wip: release automation: tag workflow, secrets helper, docs

Author: simbo1905

.github/workflows/release-on-branch.yml

@@ -0,0 +1,72 @@
+name: Release on Tag
+
+on:
+  push:
+    tags:
+      - 'releases/*'
+
+permissions:
+  contents: write    # push tags, push commits
+  pull-requests: write
+
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Java, Central creds and GPG
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: '21'
+          cache: maven
+          server-id: central
+          server-username: CENTRAL_USERNAME
+          server-password: CENTRAL_PASSWORD
+          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Create GitHub Release with notes
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ github.ref_name }}
+          generate_release_notes: true
+
+      - name: Build and Deploy to Central
+        env:
+          CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
+          CENTRAL_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
+        run: |
+          mvn -B -ntp clean deploy
+
+      - name: Configure Git identity
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Create branch from tag for PR
+        id: prbranch
+        run: |
+          BRANCH_NAME="release-bot-$(date +%Y%m%d-%H%M%S)"
+          git checkout -B "$BRANCH_NAME" $GITHUB_SHA
+          git push origin "$BRANCH_NAME"
+          echo "branch=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
+
+      - name: Open PR back to main
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh pr create \
+            --title "chore: merge release ${{ github.ref_name }} to main" \
+            --body "Automated PR created from tag ${{ github.ref_name }}." \
+            --base main \
+            --head "${{ steps.prbranch.outputs.branch }}" \
+          || echo "PR already exists or nothing to compare"

AGENTS.md

@@ -64,6 +64,47 @@ mvn exec:java -pl json-compatibility-suite -Dexec.args="--json"
 ./mvn-test-no-boilerplate.sh -Dtest=JsonParserTests -Djava.util.logging.ConsoleHandler.level=FINER
 ```
 
+## Releasing to Maven Central
+
+Prerequisites
+- Central credentials in `~/.m2/settings.xml` with `<id>central</id>` (used by the workflow)
+  ```xml
+  <servers>
+    <server>
+      <id>central</id>
+      <username>YOUR_PORTAL_TOKEN_USERNAME</username>
+      <password>YOUR_PORTAL_TOKEN_PASSWORD</password>
+    </server>
+  </servers>
+  ```
+- GPG key set up for signing (the parent POM runs `maven-gpg-plugin` in `verify`). If prompted for passphrase locally, export `GPG_TTY=$(tty)` or configure passphrase in settings. In CI, secrets `GPG_PRIVATE_KEY` and `GPG_PASSPHRASE` are used.
+- Optional: alias `mvn` to `mvnd` for faster builds (see note at top).
+
+Automated Release (preferred)
+- Push a tag named `releases/X.Y.Z` (semver, no leading `v`).
+- The workflow `.github/workflows/release-on-branch.yml` will:
+  - Create a GitHub Release for that tag with autogenerated notes.
+  - Build and deploy artifacts to Maven Central (Central Publishing plugin).
+  - Create a branch `release-bot-YYYYMMDD-HHMMSS` at the tagged commit and open a PR back to `main` (no version bumps).
+
+Manual Release (local)
+- Ensure POM version is your intended release version.
+- Verify: `mvn verify`
+- Publish: `mvn clean deploy` (uses Central Publishing plugin + GPG)
+- Tag with `releases/X.Y.Z` and create a GitHub Release if desired.
+
+Snapshot Publishing
+- Set version to `X.Y.(Z+1)-SNAPSHOT`:
+  - `mvn -q versions:set -DnewVersion=0.1.1-SNAPSHOT`
+- Deploy snapshots:
+  - `mvn clean deploy`
+  - Goes to `https://oss.sonatype.org/content/repositories/snapshots` (configured in `distributionManagement`).
+
+Notes
+- Javadoc is built with `doclint` disabled to avoid strict failures on Java 21.
+- To skip signing locally for quick checks, add `-Dgpg.skip=true`.
+- The Central Publishing plugin configuration lives in the parent `pom.xml` and applies to all modules.
+
 ## Python Usage (Herodoc, 3.2-safe)
 - Prefer `python3` with a heredoc over Perl/sed for non-trivial transforms.
 - Target ancient Python 3.2 syntax: no f-strings, no fancy deps.
@@ -186,7 +227,7 @@ PY
 
 ### json-java21
 - **Main library** containing the core JSON API
-- **Maven coordinates**: `io.github.simbo1905.json:json-java21:0.1-SNAPSHOT`
+- **Maven coordinates**: `io.github.simbo1905.json:json-java21:0.X.Y`
 - **JDK requirement**: Java 21+
 
 ### json-compatibility-suite

RELEASE-GIST.md

@@ -0,0 +1,88 @@
+# Tag-Triggered Maven Central Release (GitHub Actions)
+
+- Trigger: push tag `releases/X.Y.Z` (no leading `v`).
+- CI creates a GitHub Release from the tag, then deploys to Maven Central.
+- CI opens a PR back to `main` from `release-bot-YYYYMMDD-HHMMSS` (no version bumps).
+
+## Workflow (drop-in)
+
+```yaml
+name: Release on Tag
+on:
+  push:
+    tags:
+      - 'releases/*'
+permissions:
+  contents: write
+  pull-requests: write
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: '21'
+          cache: maven
+          server-id: central
+          server-username: CENTRAL_USERNAME
+          server-password: CENTRAL_PASSWORD
+          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
+      - uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ github.ref_name }}
+          generate_release_notes: true
+      - name: Build and Deploy to Central
+        env:
+          CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
+          CENTRAL_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
+        run: mvn -B -ntp clean deploy
+      - name: Configure Git identity
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+      - name: Create branch from tag and PR to main
+        env: { GH_TOKEN: ${{ github.token }} }
+        run: |
+          BRANCH_NAME="release-bot-$(date +%Y%m%d-%H%M%S)"
+          git checkout -B "$BRANCH_NAME" $GITHUB_SHA
+          git push origin "$BRANCH_NAME"
+          gh pr create \
+            --title "chore: merge release ${{ github.ref_name }} to main" \
+            --body "Automated PR created from tag ${{ github.ref_name }}." \
+            --base main \
+            --head "$BRANCH_NAME" || true
+```
+
+## Secrets (one-time)
+
+- CENTRAL_USERNAME, CENTRAL_PASSWORD (Central Portal token)
+- GPG_PRIVATE_KEY (ASCII-armored secret key), GPG_PASSPHRASE
+
+zsh helper (uses gh, gpg):
+
+```zsh
+#!/usr/bin/env zsh
+set -euo pipefail
+export CENTRAL_USERNAME=your_user
+export CENTRAL_PASSWORD=your_pass
+export GPG_PASSPHRASE=your_passphrase
+export GPG_KEY_ID=YOUR_KEY_ID   # or export GPG_PRIVATE_KEY="$(gpg --armor --export-secret-keys YOUR_KEY_ID)"
+./scripts/setup-release-secrets.zsh
+```
+
+## Trigger a Release
+
+```bash
+git tag 'releases/0.1.0'
+git push origin 'releases/0.1.0'
+```
+
+## Publish this doc as a Gist
+
+```bash
+gh gist create -p -d "Tag-triggered Maven Central release via GitHub Actions" RELEASE-GIST.md
+```

json-compatibility-suite/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>io.github.simbo1905.json</groupId>
         <artifactId>json-java21-parent</artifactId>
-        <version>0.1-SNAPSHOT</version>
+        <version>0.1.0</version>
     </parent>
 
     <artifactId>json-compatibility-suite</artifactId>

json-java21-api-tracker/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>io.github.simbo1905.json</groupId>
         <artifactId>json-java21-parent</artifactId>
-        <version>0.1-SNAPSHOT</version>
+        <version>0.1.0</version>
     </parent>
 
     <artifactId>json-java21-api-tracker</artifactId>

json-java21-schema/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>io.github.simbo1905.json</groupId>
         <artifactId>json-java21-parent</artifactId>
-        <version>0.1-SNAPSHOT</version>
+        <version>0.1.0</version>
     </parent>
 
     <artifactId>json-java21-schema</artifactId>

json-java21/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>io.github.simbo1905.json</groupId>
         <artifactId>json-java21-parent</artifactId>
-        <version>0.1-SNAPSHOT</version>
+        <version>0.1.0</version>
     </parent>
 
     <artifactId>json-java21</artifactId>

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>io.github.simbo1905.json</groupId>
     <artifactId>json-java21-parent</artifactId>
-    <version>0.1-SNAPSHOT</version>
+    <version>0.1.0</version>
     <packaging>pom</packaging>
 
     <name>java.util.json Backport Parent</name>
@@ -56,6 +56,8 @@
         <maven-jar-plugin.version>3.4.2</maven-jar-plugin.version>
         <maven-install-plugin.version>3.1.2</maven-install-plugin.version>
         <download-maven-plugin.version>1.7.1</download-maven-plugin.version>
+        <!-- Ensure GPG is enabled by default for releases -->
+        <gpg.skip>false</gpg.skip>
     </properties>
 
 
@@ -123,5 +125,79 @@
                 </plugin>
             </plugins>
         </pluginManagement>
+        <!-- Inherited by all modules: attach sources/javadoc, sign, and publish via Central Portal -->
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-source-plugin</artifactId>
+                <version>3.3.0</version>
+                <executions>
+                    <execution>
+                        <id>attach-sources</id>
+                        <goals>
+                            <goal>jar-no-fork</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <version>3.5.0</version>
+                <configuration>
+                    <release>21</release>
+                    <doclint>none</doclint>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>attach-javadocs</id>
+                        <goals>
+                            <goal>jar</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-gpg-plugin</artifactId>
+                <version>3.1.0</version>
+                <executions>
+                    <execution>
+                        <id>sign-artifacts</id>
+                        <phase>verify</phase>
+                        <goals>
+                            <goal>sign</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <skip>${gpg.skip}</skip>
+                    <gpgArguments>
+                        <arg>--pinentry-mode</arg>
+                        <arg>loopback</arg>
+                    </gpgArguments>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.sonatype.central</groupId>
+                <artifactId>central-publishing-maven-plugin</artifactId>
+                <version>0.6.0</version>
+                <extensions>true</extensions>
+                <configuration>
+                    <publishingServerId>central</publishingServerId>
+                    <autoPublish>true</autoPublish>
+                    <waitUntil>published</waitUntil>
+                </configuration>
+            </plugin>
+        </plugins>
     </build>
+
+    <!-- Snapshots go to OSSRH; releases go via Central Publishing Portal -->
+    <distributionManagement>
+        <snapshotRepository>
+            <id>ossrh</id>
+            <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+        </snapshotRepository>
+    </distributionManagement>
+
 </project>