From 57499429dbe41ae07172dc5253bf93ee37eb790a Mon Sep 17 00:00:00 2001 From: Kewyn Akshlley Date: Thu, 2 Apr 2026 01:34:47 -0300 Subject: [PATCH 1/3] ci: automate Maven Central publishing with GitHub Actions --- .github/workflows/release.yml | 35 +++++++++++++++++++++++++++++++++++ .gitignore | 7 +++++++ build.gradle | 13 ++++++++++--- gradle.properties | 8 +------- 4 files changed, 53 insertions(+), 10 deletions(-) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..3fc8f77 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,35 @@ +name: Publish to Maven Central + +on: + release: + types: [created] + +jobs: + publish: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Java + uses: actions/setup-java@v4 + with: + java-version: '11' + distribution: 'temurin' + + - name: Setup Gradle + uses: gradle/actions/setup-gradle@v3 + + - name: Decode GPG key + run: echo "${{ secrets.GPG_PRIVATE_KEY }}" | base64 -d > /tmp/secring.gpg + + - name: Run tests + run: ./gradlew test + + - name: Publish to Maven Central + run: ./gradlew publish + env: + SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} + SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} + SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }} + SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} diff --git a/.gitignore b/.gitignore index 06eef8f..8bc87d7 100644 --- a/.gitignore +++ b/.gitignore @@ -34,3 +34,10 @@ out/ # Compiled files /bin/ /target/ + +# Sensitive files - NEVER commit these +*.gpg +*.asc +secring.* +gradle.properties.local +local.properties diff --git a/build.gradle b/build.gradle index 19cd5ac..ea1f65d 100644 --- a/build.gradle +++ b/build.gradle 
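Review bot: The three `uses:` lines in the `publish` job reference actions by mutable tag (`actions/checkout@v4`, `actions/setup-java@v4`, `gradle/actions/setup-gradle@v3`), and the same job later receives the Sonatype credentials and the GPG signing key. A moved tag or a compromised action release would then run next to those secrets. Pinning each reference to a full commit SHA, with the tag kept as a trailing comment, removes that dependency on tag integrity, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder; take the SHA from the action's release page). It may also be worth binding the job to a protected `environment:` so that the publishing secrets are only released after approval.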
@@ -87,17 +87,24 @@ publishing { } repositories { maven { - name = 'ossrh-staging-api' + name = 'central' url = uri("https://ossrh-staging-api.central.sonatype.com/service/local/staging/deploy/maven2/") credentials { - username = USERNAME - password = PASSWORD + username = System.getenv('SONATYPE_USERNAME') ?: '' + password = System.getenv('SONATYPE_PASSWORD') ?: '' } } } } signing { + def signingKeyId = System.getenv('SIGNING_KEY_ID') + def signingKey = System.getenv('GPG_PRIVATE_KEY') + def signingPassword = System.getenv('SIGNING_PASSWORD') + + if (signingKey) { + useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword) + } sign publishing.publications.mavenJava } diff --git a/gradle.properties b/gradle.properties index 8d5c263..36b8e68 100644 --- a/gradle.properties +++ b/gradle.properties @@ -18,10 +18,4 @@ POM_ARTIFACT_ID=resend-java POM_PACKAGING=jar POM_ORGANIZATION_URL=https://resend.com -VENDOR_NAME=Resend. (https://resend.com) -USERNAME=${System.env.USERNAME} -PASSWORD=${System.env.PASSWORD} - -signing.keyId=${System.env.signing.keyId} -signing.password=${System.env.signing.password} -signing.secretKeyRingFile=${System.env.signing.secretKeyRingFile} \ No newline at end of file +VENDOR_NAME=Resend. (https://resend.com) \ No newline at end of file From ae3d1268dc8ac9f40bff6f3750aa7765b81279bd Mon Sep 17 00:00:00 2001 From: Kewyn Akshlley Date: Thu, 2 Apr 2026 08:13:55 -0300 Subject: [PATCH 2/3] Potential fix for code scanning alert no. 2: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3fc8f77..cb8484c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,5 +1,8 @@ name: Publish to Maven Central +permissions: + contents: read + on: release: types: [created] 
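Review bot: `useInMemoryPgpKeys` in the `signing` block expects the ASCII-armored private key text, but the workflow added in this same patch pipes the same `GPG_PRIVATE_KEY` secret through `base64 -d`, so the two consumers disagree about how the secret is encoded. I would state the expected format next to the lookup, e.g. `// GPG_PRIVATE_KEY: ASCII-armored secret key (gpg --armor --export-secret-keys), not base64 of a binary keyring`. Also, `sign publishing.publications.mavenJava` stays unconditional while the key setup is guarded by `if (signingKey)`, so with the variable unset the build will presumably fail for lack of a signatory rather than publish unsigned; that is the safe direction, but a comment should say it is intended. The `?: ''` fallbacks on `username` and `password` likewise turn a missing secret into an authentication error at upload time instead of an early, clearly named failure. The `publishing` block begins outside this hunk.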
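Review bot: The `permissions:` block added above `on:` may not be present in the final tree, because patch 3/3 of this series lists `3fc8f77` as the pre-image of release.yml. That is the blob created in 1/3, not `cb8484c` produced by this commit, so 3/3 appears to be based on a tree without this change. Please confirm that the merged workflow still contains `permissions:` with `contents: read`. A short comment such as `# publish only reads the repository; Maven Central auth uses the Sonatype secrets` would also record why the token is read-only.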
From 55f12a8041ebfc697ad150fece5239efc41636ce Mon Sep 17 00:00:00 2001 From: Kewyn Akshlley Date: Tue, 7 Apr 2026 14:58:29 -0300 Subject: [PATCH 3/3] feat: use useInMemoryPgpKeys instead of writing the secret to disk --- .github/workflows/release.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3fc8f77..271b030 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,9 +19,6 @@ jobs: - name: Setup Gradle uses: gradle/actions/setup-gradle@v3 - - name: Decode GPG key - run: echo "${{ secrets.GPG_PRIVATE_KEY }}" | base64 -d > /tmp/secring.gpg - - name: Run tests run: ./gradlew test