ci(build): automate Maven Central release with AWS OIDC#23
Merged
Revert "[maven-release-plugin] prepare for next development iteration" and "[maven-release-plugin] prepare release 1.2.2", which were created by a local mvn release:prepare dry-run while validating the new workflow. The 1.2.2 tag was never pushed and no 1.2.2 artifact was published, so keeping the version-bump commits on the branch would leave main claiming a 1.2.2 release that did not happen.
- Add `-N` to `mvn help:evaluate` so it runs only against the parent POM. Without it, Maven recurses into core and examples and `forceStdout` prints the version once per module, producing multi-line output that fails both the SNAPSHOT check and the tag-equality check.
- Rewrite the "Publish to Maven Central" section in the release README. The workflow no longer uses `workflow_dispatch` with inputs; it triggers on a `*.*.*` tag push and does not push commits or tags.
ideoma previously approved these changes (May 18, 2026)
ideoma approved these changes (May 18, 2026)
Automates publication of `org.questdb:questdb-client` to Maven Central. A tag matching `X.Y.Z` triggers a GitHub Actions workflow that assumes an AWS IAM role via OIDC, fetches GPG and Sonatype credentials from AWS Secrets Manager, verifies the tag matches the POM version, then signs and publishes through the Sonatype Central Portal.

The release runbook lives in `artifacts/release/README.md`.

Required configuration

Before the first release, the following must exist on the repository.

Repository variables:
- `MAVEN_RELEASE_AWS_REGION` — AWS region of the release secret.

Repository secrets:
- `MAVEN_RELEASE_AWS_ROLE_ARN` — IAM role assumed via OIDC; must trust the GitHub OIDC provider for this repo and grant `secretsmanager:GetSecretValue` on the secret below.
- `MAVEN_RELEASE_AWS_SECRET_ARN` — ARN of the AWS Secrets Manager entry holding the release credentials.

GitHub environment: `maven-release`

AWS Secrets Manager entry (JSON at `MAVEN_RELEASE_AWS_SECRET_ARN`) with keys:
- `MAVEN_GPG_PRIVATE_KEY` — ASCII-armored GPG signing key.
- `MAVEN_GPG_PASSPHRASE` — passphrase for the signing key.
- `MAVEN_CENTRAL_USERNAME` — Sonatype Central Portal user token name.
- `MAVEN_CENTRAL_PASSWORD` — Sonatype Central Portal user token value.
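The pre-publish gate this PR describes (the pushed tag must equal the POM version, the version must not be a SNAPSHOT) and the failure mode the commit message fixes (multi-line `help:evaluate` output when `-N` is missing) can be exercised offline with the following shell function. This is an added example, not the PR's workflow code: the function name `check_release_version`, the `evaluate_pom_version` wrapper, the strict `X.Y.Z` pattern (stricter than the `*.*.*` tag trigger glob), and the sample inputs are all assumptions or constructed values; the `-Dexpression=project.version -q -DforceStdout` flags are the usual ones for printing a POM version and are assumed here.

```shell
#!/bin/sh
# Added example (not from the PR). Validates the version string that the
# release workflow reads from the parent POM against the pushed release tag.
set -u

# Assumed wrapper around the Maven call the commit message refers to. Needs a
# real Maven project, so the checks below are tested with constructed strings.
evaluate_pom_version() {
  # -N keeps Maven on the parent POM; without it every child module prints
  # its own version line and the single-line checks below fail.
  mvn -N -q help:evaluate -Dexpression=project.version -DforceStdout
}

# check_release_version VERSION_OUTPUT TAG
#   Returns 0 only when VERSION_OUTPUT is exactly one line, looks like X.Y.Z,
#   is not a SNAPSHOT, and equals TAG. Returns 1 with a reason on stderr otherwise.
check_release_version() {
  output="$1"
  tag="$2"
  nl='
'
  # Multi-line output means help:evaluate recursed into child modules.
  case "$output" in
    *"$nl"*)
      echo "version output is not a single line (was help:evaluate run without -N?)" >&2
      return 1 ;;
  esac
  # Never publish a development version as a release.
  case "$output" in
    *-SNAPSHOT)
      echo "refusing to release SNAPSHOT version $output" >&2
      return 1 ;;
  esac
  # The *.*.* tag trigger glob is looser than X.Y.Z, so pin the shape here.
  if ! printf '%s\n' "$output" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "POM version $output is not of the form X.Y.Z" >&2
    return 1
  fi
  # The artifact version must be exactly what the tag claims (no v prefix).
  if [ "$output" != "$tag" ]; then
    echo "tag $tag does not match POM version $output" >&2
    return 1
  fi
  return 0
}

# Stand-alone usage: pass the evaluated version and the tag, e.g. from
# GITHUB_REF_NAME in the workflow.
#   check_release_version "$(evaluate_pom_version)" "$GITHUB_REF_NAME"
```

Wiring this in as a step before the signing and publish steps keeps a mismatched or multi-module output from reaching Sonatype: the check fails closed on any deviation, and the stderr message says which invariant broke.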