Deploy SNAPSHOT artifact to the sonatype snapshot repository

[KengoTODA]

To help the community to develop their features, it's nice to deploy artifacts to the sonatype snapshot repository. This is the first deployment, so we need cooperation from a few roles.

Let me summarize our TODOs and PICs in this issue.

TODOs

0. Make sure the version is suitable to deploy
   • In my understanding based on the doc, the first release should be 0.1, so current version 0.1.0-SNAPSHOT should be OK.
1. Decide final package name (Decide final package name #1)
2. Rename package in code and build script (Rename package and module, to prepare for install and deploy #107)
3. Decide groupId and artifactId
   • org.jspecify:annotations or org.jspecify:jspecify?
4. Create a new issue at Sonatype JIRA, to get permission to deploy
   • TBU: Which Sonatype account we use? It's possible to grant multiple accounts.
5. Add a TXT record to the jspecify.org DNS record
   • We'll be requested to add a TXT record referencing the JIRA ticket like this.
   • TBU: Who can handle this task?
6. Create a deployment task in our CD pipeline (working in deploy branch)
   • Need to be admin of this repository to add several secrets

[cpovirk]

RE: artifactId

It sounds like you may already have an idea for the groupId, then?

I went digging for guidelines on artifact and group IDs, and I found a lot:

• http://maven.apache.org/guides/mini/guide-naming-conventions.html
• https://maven.apache.org/maven-conventions.html
• https://central.sonatype.org/pages/choosing-your-coordinates.html
• https://blog.sonatype.com/2011/01/maven-tip-project-directories-and-artifact-ids/
• https://github.com/coldserenity/maven-naming-conventions#projectgroupid
• https://stackoverflow.com/q/3724415/28465
• https://stackoverflow.com/q/23172586/28465

Let's assume for the moment that our package ends up being org.jspecify.annotations.

My guess would be that artifactId:groupId would be something like:

• org.jspecify.annotations:annotations
• org.jspecify:annotations

We might look ahead to the possibility that we end up publishing an artifact of "stubs" / "external annotations" for the JDK classes. Possible Maven coordinates for that might be:

• org.jspecify.stubs:jdk-stubs
• org.jspecify:jdk-stubs
• org.jspecify.jdkstubs:jdkstubs

Do these match the kinds of names you have in mind? Do you (or others) have guidelines that you recommend?

[cpovirk]

RE: jspecify.org: We can figure out if we need some kind of approval for that internally, since it's a change from what we'd discussed during the original domain registration.

[JakeWharton]

Multiple artifacts of the same project (with the same version) generally have the same groupId. Multiple projects of the same organization generally share a groupId prefix.

[cpovirk]

Thanks, some of the guidelines seemed to be hinting at that without saying it directly.

We've talked before about releasing the JDK stubs in sync with the annotations. I think that could lead us to either release the annotations a lot (as we make tweaks to the stub) or else delay releasing the annotations for a while (to avoid releasing the annotations a lot :)) Really, though, our overall plans around the JDK stubs are not settled, so I wouldn't put too much weight on that.

[KengoTODA]

Thanks for your comments! I also think that org.jspecify is enough suitable to use as groupId.
Then groupId:artifactId will be org.jspecify:annotations.

[cpovirk]

We talked in the meeting about publishing snapshots. Some of us are worried that, if we publish them, people will use them, even if they're clearly labeled as pre-1.0 snapshots. Others are worried that, even if people don't use them, they'll still think that we're much further along in the development process than we are. (For example, they might think that we're still planning to add annotations but that the ones that already exist are finalized.)

We were interested in hearing more about your SpotBugs-jspecify work. Maybe we can find a way for you to make progress without publishing a snapshot, or maybe you can help us better appreciate how you (and likely others) are blocked without it.

[KengoTODA]

It's OK to keep the current situation, then I'll git clone & ./gradlew publishToMavenLocal in the CI build. I just don't like complexity like this.

Then I'll close this PR. Thanks! 👍