Skip to content

Enhance build configuration for Maven publishing and signing; update … #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
felipestanzani merged 1 commit into from
Oct 28, 2025
Merged

Enhance build configuration for Maven publishing and signing; update … #1

felipestanzani merged 1 commit into from
Oct 28, 2025

Conversation

@felipestanzani
Copy link
Collaborator

@felipestanzani felipestanzani commented Oct 28, 2025
edited by coderabbitai bot
Loading

…version to 0.1.0. Update README for Maven Central availability and installation instructions.

Summary by CodeRabbit

  • New Features

    • Library is now published to Maven Central, enabling standard Maven/Gradle dependency management.

  • Documentation

    • Updated installation instructions to use Maven Central as the primary distribution method.
    • Added Maven Central badge to README.
    • Included manual JAR installation alternative from GitHub Releases.

  • Chores

    • Updated build configuration to support Maven publishing and GPG code signing.

@felipestanzani
Enhance build configuration for Maven publishing and signing; update …
39cc849 
…version to 0.1.0. Update README for Maven Central availability and installation instructions.
@coderabbitai
Copy link

coderabbitai bot commented Oct 28, 2025
edited
Loading

Walkthrough

The project is configured for Maven Central publication by adding Maven publishing and code signing support to the Gradle build, automating README version updates in the release workflow, and updating documentation to reflect Maven Central distribution of the jtoon library at version 0.1.0.

Changes

Cohort / File(s) Summary
Build Configuration & Publishing
build.gradle		 Adds maven-publish and signing plugins; configures Java 21 toolchain; introduces sources and javadoc JAR packaging; defines mavenJava publication with POM metadata (name, description, URL, license, developer, SCM) and Maven Central repository with credential sourcing from properties/environment; enables GPG signing configuration. Version incremented from 1.0.0 to 0.1.0.
Release Workflow Automation
.github/workflows/release.yml		 Inserts three sequential steps after version extraction: (1) publishes to Maven Central via gradle publish with Maven and GPG secrets wired in, (2) updates README.md with new version in jtoon tag and version tag, (3) commits and pushes README changes using GitHub Actions bot user, guarded by GITHUB_TOKEN.
Documentation
README.md		 Replaces JAR download installation with Maven Central-centric approach; adds Maven Central badge; updates installation instructions for Gradle (Groovy and Kotlin DSL) and Maven with artifact coordinates com.felipestanzani:jtoon:0.1.0; removes future Maven publishing note; adds reference to latest version on Maven Central; introduces alternative manual JAR installation section for GitHub Releases.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant Gradle as Gradle Build
    participant Maven as Maven Central
    participant Repo as Git Repository
    participant README as README.md

    GH->>Gradle: Extract version
    GH->>Gradle: gradle publish
    Gradle->>Maven: Publish artifact (signed)
    Maven-->>Gradle: Success
    GH->>README: Update version tags
    GH->>Repo: Commit README changes
    GH->>Repo: Push with bot user
    Repo-->>GH: Acknowledged
    GH->>GH: Proceed to GitHub release step
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • build.gradle: Review credential sourcing patterns for Maven and GPG secrets; verify Maven Central repository URL and publication configuration; check toolchain Java 21 requirement compatibility
  • .github/workflows/release.yml: Verify workflow step sequencing, GitHub token scoping, and bot user configuration for committing changes
  • README.md: Version consistency across multiple sections (0.1.0 usage); validate artifact coordinates and installation examples

Poem

🐰 Hops to Maven Central we go,
With signatures signing aglow,
README updates in auto-release flow,
jtoon now published, ready to grow! 📦✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The pull request title "Enhance build configuration for Maven publishing and signing; update …" clearly and specifically describes the primary changes to the build system. The title focuses on the Maven publishing and signing enhancements in build.gradle, which is a substantial and well-defined change. The "update …" portion, while appearing truncated in display, references the accompanying updates to documentation and workflows that support Maven Central integration. The title is not vague or generic—it uses specific terminology ("Maven publishing and signing," "build configuration") that conveys meaningful information about the changeset to someone reviewing commit history.
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch maven
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2696a4d and 39cc849.

📒 Files selected for processing (3)
  • .github/workflows/release.yml (1 hunks)
  • README.md (2 hunks)
  • build.gradle (2 hunks)
🔇 Additional comments (10)
build.gradle (5)

3-4: Plugins added correctly.

The maven-publish and signing plugins are required for Maven Central publishing and artifact signing.

8-8: Version bump to 0.1.0 noted.

Version changed from 1.0.0 to 0.1.0. Confirm this is intentional and aligns with your versioning strategy—0.1.0 typically indicates early release/beta status rather than a patch release.

11-17: Java toolchain and packaging configuration looks good.

Explicit JDK 21 requirement and automatic sources/Javadoc JAR generation are best practices for Maven Central publishing.

34-79: Verify Sonatype Maven Central endpoint and license file reference.

The publishing configuration includes comprehensive POM metadata. However:

  1. Sonatype endpoint URL (line 72): Verify that https://central.sonatype.com/api/v1/publisher/upload is the correct endpoint for your Maven Central account type. Sonatype has multiple publishing endpoints (e.g., s01.oss.sonatype.org for newer accounts vs. oss.sonatype.org for legacy). Confirm which one applies to your account.

  2. License file path (line 48): The POM references LICENSE.md, but ensure this file exists at the repository root with the exact name and path.

81-89: Signing configuration: verify key handling and error behavior.

The signing block conditionally signs artifacts only if both signingKey and signingPassword are provided. This is correct, but consider:

  1. Silent failure: If credentials are missing in CI/CD, the build succeeds unsigned. Add logging or make signing mandatory in production builds.

  2. Key format: Ensure that GPG_PRIVATE_KEY contains the armored PGP key in the correct format (usually base64-encoded or direct ASCII-armored key). The useInMemoryPgpKeys() method expects a specific format.

  3. Error propagation: Test locally that signing failures propagate correctly (e.g., corrupted key, wrong passphrase).

Would you like me to generate a verification script to check the GPG key format compatibility and signing behavior?

.github/workflows/release.yml (3)

35-41: Publish to Maven Central step: environment variables properly wired.

The publish step correctly passes Maven Central credentials and GPG signing keys via environment variables. Ensure these secrets are configured in the GitHub repository settings:

  • MAVEN_CENTRAL_USERNAME
  • MAVEN_CENTRAL_TOKEN
  • GPG_PRIVATE_KEY
  • GPG_PASSPHRASE

49-57: Git commit and push configuration: verify token permissions and avoid race conditions.

The README update is committed and pushed using the GITHUB_TOKEN. Key considerations:

  1. Token permissions: Verify the workflow's permissions block grants contents: write access. Line 12 shows contents: write

  2. Race condition risk: Between publishing to Maven Central (line 35) and pushing the updated README (line 55), there is a small window where:

    • A race tag is pushed by another workflow or user
    • The README update fails partway through
    • The commit message does not match the published version

    This is typically acceptable for release workflows, but be aware.

  3. Commit guard (line 54): The git diff --staged --quiet || ensures a commit only if changes exist—good practice. However, if the sed replacement fails silently (no replacements made), the step will silently skip the commit without error.

  4. GitHub Actions bot account: Using github-actions[bot] is standard. Ensure this account has appropriate access.

Verify that the workflow's permissions block at line 11-12 is sufficient for the push operation. Also test locally that the sed commands produce expected changes before the commit.

43-47: Sed regex patterns are correct and safely capture all version occurrences in README.

Verification confirms:

  • Regex safety: Patterns correctly escape \+ for sed extended regex (lines 46–47).
  • Coverage: All 3 version references are matched: 2 Gradle implementations (lines 403, 411) + 1 Maven XML tag (line 421).
  • False positives: No other numeric [N].[N].[N] patterns exist in README—no risk of unintended updates.

The sed commands are correct as written.

README.md (2)

7-7: Maven Central badge URL looks correct.

The badge URL format follows shields.io conventions and should render as a version badge. The coordinates com.felipestanzani/jtoon match the group and artifactId in build.gradle.

395-429: Installation instructions refactored correctly for Maven Central; minor consistency checks.

The new installation section appropriately prioritizes Maven Central over manual JAR downloads. The following looks good:

  1. Dependency declarations: Version 0.1.0 is consistent across Gradle Groovy, Gradle Kotlin, and Maven blocks.
  2. Maven coordinates: com.felipestanzani:jtoon:0.1.0 matches build.gradle configuration.
  3. Documentation note: Line 425 references the Maven Central latest version page with a helpful link.
  4. Fallback section: Alternative manual installation (lines 427–429) preserved for users without build tool integration.

One minor observation: ensure that once the artifact is published to Maven Central and indexed, the badge at line 7 updates automatically. Shields.io badges typically have a cache lag of a few minutes.

After the first release is published to Maven Central, verify that the badge at line 7 displays the correct version number (0.1.0) within 5–10 minutes.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@felipestanzani felipestanzani merged commit 677611c into main Oct 28, 2025
2 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Oct 30, 2025
Merged
@felipestanzani felipestanzani deleted the maven branch November 6, 2025 18:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@felipestanzani