This parent POM centralises build configuration, dependency management, and security policy for Artagon JVM projects. It also enforces reproducible builds: every compile-scope dependency is checked for hash and PGP signature drift in the security and release profiles.
Add the parent to your module's pom.xml:

```xml
<parent>
  <groupId>org.artagon</groupId>
  <artifactId>artagon-parent</artifactId>
  <version>2.0.0-SNAPSHOT</version>
</parent>
```

Then declare only your module-specific dependencies; the parent provides version management for the testing, logging, and benchmarking stacks documented below.
This project provides a reproducible development environment using Nix. Nix ensures all developers have identical versions of Java, Maven, and security tools regardless of their operating system.
Quick start:

```bash
# Enter development environment
nix develop

# Or run commands directly
nix develop -c mvn verify
```

Features:
- ✅ Java 25 (default), Java 17 (LTS), and Java 21 (LTS) environments
- ✅ Maven, GPG, OpenSSL automatically configured
- ✅ Cross-platform (Linux, macOS)
- ✅ No Docker needed
See NIX-SETUP.md for complete setup guide and advanced usage.
Alternatively, install manually:
- Java 17+ (JDK)
- Maven 3.6+
- GPG (for PGP signature verification)
- OpenSSL (for checksum generation)
- Developer build (default): `mvn verify` uses the active-by-default `artagon-oss-dev` profile.
- Secure verification: `mvn -P artagon-oss-security verify` runs checksum and PGP verification plus OSS Index.
- Full release prep: `mvn -P artagon-oss-release,artagon-oss-security clean verify` enforces integrity checks before signing and staging. Remove `-Dgpg.skip=true` to sign artifacts.
- Continuous integration: `mvn -P artagon-oss-ci verify` enables integration tests and keeps the enforcer strict.
- Benchmarks: `mvn -Dartagon.benchmarks=true verify` activates the JMH profile to build and run benchmarks.

Combine profiles as needed, e.g. `mvn -P artagon-oss-ci,artagon-oss-security verify`.
Two Maven plugins enforce dependency integrity using baseline data stored under `security/`.

- Baseline file: `security/com.artagon-artagon-parent-dependency-checksums.csv`
- Plugin: `net.nicoulaj.maven.plugins:checksum-maven-plugin`
- Profiles: `artagon-oss-release`, `artagon-oss-security`
- Behaviour: the plugin's `check` goal runs in the `verify` phase and compares every compile-scope dependency (transitive included) against the CSV. Any mismatch or missing entry fails the build.
- Deployment: this file is automatically attached and deployed to Maven Central with classifier `dependency-checksums`. The filename includes Maven coordinates (`com.artagon-artagon-parent` from `org.artagon:artagon-parent`) for identification.

Refresh the baseline after intentional dependency updates using the helper script (see below).
- Baseline file: `security/com.artagon-artagon-parent-pgp-trusted-keys.list`
- Plugin: `org.simplify4u.plugins:pgpverify-maven-plugin`
- Profiles: `artagon-oss-release`, `artagon-oss-security`
- Behaviour: validates each compile-scope dependency's signature against the trusted fingerprints. `noKey` entries denote dependencies whose signing key is intentionally unavailable on public key servers.
- Deployment: this file is automatically attached and deployed to Maven Central with classifier `pgp-trusted-keys`. The filename includes Maven coordinates (`com.artagon-artagon-parent` from `org.artagon:artagon-parent`) for identification.
`scripts/update-dependency-security.sh` is a wrapper around the shared security script from artagon-common. It can regenerate both the checksum CSV and the keys list by downloading artifacts and signatures from Maven Central. It is not invoked by the build; use it manually when refreshing the baselines:

```bash
# Update baselines (long form)
scripts/update-dependency-security.sh --update

# Update baselines (short form)
scripts/update-dependency-security.sh -u
```

Verification without mutation:

```bash
# Verify baselines (long form)
scripts/update-dependency-security.sh --verify

# Verify baselines (short form)
scripts/update-dependency-security.sh -v
```

For advanced usage and all available options:

```bash
scripts/update-dependency-security.sh --help
```

Run releases with the security profile enabled so integrity checks run before signing or staging:

```bash
mvn -P artagon-oss-release,artagon-oss-security clean verify
```

A release build fails automatically if:

- any dependency hash differs from `security/dependency-checksums.csv`, or
- any dependency signature is missing, signed with an untrusted key, or the key cannot be located (unless marked `noKey`).
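The drift check that the checksum plugin performs in the `verify` phase, and that makes a release build fail on a hash mismatch or a missing baseline entry, is illustrated below. This is an added, stand-alone example, not code from artagon-parent or from checksum-maven-plugin; the CSV layout (`coordinate,sha256` rows) and the sample artifact bytes are constructed for illustration, and the real baseline file may use a different column layout.

```python
import csv
import hashlib
import io


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_baseline(csv_text: str) -> dict:
    """Parse 'coordinate,sha256' rows into a dict (layout assumed for this example)."""
    baseline = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith("#"):
            continue  # skip blank lines and comment rows
        baseline[row[0].strip()] = row[1].strip().lower()
    return baseline


def check_dependencies(baseline: dict, resolved: dict) -> list:
    """Return drift findings; an empty list means the build may proceed.
    `resolved` maps coordinate -> artifact bytes as fetched from the repository."""
    findings = []
    for coordinate, data in sorted(resolved.items()):
        actual = sha256_hex(data)
        expected = baseline.get(coordinate)
        if expected is None:
            findings.append(f"MISSING  {coordinate}: not in baseline (actual {actual[:12]}...)")
        elif expected != actual:
            findings.append(f"MISMATCH {coordinate}: baseline {expected[:12]}... actual {actual[:12]}...")
    return findings


# Constructed sample: two artifacts recorded in the baseline, one resolved artifact
# whose bytes changed since the baseline was taken, and one never recorded at all.
ORIGINAL_A = b"PK\x03\x04 lib-a 1.0.0 (constructed jar bytes)"
ORIGINAL_B = b"PK\x03\x04 lib-b 2.3.1 (constructed jar bytes)"
BASELINE_CSV = (
    "# coordinate,sha256\n"
    f"org.example:lib-a:1.0.0,{sha256_hex(ORIGINAL_A)}\n"
    f"org.example:lib-b:2.3.1,{sha256_hex(ORIGINAL_B)}\n"
)
RESOLVED = {
    "org.example:lib-a:1.0.0": ORIGINAL_A,
    "org.example:lib-b:2.3.1": ORIGINAL_B + b"tampered",
    "org.example:lib-c:0.9.0": b"PK\x03\x04 lib-c 0.9.0 (not in baseline)",
}


def run_check() -> list:
    return check_dependencies(load_baseline(BASELINE_CSV), RESOLVED)


if __name__ == "__main__":
    findings = run_check()
    print("\n".join(findings) if findings else "dependency checksums OK")
    raise SystemExit(1 if findings else 0)
```

Exiting non-zero on any finding is what stops the build before signing and staging; a clean run requires every resolved artifact to be present in the baseline with an identical digest.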
| Profile | Activation | Purpose | Typical command |
|---|---|---|---|
| `artagon-oss-dev` | Active by default | Developer defaults: unit tests on, integration tests skipped. | `mvn verify` |
| `artagon-oss-release` | Manual | Pre-release packaging: attaches sources/javadocs, signs artifacts, stages to Nexus, enforces checksum & PGP locks. | `mvn -P artagon-oss-release,artagon-oss-security clean verify` |
| `artagon-oss-security` | Manual | Security auditing: runs OSS Index audit plus checksum/PGP verification. Combine with other profiles as needed. | `mvn -P artagon-oss-security verify` |
| `artagon-oss-ci` | Manual | Continuous integration defaults: enables integration tests (`skipITs=false`) and enforcer checks. | `mvn -P artagon-oss-ci verify` |
| `artagon-oss-benchmark` | `-Dartagon.benchmarks=true` | Adds JMH dependencies/plugins and build steps. Useful for local benchmarking. | `mvn -Dartagon.benchmarks=true verify` |
- `security/com.artagon-artagon-parent-dependency-checksums.csv`: authoritative SHA-256 hashes generated by the checksum plugin (compile scope, transitive). Update only when dependencies change intentionally.
- `security/com.artagon-artagon-parent-pgp-trusted-keys.list`: mapping of Maven coordinates to trusted PGP fingerprints. Include `noKey` for dependencies whose public key is intentionally unavailable.

These files use Maven coordinate-based naming (`com.artagon-artagon-parent` derived from `org.artagon:artagon-parent`) for clear identification. Keep these files under version control; do not regenerate them during normal builds.
Both files are automatically attached and deployed to Maven Central during releases, allowing consumers to verify the integrity of published artifacts.
General-purpose documentation is maintained in artagon-common:
- Security Scripts Guide - Using security verification scripts
- Release Guide - How to create releases
- Deployment Guide - Deploying to Maven Central
- GitHub Packages Guide - Using GitHub Packages
- Licensing Implementation - Dual licensing setup
- Complete Documentation Index - All available documentation
- CHANGELOG.md - Version history and changes
- RELEASE-GUIDE.md - artagon-parent specific release notes
- security/README.md - Security baseline file documentation
This project uses a dual licensing model:

- GNU Affero General Public License v3.0 (AGPL-3.0) for open source use. See `licenses/LICENSE-AGPL.txt` for the full text.
- Commercial License for proprietary use, available from Artagon LLC with expanded rights, warranties, and support. Review `licenses/LICENSE-COMMERCIAL.txt` or contact sales@artagon.com.

Need help choosing? Read `licenses/LICENSING.md` for a decision guide. Commercial pricing is available at https://www.artagon.com/pricing.