Update deployment from OSSRH #205

Merged
jodastephen merged 1 commit into main from ossrh
Aug 12, 2025
Member

@jodastephen jodastephen commented Aug 12, 2025

OSSRH is dead, use replacement
Match setup in other projects

Summary by CodeRabbit

  • Chores
    • Migrated releases to Maven Central’s modern publishing flow and removed legacy staging configuration.
    • Standardized publishing and GitHub credentials to use central secrets.
    • Tightened CI permissions and removed unnecessary local git setup and personal-token usage.
    • Ensured website builds check out the exact triggering branch or tag.
    • Adjusted CI signing behavior for more reliable automated releases.
  • Documentation
    • Updated local release instructions to ensure gpg-agent is running.

@jodastephen jodastephen requested a review from Copilot August 12, 2025 13:27
coderabbitai bot commented Aug 12, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

Credentials and publishing targets moved from OSSRH/Nexus staging to Maven Central/central-publishing; GitHub Actions workflows adjusted (permissions, checkout, removed custom token/git setup); POM removed distributionManagement, replaced nexus-staging plugin with central-publishing plugin and added related properties/profiles; README GPG instruction updated.

Changes

Cohort | File(s) | Summary
Publishing & Maven config | pom.xml, .github/maven-settings.xml | Remove distributionManagement; replace nexus-staging plugin with central-publishing plugin and properties; add joda.publish.* properties; add github-action profile(s) setting gpg.signer=bc (duplicated); update server ids and switch settings credentials to MAVEN_CENTRAL_*; replace GitHub privateKey entry with password token.
Release workflow | .github/workflows/release.yml | Switch Maven release env vars from OSSRH_USERNAME/OSSRH_TOKEN to MAVEN_CENTRAL_USERNAME/MAVEN_CENTRAL_PASSWORD (use corresponding secrets).
Build & website workflows | .github/workflows/build.yml, .github/workflows/website.yml | Reduce top-level permissions (contents: write → read); remove checkout with custom token/fetch-tags and remove "Setup git" step; add checkout ref: ${{ github.ref }} in website workflow.
Docs | README.md | Change local release instruction from turning off gpg 'bc' signer to ensuring gpg-agent is running.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer
  participant GH as GitHub Actions (release.yml)
  participant MVN as Maven
  participant CPP as Central Publishing Plugin
  participant MC as Maven Central

  Dev->>GH: Push tag / trigger release
  GH->>MVN: Run mvn release with MAVEN_CENTRAL_* creds
  MVN->>CPP: central-publishing:publish (autoPublish/waitUntil)
  CPP->>MC: Upload and request publish
  MC-->>CPP: Publish status (validated/published)
  CPP-->>GH: Return result
  GH-->>Dev: Workflow outcome

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I’m a rabbit by the CI stream, hopping tokens in my paws,
From staging dens to Central beams, we swapped the credential laws.
POMs pruned, workflows trimmed, gpg-agent hums a tune,
I thump a joyful release beat — jars soaring to the moon. 🐇✨


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 64d7060 and f3cb07d.

📒 Files selected for processing (6)
  • .github/maven-settings.xml (1 hunks)
  • .github/workflows/build.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • .github/workflows/website.yml (1 hunks)
  • README.md (1 hunks)
  • pom.xml (4 hunks)

Copilot AI left a comment

Pull Request Overview

This PR migrates deployment configuration from the deprecated OSSRH (OSS Repository Hosting) to the new Maven Central publishing system. The changes align the project's publishing setup with Sonatype's new central publishing infrastructure.

Key changes:

  • Replace Nexus staging plugin with Central publishing plugin
  • Update Maven repository configuration and authentication
  • Simplify GitHub Actions workflow configurations

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File | Description
pom.xml | Removes OSSRH distribution management, adds Central publishing plugin, updates properties and profiles
README.md | Updates release instructions to reflect new GPG setup requirements
.github/workflows/website.yml | Adds explicit ref checkout for better workflow control
.github/workflows/release.yml | Updates environment variables from OSSRH to Maven Central credentials
.github/workflows/build.yml | Simplifies build workflow by removing unnecessary git setup and permissions
.github/maven-settings.xml | Updates server configurations for Central publishing and GitHub authentication


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/website.yml (1)

15-21: Prefer GitHub-provided GITHUB_TOKEN for the first checkout (reduce PAT scope).

For the initial checkout of this repo, PERSONAL_GITHUB_TOKEN is unnecessary; the default GITHUB_TOKEN with contents: write suffices and reduces secret exposure. Keep the PAT for the cross-repo website checkout/push step.

Apply this diff to use the default token for the first checkout:

     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        token: ${{ secrets.PERSONAL_GITHUB_TOKEN }}
+      with:
         ref: ${{ github.ref }}
         fetch-tags: true
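
Review bot: the `-      with:` / `+      with:` pair is a no-op, so this suggestion reduces to deleting the single `token:` line; keeping it that small makes it obvious that nothing else in the step changes. The context line `uses: actions/checkout@v4` references a mutable tag; pinning it to a full commit SHA would fix the exact action code that handles whichever token this step ends up with.
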
.github/workflows/release.yml (1)

15-21: Consider using GITHUB_TOKEN for the repo checkout to avoid a PAT (if branch protections allow).

actions/checkout can use the default GITHUB_TOKEN (permissions: contents: write already set). The Maven Release Plugin will reuse the checkout’s credentials for pushing. This removes the need for PERSONAL_GITHUB_TOKEN in this step.

     - name: Checkout
       uses: actions/checkout@v4
       with:
-        token: ${{ secrets.PERSONAL_GITHUB_TOKEN }}
         ref: "main"
         fetch-tags: true
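
Review bot: removing `token:` changes which identity later pushes use, not only which secret is read. Checkout persists the token it was given, and pushes authenticated with the default GITHUB_TOKEN do not start new workflow runs. Since the release step pushes with these credentials, confirm that no other workflow depends on being triggered by the release commits or tags before dropping the PAT.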

If you rely on PAT to bypass branch protections, keep as-is.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f8f0527 and 64d7060.

📒 Files selected for processing (6)
  • .github/maven-settings.xml (1 hunks)
  • .github/workflows/build.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • .github/workflows/website.yml (1 hunks)
  • README.md (1 hunks)
  • pom.xml (4 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build (11)
🔇 Additional comments (9)
README.md (1)

78-80: LGTM: release note clarified for local signing.

The instruction to ensure gpg-agent is running aligns with central publishing and avoids bc signer confusion. No further changes needed here.

.github/workflows/website.yml (1)

19-19: Good call adding an explicit ref for checkout.

Using ref: ${{ github.ref }} ensures the workflow builds from the triggering tag/branch consistently.

.github/workflows/build.yml (1)

12-12: Least-privilege improvement on workflow permissions looks good.

contents: read at the workflow level is appropriate; job-level security-events: write is scoped correctly for CodeQL.

.github/maven-settings.xml (2)

7-9: All Good: Server ID Matches Plugin Configuration

The <id>central-publish</id> in .github/maven-settings.xml aligns with <publishingServerId>central-publish</publishingServerId> in pom.xml (lines 729–733). No changes are needed.


12-14: No Maven references to server “github” detected—no username needed

We searched all pom.xml files for <distributionManagement>, <pluginRepository>, and any <id>github</id> references and found none. The <server id="github"> entry in your settings.xml isn’t used by any repository or plugin, so adding a username isn’t necessary unless you introduce such a configuration later.

.github/workflows/release.yml (2)

53-54: Approve code changes: Maven Central publishing verified
The central-publishing-maven-plugin is present in pom.xml (lines 729–733) with <publishingServerId>central-publish</publishingServerId>, matching the MAVEN_CENTRAL_USERNAME/PASSWORD secrets. No further changes needed.


1-71: No duplicate github-action profile found in POM
A recursive search of all pom.xml files returned only one <id>github-action</id> (line 645), so there’s no duplicate to remove.

Likely an incorrect or invalid review comment.

pom.xml (2)

726-739: Central publishing config verified—and SNAPSHOTs supported

  • Your <server><id>central-publish</id> in .github/maven-settings.xml matches the plugin’s publishingServerId.
  • You’ve bumped central-publishing-maven-plugin.version to 0.8.0 (≥ 0.7.0), so the plugin can publish -SNAPSHOT artifacts directly—no <snapshotRepository> block needed in your POM.
  • Just ensure you’ve enabled SNAPSHOT publishing for your namespace in the Sonatype Central Publisher Portal.

846-846: central-publishing-maven-plugin version is up-to-date

I’ve confirmed that 0.8.0 (released June 17, 2025) is the latest stable version and no newer releases exist as of today. No changes to your POM are required for version bumps.

• File – pom.xml, line 846: current <central-publishing-maven-plugin.version>0.8.0</central-publishing-maven-plugin.version> is correct.
• Authentication reminder: this plugin now requires Sonatype user-tokens (no legacy username/password). Ensure your settings.xml or CI secrets use the token-based credentials described in the Sonatype docs.

Comment on lines +643 to +655
<!-- Set environment when running on GitHub Actions -->
<profile>
<id>github-action</id>
<activation>
<property>
<name>env.GITHUB_ACTIONS</name>
<value>true</value>
</property>
</activation>
<properties>
<gpg.signer>bc</gpg.signer>
</properties>
</profile>
💡 Verification agent

🧩 Analysis chain

Avoid redundant GPG signer configuration; keep a single source of truth

You already set bc for maven-gpg-plugin in the release profile. The extra gpg.signer property here duplicates that intent and can drift. Recommend removing the property to avoid confusion.

Apply this diff to drop the redundant property:

       <properties>
-        <gpg.signer>bc</gpg.signer>
       </properties>
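
Review bot: deleting only the `<gpg.signer>` line leaves an empty `<properties>` pair, and the case for deleting it rests entirely on maven-gpg-plugin having a hard-coded `<signer>bc</signer>`. `gpg.signer` is the user property that plugin reads for its `signer` parameter, so the property takes effect without any `${gpg.signer}` reference in the POM whenever the plugin configuration does not set `<signer>` itself. Check the plugin configuration first, then keep exactly one of the two settings.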

Also, the AI summary mentioned there are two identical github-action profiles, but this file shows only one. Flagging the inconsistency for awareness.

Run this to ensure there is only one github-action profile in this POM:


🏁 Script executed:

#!/bin/bash
rg -n '<id>github-action</id>' pom.xml -A2 -B2

Length of output: 209


#!/bin/bash
# Locate the maven-gpg-plugin configuration in the release profile
rg -n '<artifactId>maven-gpg-plugin</artifactId>' -A5 -B5 pom.xml

# Check if the plugin’s <signer> is hardcoded
rg -n '<signer>bc</signer>' -A2 -B2 pom.xml

# See whether the property ${gpg.signer} is referenced anywhere
rg -n -F '${gpg.signer}' -A2 -B2 pom.xml

#!/bin/bash
# Find the maven-gpg-plugin configuration in the POM
rg -n '<artifactId>maven-gpg-plugin' -A5 -B5 pom.xml

# Check for any <signer> elements specifying 'bc'
rg -n '<signer>bc</signer>' pom.xml

# See if the property gpg.signer is referenced in plugin configuration
rg -n -F '${gpg.signer}' pom.xml

#!/bin/bash
# 1. Locate the maven-gpg-plugin configuration (should include <signer>bc</signer>)
rg -n '<artifactId>maven-gpg-plugin' -A5 -B5 pom.xml

# 2. Verify where <signer> is hardcoded
rg -n '<signer>bc</signer>' -A2 -B2 pom.xml

# 3. Check for uses of the gpg.signer property elsewhere
rg -n -F '${gpg.signer}' pom.xml

🏁 Script executed:

#!/bin/bash
# 1. Locate the maven-gpg-plugin configuration in the release profile
rg -n '<artifactId>maven-gpg-plugin' -A5 -B5 pom.xml

# 2. Check for any <signer> elements (hardcoded or property-based)
rg -n '<signer>' -A2 -B2 pom.xml

# 3. Verify usage of the gpg.signer property
rg -n -F '${gpg.signer}' pom.xml

Length of output: 1315


Remove redundant GPG signer property from the GitHub Actions profile

The <gpg.signer> property in the github-action profile isn’t referenced by any <signer>${gpg.signer}</signer> configuration (the maven-gpg-plugin uses a hard-coded <signer>bc</signer>). You can safely drop the property to avoid duplication and drift.

Files to update:

  • pom.xml (lines ~643–655)

Apply this diff:

     <profile>
       <id>github-action</id>
       <activation>
         <property>
           <name>env.GITHUB_ACTIONS</name>
           <value>true</value>
         </property>
       </activation>
       <properties>
-        <gpg.signer>bc</gpg.signer>
       </properties>
     </profile>
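
Review bot: after this deletion the `github-action` profile still activates on `env.GITHUB_ACTIONS` but sets nothing, so the empty `<properties>` element and the profile around it become dead configuration. If the property really is unused, remove the whole `<profile>` block instead of leaving an empty shell that a later reader will assume has a purpose.
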

Suggested change
<!-- Set environment when running on GitHub Actions -->
<profile>
<id>github-action</id>
<activation>
<property>
<name>env.GITHUB_ACTIONS</name>
<value>true</value>
</property>
</activation>
<properties>
<gpg.signer>bc</gpg.signer>
</properties>
</profile>
<!-- Set environment when running on GitHub Actions -->
<profile>
<id>github-action</id>
<activation>
<property>
<name>env.GITHUB_ACTIONS</name>
<value>true</value>
</property>
</activation>
<properties>
</properties>
</profile>
🤖 Prompt for AI Agents
In pom.xml around lines 643 to 655, remove the redundant <gpg.signer> property
from the github-action profile because the maven-gpg-plugin uses a hard-coded
signer and the property is unused; edit the profile to delete the <properties>
block (or at minimum remove the <gpg.signer> entry) so the profile no longer
contains that duplicate property and save the file.
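
The two consistency checks this review carries out by hand (the settings.xml server id against the plugin's publishingServerId, and whether a gpg.signer property can reach maven-gpg-plugin) can be scripted. The following is an added example, not code from the PR or the project; the XML samples are constructed from the snippets quoted above, and the `GITHUB_TOKEN` variable name and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets quoted in this review.
# The GITHUB_TOKEN variable name is illustrative, not taken from the PR.
SETTINGS = """<settings><servers>
  <server><id>central-publish</id>
    <username>${env.MAVEN_CENTRAL_USERNAME}</username>
    <password>${env.MAVEN_CENTRAL_PASSWORD}</password></server>
  <server><id>github</id><password>${env.GITHUB_TOKEN}</password></server>
</servers></settings>"""

POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><build><plugins>
  <plugin><artifactId>central-publishing-maven-plugin</artifactId>
    <configuration><publishingServerId>central-publish</publishingServerId></configuration></plugin>
  <plugin><artifactId>maven-gpg-plugin</artifactId>
    <configuration><signer>bc</signer></configuration></plugin>
</plugins></build>
<profiles><profile><id>github-action</id>
  <properties><gpg.signer>bc</gpg.signer></properties></profile></profiles>
</project>"""

# A credential field should be an environment reference, never a literal.
ENV_REF = re.compile(r"^\$\{env\.[A-Za-z_][A-Za-z0-9_]*\}$")

def parse(xml_text):
    """Parse XML and drop namespaces so plain tag names can be searched."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def check_publishing(pom_text, settings_text):
    """Return findings about server-id mismatches and literal credentials."""
    pom, settings = parse(pom_text), parse(settings_text)
    servers = {s.findtext("id"): s for s in settings.iter("server")}
    findings = []
    for sid in (e.text for e in pom.iter("publishingServerId")):
        server = servers.get(sid)
        if server is None:
            findings.append(f"no <server> with id {sid!r} in settings.xml")
            continue
        for field in ("username", "password"):
            value = (server.findtext(field) or "").strip()
            if not ENV_REF.match(value):
                findings.append(f"{sid}: <{field}> is not an ${{env.*}} reference")
    return findings

def signer_property_status(pom_text):
    """Say whether a gpg.signer property can reach maven-gpg-plugin."""
    for plugin in parse(pom_text).iter("plugin"):
        if plugin.findtext("artifactId") == "maven-gpg-plugin":
            signer = plugin.findtext("configuration/signer")
            # Explicit plugin configuration wins over the user property.
            if signer and "${gpg.signer}" not in signer:
                return f"shadowed by hard-coded <signer>{signer}</signer>"
    return "effective as a user property"
```

Running both functions in CI before the release job catches a renamed server id or a credential pasted in as a literal before any upload is attempted.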

OSSRH is dead, use replacement
Match setup in other projects
@jodastephen jodastephen enabled auto-merge (squash) August 12, 2025 13:48
@jodastephen jodastephen merged commit 61d901b into main Aug 12, 2025
6 of 7 checks passed
@jodastephen jodastephen deleted the ossrh branch August 12, 2025 13:48