Add Android Maven Central publishing channel (com.contentful.java:optimization-android) #299

Merged: Alex Freas (akfreas) merged 17 commits into main from NT-3269-create-android-distribution-channel on May 30, 2026

@akfreas
Collaborator

What

Adds a Maven Central publishing channel for the Android library, mirroring the Swift/SPM setup (#292). Consumers add one line — implementation("com.contentful.java:optimization-android:<version>") — instead of a local Gradle composite-include.

Coordinate: com.contentful.java:optimization-android — reuses Contentful's existing, already-verified Maven Central namespace (com.contentful.java, which holds java-sdk/cma-sdk), so no new namespace registration or DNS verification is needed. Host is the Sonatype Central Portal via the com.vanniktech.maven.publish plugin. The release runs in parallel with the Swift package off the same release: published event.

Changes

  • Standalone build: settings.gradle.kts now pins plugin versions (AGP 8.7.3 / Kotlin 2.3.20 / vanniktech 0.30.0) and fixes the invalid dependencyResolution {} block → dependencyResolutionManagement {}, so the module builds on its own (not only inside the demo's composite build). Adds a pinned Gradle wrapper (8.10.2) + gradlew.bat.
  • Publishing config: build.gradle.kts gets group/version (from -Pcontentful.optimization.version / RELEASE_VERSION), the vanniktech mavenPublishing {} block (single release variant + sources + javadoc), Central Portal target, and a full POM. Signing is applied only when a key is present, so local smoke tests need no GPG.
  • Release workflow (.github/workflows/publish-android.yaml): on a v* release (or workflow_dispatch), builds the JS bridge, then publishAndReleaseToMavenCentral. Credentials come from GitHub Actions secrets (see below).
  • CI guard — a new android_library path filter + android-library-build job runs publishToMavenLocal on PRs touching the module, catching packaging breaks (no Central access needed).
  • Credential script: scripts/setup-maven-central-credential.sh provisions and self-verifies everything (details for the runner below).
  • Demo migration (separate repo, optimization-android-demo) — switched from the composite-include to consuming the Maven artifact, reflecting how a real developer integrates the SDK.

Verification (done locally)

  • ./gradlew publishToMavenLocal produces the full artifact set (.aar + -sources.jar + -javadoc.jar + .pom + .module); the AAR bundles the JS bridge and the POM declares deps (incl. the new recyclerview from Android XML Views reference implementation + shared E2E matrix #286).
  • The demo app builds against the packaged artifact (com.contentful.java:optimization-android:0.0.0-local from mavenLocal()), with the bridge ending up in the APK — proving the package works in a real app.
  • vanniktech 0.30.0 is pinned deliberately: 0.36.0 requires AGP 8.13+, which this repo isn't on yet.

⚠️ Action required before the first release — run the credential setup script

Maven Central publishing needs five GitHub Actions secrets on contentful/optimization. They're not set yet (pending IT granting Central Portal access). A maintainer must run the provisioning script once:

scripts/setup-maven-central-credential.sh

Who can run it: someone who (a) has been granted access to the Contentful Central Portal account that owns the com.contentful.java namespace, and (b) can set Actions secrets on contentful/optimization (admin, or a role that includes secrets).

Prerequisites on your machine: gh (logged in via gh auth login), gpg, curl, base64.

What it does (and prompts you for):

  1. Checks prerequisites and that you can manage Actions secrets on the repo.
  2. Generates an rsa4096 GPG signing key (or reuses an existing one for Contentful Optimization <mobile@contentful.com>) and publishes its public half to keyserver.ubuntu.com and keys.openpgp.org (Maven Central validates signatures against these).
  3. Prompts you for a Central Portal user token — generate it first at https://central.sonatype.com → Account → Generate User Token (it's shown once; the script reads the password without echoing).
  4. Stores five secrets via gh secret set:
    • MAVEN_CENTRAL_USERNAME, MAVEN_CENTRAL_PASSWORD (the user token)
    • MAVEN_SIGNING_KEY (armored private key), MAVEN_SIGNING_KEY_ID, MAVEN_SIGNING_PASSWORD
  5. Self-verifies: every secret exists, the token actually authenticates against the Central Portal API (a read-only probe — fails loudly on 401/403), and the public key is retrievable from a keyserver. It prints PASS/FAIL per check and is safe to re-run (idempotent).

Keep the GPG key + its passphrase somewhere durable (e.g. the team password manager). The key expires in 2 years — note a rotation reminder, or CI publishing will silently start failing then.

After the secrets are set — first release

  1. Trigger a dry run: Actions → Publish Android Library → Run workflow against an existing tag (workflow_dispatch), or cut a v* GitHub Release (which fires both the Swift and Android publish workflows).
  2. Confirm com.contentful.java:optimization-android:<version> appears on the Central Portal and resolves from mavenCentral().
  3. In optimization-android-demo, drop mavenLocal() from settings.gradle.kts and bump the dependency from 0.0.0-local to the released version.

🤖 Generated with Claude Code
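
The rotation reminder asked for in the description above can be automated. The following is an added example, not part of this PR or the repository: a shell check that reads gpg's colon-delimited key listing and fails while the signing key is inside a warning window. The function names, the 30-day window, the CI wiring in the trailing comment and the sample key are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): warn before the signing key expires.
# Input is `gpg --list-keys --with-colons` output; on pub/sec records
# field 5 is the long key ID and field 7 the expiry in epoch seconds
# (empty means the key never expires). Assumes GnuPG 2.x date format.

# key_days_left KEY_ID NOW_EPOCH   (colon listing on stdin)
# Prints whole days until expiry (negative if expired) or "never".
# Exit status 2 when no primary key ID ends with KEY_ID.
key_days_left() {
  awk -F: -v id="$1" -v now="$2" '
    ($1 == "pub" || $1 == "sec") && toupper($5) ~ (toupper(id) "$") {
      found = 1
      if ($7 == "") print "never"
      else printf "%d\n", int(($7 - now) / 86400)
      exit
    }
    END { if (!found) exit 2 }
  '
}

# check_signing_key KEY_ID NOW_EPOCH MIN_DAYS   (colon listing on stdin)
# Returns 0 if the key has at least MIN_DAYS left, 1 if it is expired or
# inside the warning window, 2 if the key is not in the listing.
check_signing_key() {
  days=$(key_days_left "$1" "$2") || return 2
  [ "$days" = "never" ] && return 0
  [ "$days" -ge "$3" ]
}

# Constructed sample listing: fake key ID, created at 1780000000 with a
# 730-day (2-year) lifetime, so it expires at 1843072000.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1780000000:1843072000::u:::scESC::::::23::0:
uid:u::::1780000000::0000::Contentful Optimization <mobile@contentful.com>::::::::::0:'

# In a scheduled CI job (hypothetical wiring, key already imported):
#   gpg --list-keys --with-colons |
#     check_signing_key "$MAVEN_SIGNING_KEY_ID" "$(date +%s)" 30 ||
#     { echo "signing key missing or expiring soon" >&2; exit 1; }
```

Running this on a schedule, rather than only at release time, surfaces the expiry while there is still time to rotate the key and update the MAVEN_SIGNING_* secrets.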

wiz-inc-38d59fb8d7 Bot commented May 30, 2026

Wiz Scan Summary

| Scanner | Findings |
| --- | --- |
| Vulnerabilities | - |
| Sensitive Data | - |
| Secrets | - |
| IaC Misconfigurations | 1 Low |
| SAST Findings | - |
| Software Management Findings | - |
| Total | 1 Low |


@akfreas Alex Freas (akfreas) merged commit e2d632a into main May 30, 2026
40 checks passed
@akfreas Alex Freas (akfreas) deleted the NT-3269-create-android-distribution-channel branch May 30, 2026 12:31