we can be rest assured we achieve the feat of publishing our projects for the World to use, and I look to the rewarding experience that comes with it.\n\nAny comments, contributions or suggestions can be addressed directly on issues you can open on this Repository as we hope to improve this process from time to time as required.\n\nThanks! 👍 ㊗️\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcometbid-sfi%2Ftest-gitaction-workflow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcometbid-sfi%2Ftest-gitaction-workflow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcometbid-sfi%2Ftest-gitaction-workflow/lists"}