release.yml

name: Release

on:
  workflow_dispatch:
  push:
    tags:
      - "v*"

permissions:
  contents: read

jobs:
  publish:
    name: Publish to Maven Central
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Set up JDK 11
        uses: actions/setup-java@v5
        with:
          java-version: "11"
          distribution: temurin
          cache: maven
          server-id: central
          server-username: CENTRAL_TOKEN_USERNAME
          server-password: CENTRAL_TOKEN_PASSWORD

      - name: Import GPG private key
        shell: bash
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          set -euo pipefail

          if [[ -z "${GPG_PRIVATE_KEY}" ]]; then
            echo "::error::GPG_PRIVATE_KEY secret is empty"
            exit 1
          fi

          key_file="$(mktemp)"
          trap 'rm -f "${key_file}"' EXIT

          if [[ "${GPG_PRIVATE_KEY}" == *"-----BEGIN PGP PRIVATE KEY BLOCK-----"* ]]; then
            printf '%s' "${GPG_PRIVATE_KEY}" | sed 's/\\n/\n/g' > "${key_file}"
          else
            printf '%s' "${GPG_PRIVATE_KEY}" | base64 --decode > "${key_file}"
          fi

          gpg --batch --import "${key_file}"
          gpg --batch --list-secret-keys --keyid-format LONG

      - name: Build release artifacts
        run: mvn --batch-mode clean verify -Dgpg.skip=true

      - name: Upload release artifacts
        uses: actions/upload-artifact@v7
        with:
          name: maven-artifacts
          path: |
            target/*.jar
            target/*.pom

      - name: Publish to Maven Central
        run: mvn --batch-mode deploy -DskipTests
        env:
          CENTRAL_TOKEN_USERNAME: ${{ secrets.CENTRAL_TOKEN_USERNAME }}
          CENTRAL_TOKEN_PASSWORD: ${{ secrets.CENTRAL_TOKEN_PASSWORD }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}