
build: publish to Maven Central on version tags #3

Open
jlengelbrecht wants to merge 1 commit into OpenMinimed:main from jlengelbrecht:feat/maven-central-publishing


@jlengelbrecht

Member

Summary

Makes JavaSake consumable as a normal Gradle/Maven dependency (org.openminimed:javasake) instead of requiring downstream projects to vendor the sources. This is the enabler for downstream consumers (e.g. GlycemicGPT) to pull JavaSake as a versioned dependency and let Renovate bump it, rather than copying the source in.

No production code changes — build and release plumbing only.

What's here

  • Applies com.vanniktech.maven.publish and configures publishing to the Sonatype Central Portal: POM metadata (name, description, GPL-3.0, developers, SCM), sources + javadoc jars, and GPG signing.
  • The release version is derived from the git tag (-PreleaseVersion); local builds and PRs stay on 0.1.0-SNAPSHOT and never publish.
  • .github/workflows/release.yml: on a vX.Y.Z tag push, builds, signs, publishes to Central, and opens a GitHub Release. Credentials and the signing key are read from repo secrets at publish time only — nothing is needed to build or test.
  • RELEASING.md: the one-time admin setup (namespace verification, Central user token, GPG signing key as secrets) and the tag-to-release flow.

What you'll need to flip it on (admin, one-time)

Publishing won't run until four repo secrets exist (MAVEN_CENTRAL_USERNAME, MAVEN_CENTRAL_PASSWORD, SIGNING_KEY, SIGNING_KEY_PASSWORD) and the Central namespace is verified. Full checklist in RELEASING.md. The coordinate is org.openminimed (needs domain verification); if you'd rather skip that, io.github.openminimed verifies automatically against the GitHub org — one-line change to group.

Verification

./gradlew build (compile/test/jar/sources/javadoc), the generated POM, and the wired publishing tasks were all verified locally; only the publish upload itself needs the secrets.

Note on CI

The build check will be red on this PR until #2 merges. That's a pre-existing Spotless formatting violation in SeqCrypt.java on main (from d78ff25) — unrelated to this PR, which changes no .java files. #2 fixes it; once it merges and this rebases on main, CI goes green. Please review/merge #2 first.

Make JavaSake consumable as a normal Gradle/Maven dependency
(org.openminimed:javasake) instead of requiring downstream projects to
vendor the sources.

- Apply com.vanniktech.maven.publish; configure POM (name, description,
  GPL-3.0, developers, SCM), sources + javadoc jars, and GPG signing for
  the Sonatype Central Portal.
- Derive the release version from the git tag (-PreleaseVersion); local
  builds and PRs stay on 0.1.0-SNAPSHOT and never publish.
- Add a release workflow that publishes + signs on a vX.Y.Z tag and opens
  a GitHub Release. Credentials and the signing key come from repo secrets
  at publish time only.
- Document the one-time admin setup (namespace, token, signing key) and the
  tag-to-release flow in RELEASING.md.

No production code changes. Build/test, the generated POM, and the wired
publishing tasks were verified locally (publish itself needs the secrets).
@jlengelbrecht jlengelbrecht requested a review from palmarci July 3, 2026 06:09
@jlengelbrecht

Member Author

@palmarci some context on what this PR is for and what (if anything) you'd need to do — no rush on any of it.

The problem it solves. Today the only way to use JavaSake in another project is to copy the source in ("vendoring"). That's how GlycemicGPT consumes it right now — we keep a verbatim copy of org.openminimed.sake.* in our tree and re-sync it by hand every time you push a change here (that's exactly what #855 and the fix in #2 were). It works, but it's fragile: every upstream change means a manual re-vendor, it's easy to drift out of sync, and anyone else who wants to use JavaSake has to do the same copy-paste.

What this changes. It makes JavaSake a normal published library. Once it's on Maven Central, any project — GlycemicGPT included — just declares:

implementation("org.openminimed:javasake:<version>")

and pulls it like any other dependency. Tools like Renovate then open automatic version-bump PRs whenever you cut a new release, so consumers stay current with zero hand-copying. It also means your work ships as a proper versioned artifact rather than a source dump.

How releasing works. You push a tag (e.g. v0.2.0); a GitHub Action builds, signs, and publishes it, then opens a GitHub Release. Nothing publishes on normal pushes or PRs — only tags. Full details and the one-time setup are in RELEASING.md.

What's needed from you (one-time, admin):

  • Pick the coordinate: org.openminimed (requires verifying you own the openminimed.org domain) or io.github.openminimed (auto-verified against the GitHub org, no domain needed — a one-line change if you prefer it).
  • Add four repo secrets: a Central Portal token (2 values) and a GPG signing key (2 values). Steps are in RELEASING.md — happy to walk through it or help generate the key.

On cost — this is all free. Maven Central / the Sonatype Central Portal is free for open-source publishing (no account or per-artifact fees), GitHub Actions is free for public repos, and the io.github.openminimed namespace needs no domain. The only thing that could ever cost anything is registering openminimed.org if you specifically wanted the org.openminimed coordinate and didn't already own it — and the io.github option sidesteps even that. You won't be charged for any of this.

Totally your call on whether and when to do this. Suggest merging #2 first — it fixes a real desync bug and also clears the pre-existing Spotless formatting issue that's currently making this PR's build check red. I can help with any of the setup whenever you're ready.
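
The tag-only release flow described in this thread, sketched as a pre-publish gate (an added example, not code from this PR or from the project's release.yml). It assumes the job receives the pushed ref in the form `refs/tags/vX.Y.Z` and reads the four secret names listed in the PR description from the environment; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's release.yml); function names are hypothetical.

# Print X.Y.Z for a ref of the form refs/tags/vX.Y.Z; fail for anything else.
release_version_from_ref() {
  case $1 in
    refs/tags/v*) ver=${1#refs/tags/v} ;;
    *) return 1 ;;                       # branch pushes and PR refs never release
  esac
  case $ver in
    '' | *[!0-9.]*) return 1 ;;          # digits and dots only, so no newline or shell text
  esac
  printf '%s\n' "$ver" |
    grep -Eqx '(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)' || return 1
  printf '%s\n' "$ver"
}

# Print the names (never the values) of the publishing secrets that are unset or empty.
missing_publish_secrets() {
  missing=
  for name in MAVEN_CENTRAL_USERNAME MAVEN_CENTRAL_PASSWORD SIGNING_KEY SIGNING_KEY_PASSWORD; do
    eval "value=\${$name-}"              # names are fixed literals, so eval is safe here
    [ -n "$value" ] || missing="$missing $name"
  done
  printf '%s' "${missing# }"
}

# Gate for the publish step: print the Gradle property only when the ref is a
# release tag and all four secrets are present.
publish_gate() {
  version=$(release_version_from_ref "$1") || {
    echo "refusing to publish: ref is not a vX.Y.Z tag" >&2; return 1; }
  missing=$(missing_publish_secrets)
  [ -z "$missing" ] || { echo "refusing to publish: missing $missing" >&2; return 1; }
  printf '%s\n' "-PreleaseVersion=$version"
}

# Constructed sample refs: a release tag, a branch push, and two malformed tags.
for ref in refs/tags/v0.2.0 refs/heads/main refs/tags/v0.2.0-rc1 refs/tags/v01.2.0; do
  if v=$(release_version_from_ref "$ref"); then echo "$ref -> $v"; else echo "$ref -> no release"; fi
done
```

Because the version string ends up in a Gradle property and in the published coordinate, the gate accepts only digits and dots and reports missing secrets by name so that no secret value reaches the job log.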
