Update deployment from OSSRH

[jodastephen]

OSSRH is dead, use replacement

Summary by CodeRabbit

• Chores
  • Updated Maven and GitHub Actions configurations to use new environment variable names for publishing to Maven Central.
  • Replaced the Maven plugin for artifact publishing with a new plugin and updated related settings.
  • Improved release workflow reliability by ensuring tag deletion always runs and explicit branch/tag checkout.
  • Updated README instructions for local releases to clarify GPG agent requirements.

[coderabbitai]

📝 Walkthrough

Walkthrough

This update transitions the Maven project from Sonatype OSSRH to Maven Central for artifact publishing, updating related credentials, plugins, and configuration. It also adjusts GitHub Actions workflows for release and website publishing, and revises the README to clarify GPG setup for releases.

Changes

Cohort / File(s)	Change Summary
Maven Central Migration Configuration .github/maven-settings.xml, pom.xml	Updated Maven settings and project configuration to use Maven Central instead of Sonatype OSSRH. Changed server IDs, environment variable names, and replaced the Nexus staging plugin with the Central Publishing plugin. Added and removed relevant properties and profiles.
GitHub Actions Workflow Updates .github/workflows/release.yml, .github/workflows/website.yml	Renamed environment variables for Maven Central credentials in the release workflow. In the website workflow, adjusted the checkout step to use the current GitHub ref and ensured the tag deletion step always runs.
Documentation Update README.md	Changed the release instructions to require the GPG agent to be running instead of disabling a specific GPG signer.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ossrh

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[Copilot]

Pull Request Overview

This PR migrates the Maven deployment configuration from the deprecated OSSRH (OSS Repository Hosting) to the new Maven Central publishing system. The change addresses the fact that OSSRH is no longer available and replaces it with the modern central-publishing-maven-plugin.

• Removes the old OSSRH distribution management configuration and replaces the nexus-staging plugin with central-publishing plugin
• Updates GitHub Actions workflows to use new Maven Central credentials instead of OSSRH credentials
• Adds a GitHub Actions profile for GPG signing configuration and updates documentation for local releases

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pom.xml	Removes OSSRH distribution management, replaces nexus-staging plugin with central-publishing plugin, adds GitHub Actions profile
README.md	Updates local release instructions to use gpg-agent instead of disabling bc signer
.github/workflows/website.yml	Adds ref specification and always condition for tag deletion
.github/workflows/release.yml	Updates environment variables from OSSRH to Maven Central credentials
.github/maven-settings.xml	Updates server configuration from OSSRH to Maven Central

Comments suppressed due to low confidence (1)

pom.xml:744

• The version 0.8.0 for central-publishing-maven-plugin may not exist. As of my knowledge cutoff in January 2025, this plugin was relatively new. Please verify this version exists in Maven Central before deploying.

    <central-publishing-maven-plugin.version>0.8.0</central-publishing-maven-plugin.version>

[Copilot]

[nitpick] The inline comment format is inconsistent with the project's comment style. Consider using a separate line comment or removing the comment since the property name is self-explanatory.

Suggested change

	<joda.publish.auto>true</joda.publish.auto><!-- false/true -->
	<joda.publish.auto>true</joda.publish.auto>

[Copilot]

[nitpick] The inline comment format is inconsistent with the project's comment style. Consider using a separate line comment or removing the comment since the property name is self-explanatory.

Suggested change

	<joda.publish.wait>published</joda.publish.wait><!-- validated/published -->
	<joda.publish.wait>published</joda.publish.wait>

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

README.md (1)

104-105: Clarify signer expectations for local releases

The line now only asks the user to ensure gpg-agent is running, yet the github-action Maven profile introduced in pom.xml explicitly sets -Dgpg.signer=bc.
Readers performing a local release might be confused as to whether they still need Bouncy Castle, or if the default GnuPG setup is sufficient.

Consider adding a short note explaining that the bc signer is automatically activated only on CI and that the default GPG installation is expected locally.
This keeps the README self-contained and avoids surprises during manual releases.

.github/workflows/website.yml (1)

19-21: Checkout with ${{ github.ref }} is redundant but harmless

actions/checkout already checks out the commit that triggered the workflow. Passing ref: ${{ github.ref }} has no functional impact and can quietly break forks that do not have permission to read the same ref name (e.g. PRs from forks with deleted tags).

If you do not have a specific reason to pin the ref, consider dropping the ref: attribute to keep the workflow minimal and fork-friendly.

pom.xml (1)

744-746: Plugin version 0.8.0 is new – track for breaking changes

central-publishing-maven-plugin is still moving quickly. Keep an eye on release notes in case 0.8.x introduces breaking changes that affect your workflow (especially around autoPublish semantics).

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 4cc39fd and 6d13988.

📒 Files selected for processing (5)

• .github/maven-settings.xml (1 hunks)
• .github/workflows/release.yml (1 hunks)
• .github/workflows/website.yml (2 hunks)
• README.md (1 hunks)
• pom.xml (4 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build

🔇 Additional comments (5)

.github/workflows/website.yml (1)

74-78: Good call making tag clean-up unconditional

Wrapping the “Delete website tag” step in if: always() guarantees that temporary tags are removed even when earlier steps fail.
This prevents stale tags from accumulating.

.github/workflows/release.yml (1)

53-56: Verify new secret names before merging

The workflow now expects MAVEN_CENTRAL_USERNAME and MAVEN_CENTRAL_PASSWORD.
Ensure these secrets are already defined in the repository (or organisation) settings; otherwise the release job will fail at deploy time with unauthorised errors.

.github/maven-settings.xml (1)

7-10: Server id change looks correct – double-check matching plugin config

<id>central</id> matches the publishingServerId used by the new central-publishing-maven-plugin in pom.xml, so Maven will pick up the credentials correctly.

Nothing further to do here.

pom.xml (2)

655-666: Validate central-publishing plugin coordinates and parameters

1. The published coordinates are org.sonatype.central:central-publishing-maven-plugin.
   At the time of writing the canonical groupId is com.sonatype.maven.plugins. Please verify the artifact exists for version ${central-publishing-maven-plugin.version}.

2. Parameters deploymentName, autoPublish and waitUntil look correct, but make sure they match the plugin’s schema for version 0.8.0 (some earlier versions used stagingProfileId/timeoutMinutes instead).

A quick manual mvn help:effective-pom on a local checkout will confirm the plugin is resolved.

---

715-717: Expose publish toggles as documented properties

Nice touch introducing joda.publish.auto and joda.publish.wait – this makes it trivial to override behaviour from the command line, e.g.:

mvn deploy -Djoda.publish.auto=false

[coderabbitai]

🛠️ Refactor suggestion

Consider omitting bc signer unless strictly required

The github-action profile forces -Dgpg.signer=bc.
If the runner uses the default GnuPG (which is already installed on ubuntu-latest), adding the Bouncy Castle dependency is unnecessary and may even fail if the bcprov JAR is not present.

Unless Bouncy Castle is a hard requirement (e.g. for legacy RSA-1024 keys), you could drop this property and rely on stock GPG:

-      <properties>
-        <gpg.signer>bc</gpg.signer>
-      </properties>
+      <!-- No extra signer needed; default GPG works on GH-Actions -->

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<!-- Set environment when running on GitHub Actions -->
	<profile>
	<id>github-action</id>
	<activation>
	<property>
	<name>env.GITHUB_ACTIONS</name>
	<value>true</value>
	</property>
	</activation>
	<properties>
	<gpg.signer>bc</gpg.signer>
	</properties>
	</profile>
	<!-- Set environment when running on GitHub Actions -->
	<profile>
	<id>github-action</id>
	<activation>
	<property>
	<name>env.GITHUB_ACTIONS</name>
	<value>true</value>
	</property>
	</activation>
	<!-- No extra signer needed; default GPG works on GH-Actions -->
	</profile>

🤖 Prompt for AI Agents

In pom.xml around lines 596 to 608, the github-action profile sets the
gpg.signer property to "bc", which forces use of the Bouncy Castle signer. This
may cause failures if the bcprov JAR is not present and is unnecessary if the
default GnuPG is sufficient. To fix this, remove the <gpg.signer>bc</gpg.signer>
property from the github-action profile unless Bouncy Castle is strictly
required for your signing keys.