Release to maven central #9

Merged: 9 commits, Apr 15, 2023

aalmiray
Contributor

@aalmiray aalmiray commented Aug 3, 2022

This PR addresses #8. Please feel free to squash all commits.

Configures the pom with minimum required elements and behavior as per the Maven Central publication guidelines.
Release may be pushed by running the "Release" workflow from the GitHub Actions UI; you must supply the given release version as an input.

The following secrets must be configured in this repository:

  • GPG_PRIVATE_KEY
  • GPG_PASSPHRASE
  • SONATYPE_USERNAME
  • SONATYPE_PASSWORD

The chosen Sonatype user must have publication access rights to groupId = dev.cdevents.
The public GPG key must be available at any of the following public key servers:

@aalmiray
Contributor Author

aalmiray commented Aug 3, 2022

More details on the setup can be found at

https://andresalmiray.com/publishing-to-maven-central-using-apache-maven/
https://andresalmiray.com/revisiting-publication-to-maven-central-with-apache-maven/

@aalmiray
Contributor Author

aalmiray commented Aug 3, 2022

Moreover, should you like to also post a Git release, then JReleaser may be used to accomplish this task, just like it's been done for many of the Kordamp and JReleaser projects, such as https://github.com/kordamp/kordamp-maven-parent/releases/tag/v1.3.0

@zaza
Contributor

zaza commented Aug 5, 2022

@aalmiray are you able to add reviewers to this PR? If so, I would add @afrittoli and/or @rjalander to get their attention :)

@aalmiray
Contributor Author

aalmiray commented Aug 5, 2022

@zaza good idea! unfortunately I can't request a review (?). Strange.

@m-linner-ericsson

Thanks for the PR @aalmiray, I have added people as reviewers.

@afrittoli @e-backmark-ericsson: Do you know why they were not able to add reviewers?

@afrittoli
Contributor

> Thanks for the PR @aalmiray, I have added people as reviewers.
>
> @afrittoli @e-backmark-ericsson: Do you know why they were not able to add reviewers?

That's the normal behaviour according to GitHub docs https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/requesting-a-pull-request-review

Even if someone is not allowed to add a reviewer, mentioning them in a comment is enough to send a notification

@afrittoli
Contributor

@aalmiray Thank you for your contribution!!

We don't have a first release of the spec yet, but hopefully we'll have it soon, so it's great to prepare in advance.

I'm not very familiar with maven and its artefact publication process, so forgive the silly questions.

  • If we generate a GPG key, could you recommend a best practice to store and share the private key across the project maintainers? Would it be an option to use a keyless approach like sigstore instead? https://github.com/sigstore/sigstore-maven
  • Where do we provision / get the sonatype account from?
  • Do we need the maven-wrapper.jar stored in the git repo? Is it common practice to store jar files in git? What version does that file have and how can we verify its origin?

Apart from this, there seem to be some linter issues to be fixed before this can pass CI.

@rjalander wdyt?

@aalmiray
Contributor Author

aalmiray commented Aug 5, 2022

> We don't have a first release of the spec yet, but hopefully we'll have it soon, so it's great to prepare in advance.
>
> I'm not very familiar with maven and its artefact publication process, so forgive the silly questions.
>
> * If we generate a GPG key, could you recommend a best practice to store and share the private key across the project maintainers? Would it be an option to use a keyless approach like sigstore instead? https://github.com/sigstore/sigstore-maven

The recommended way would be to store private information using GitHub secrets. Keyless signing is not yet supported by Maven nor Maven Central (the canonical repository).

> * Where do we provision / get the sonatype account from?

Please follow the instructions at https://central.sonatype.org/publish/publish-guide/#introduction
You'll have to prove you own the domain that's associated with the chosen groupid, in this case cdevents.dev. If that were not to be the case then you'd have to select another groupId for which you do have control of the associated domain.
Be aware that provisioning this account may take some days as it's not automated and requires human intervention.

> * Do we need the maven-wrapper.jar stored in the git repo? Is it common practice to store jar files in git? What version does that file have and how can we verify its origin?

Not really, as the Maven wrapper can be bootstrapped in other ways. The wrapper JAR is the most convenient. If this is a problem I can switch it to a different option. The wrapper version is defined at .mvn/wrapper/maven-wrapper.properties

> Apart from this, there seem to be some linter issues to be fixed before this can pass CI.

I'll take care of the lint issue and submit an update.
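
An added example, not part of this thread or of the project's code: one way a reviewer could answer the "what version is it and how can we verify its origin" question for a committed wrapper JAR, by reading the version from the properties file and comparing the JAR's SHA-256 with a digest pinned by the caller. It assumes the properties file contains a `wrapperUrl` line and that the expected digest was computed from a copy of the same wrapper release fetched from a source the reviewer trusts; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a committed Maven wrapper JAR against a pinned digest.
# Default paths follow the standard Maven Wrapper layout; the expected digest
# is an input supplied by the caller, it is not known to this script.

# Print the value of a key from a .properties file (plain key=value lines).
prop_value() {
  # $1 = properties file, $2 = key
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tr -d '\r' | head -n 1
}

# Extract the wrapper version from wrapperUrl (.../maven-wrapper-<version>.jar).
wrapper_version() {
  prop_value "$1" wrapperUrl |
    sed -n 's/.*maven-wrapper-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Lowercase hex SHA-256 of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 if the digest matches, 1 on mismatch, 2 if the JAR is missing.
verify_wrapper_jar() {
  # $1 = jar path, $2 = expected sha256 (hex, any case)
  [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "digest mismatch for $1: got $actual" >&2
  return 1
}

# Run as a script: ./verify-wrapper.sh <expected-sha256>
if [ "${1:-}" != "" ]; then
  PROPS=${PROPS:-.mvn/wrapper/maven-wrapper.properties}
  JAR=${JAR:-.mvn/wrapper/maven-wrapper.jar}
  echo "wrapper version: $(wrapper_version "$PROPS")"
  verify_wrapper_jar "$JAR" "$1"
fi
```

Run in CI before any `./mvnw` invocation, a non-zero exit stops the build when the committed JAR no longer matches the pinned digest.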

@aalmiray
Contributor Author

aalmiray commented Aug 8, 2022

@rjalander @afrittoli I've pushed an update that I hope makes the linter happy. However, the workflow requires approval once more.

@aalmiray aalmiray force-pushed the release-maven-central branch from 443cccd to e0c8e28 Compare April 14, 2023 16:51
@aalmiray
Contributor Author

@rjalander @afrittoli Updated PR with latest changes from main.

Contributor

@afrittoli afrittoli left a comment

Thank you @aalmiray for this. For the little understanding I have of Maven this looks good to me. I'll start working on getting the required credentials provisioned.

@afrittoli afrittoli merged commit 93faff2 into cdevents:main Apr 15, 2023
@aalmiray aalmiray deleted the release-maven-central branch April 15, 2023 17:00