wip: isolate signing/publishing under -P release; fix workflow to use it

Author: simbo1905

.github/workflows/release-on-tag.yml

@@ -40,12 +40,15 @@ jobs:
           tag_name: ${{ github.ref_name }}
           generate_release_notes: true
 
-      - name: Build and Deploy to Central
+      - name: Build and Deploy to Central (release profile)
         env:
           CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
           CENTRAL_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
         run: |
-          mvn -B -ntp -Dgpg.passphrase="${{ secrets.GPG_PASSPHRASE }}" clean deploy
+          mvn -B -ntp \
+            -Dgpg.passphrase="${{ secrets.GPG_PASSPHRASE }}" \
+            -Dgpg.keyname="${{ secrets.GPG_KEYNAME }}" \
+            -P release clean deploy
 
       - name: Configure Git identity
         run: |

AGENTS.md

@@ -84,7 +84,7 @@ Automated Release (preferred)
 - Push a tag named `release/X.Y.Z` (semver, no leading `v`).
 - The workflow `.github/workflows/release-on-tag.yml` will:
   - Create a GitHub Release for that tag with autogenerated notes.
-  - Build and deploy artifacts to Maven Central (Central Publishing plugin). Uses `-Dgpg.passphrase=${{ secrets.GPG_PASSPHRASE }}` for signing.
+  - Build and deploy artifacts to Maven Central with `-P release` (Central Publishing plugin). Uses `-Dgpg.passphrase=${{ secrets.GPG_PASSPHRASE }}` and `-Dgpg.keyname=${{ secrets.GPG_KEYNAME }}` for signing.
   - Create a branch `release-bot-YYYYMMDD-HHMMSS` at the tagged commit and open a PR back to `main` (no version bumps).
 
 Manual Release (local)
@@ -107,7 +107,7 @@ Notes
 
 Secrets Helper
 - Use `./scripts/setup-release-secrets.zsh` to set GitHub Actions secrets (`CENTRAL_USERNAME`, `CENTRAL_PASSWORD`, `GPG_PRIVATE_KEY`, `GPG_PASSPHRASE`).
-- The script can auto-detect a signing key if neither `GPG_KEY_ID` nor `GPG_PRIVATE_KEY` is provided.
+- The script can auto-detect a signing key if neither `GPG_KEY_ID` nor `GPG_PRIVATE_KEY` is provided, and sets `GPG_KEYNAME` (fingerprint) for CI.
 - List keys explicitly with: `gpg --list-secret-keys --keyid-format=long`.
 
 ## Python Usage (Herodoc, 3.2-safe)

RELEASE-GIST.md

@@ -35,11 +35,15 @@ jobs:
         with:
           tag_name: ${{ github.ref_name }}
           generate_release_notes: true
-      - name: Build and Deploy to Central
+      - name: Build and Deploy to Central (release profile)
         env:
           CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
           CENTRAL_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
-        run: mvn -B -ntp -Dgpg.passphrase="${{ secrets.GPG_PASSPHRASE }}" clean deploy
+        run: |
+          mvn -B -ntp \
+            -Dgpg.passphrase="${{ secrets.GPG_PASSPHRASE }}" \
+            -Dgpg.keyname="${{ secrets.GPG_KEYNAME }}" \
+            -P release clean deploy
       - name: Configure Git identity
         run: |
           git config user.name "github-actions[bot]"
@@ -61,6 +65,7 @@ jobs:
 
 - CENTRAL_USERNAME, CENTRAL_PASSWORD (Central Portal token)
 - GPG_PRIVATE_KEY (ASCII-armored secret key), GPG_PASSPHRASE
+- GPG_KEYNAME (fingerprint of the signing key; set by helper script)
 
 zsh helper (uses gh, gpg) — auto-detects a signing key if not provided:
 

pom.xml

@@ -56,8 +56,6 @@
         <maven-jar-plugin.version>3.4.2</maven-jar-plugin.version>
         <maven-install-plugin.version>3.1.2</maven-install-plugin.version>
         <download-maven-plugin.version>1.7.1</download-maven-plugin.version>
-        <!-- Ensure GPG is enabled by default for releases -->
-        <gpg.skip>false</gpg.skip>
     </properties>
 
 
@@ -157,38 +155,7 @@
                     </execution>
                 </executions>
             </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-gpg-plugin</artifactId>
-                <version>3.1.0</version>
-                <executions>
-                    <execution>
-                        <id>sign-artifacts</id>
-                        <phase>verify</phase>
-                        <goals>
-                            <goal>sign</goal>
-                        </goals>
-                    </execution>
-                </executions>
-                <configuration>
-                    <skip>${gpg.skip}</skip>
-                    <gpgArguments>
-                        <arg>--pinentry-mode</arg>
-                        <arg>loopback</arg>
-                    </gpgArguments>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.sonatype.central</groupId>
-                <artifactId>central-publishing-maven-plugin</artifactId>
-                <version>0.6.0</version>
-                <extensions>true</extensions>
-                <configuration>
-                    <publishingServerId>central</publishingServerId>
-                    <autoPublish>true</autoPublish>
-                    <waitUntil>published</waitUntil>
-                </configuration>
-            </plugin>
+            
         </plugins>
     </build>
 
@@ -200,4 +167,45 @@
         </snapshotRepository>
     </distributionManagement>
 
+    <profiles>
+        <profile>
+            <id>release</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-gpg-plugin</artifactId>
+                        <version>3.1.0</version>
+                        <executions>
+                            <execution>
+                                <id>sign-artifacts</id>
+                                <phase>verify</phase>
+                                <goals>
+                                    <goal>sign</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                        <configuration>
+                            <gpgArguments>
+                                <arg>--pinentry-mode</arg>
+                                <arg>loopback</arg>
+                            </gpgArguments>
+                        </configuration>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.sonatype.central</groupId>
+                        <artifactId>central-publishing-maven-plugin</artifactId>
+                        <version>0.6.0</version>
+                        <extensions>true</extensions>
+                        <configuration>
+                            <publishingServerId>central</publishingServerId>
+                            <autoPublish>true</autoPublish>
+                            <waitUntil>published</waitUntil>
+                        </configuration>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+
 </project>