Use ossrh-staging-api releases for Maven Central credential check (#10942)

sarahchen6 · devflow.devflow-routing-intake · web-flow · commit ef62d3a20f92 · 2026-03-23T20:29:26.000Z
Use ossrh-staging-api releases for Maven Central credential check

Temporarily comment out job rules for testing

Use bad credentials and except failure

Revert testing changes

Co-authored-by: devflow.devflow-routing-intake &lt;devflow.devflow-routing-intake@kubernetes.us1.ddbuild.io&gt;
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -222,18 +222,24 @@ maven-central-pre-release-check:
   image: ${BUILDER_IMAGE_REPO}:${BUILDER_IMAGE_VERSION_PREFIX}base
   stage: .pre
   rules:
+    - if: '$CI_COMMIT_BRANCH == "master"'
+      when: on_success
+      allow_failure: false
     - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/'
       when: on_success
       allow_failure: false
   script:
     - |
       MAVEN_CENTRAL_USERNAME=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.central_username --with-decryption --query "Parameter.Value" --out text)
       MAVEN_CENTRAL_PASSWORD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-trace-java.central_password --with-decryption --query "Parameter.Value" --out text)
-      # See https://central.sonatype.org/publish/publish-portal-api/
-      # 15e0cbbb-deff-421e-9e02-296a24d0cada is deployment, any deployment id listed in central  work, the idea is to check whether the token can authenticate
-      curl --request POST --include --fail https://central.sonatype.com/api/v1/publisher/status?id=15e0cbbb-deff-421e-9e02-296a24d0cada --header "Authorization: Bearer $(printf "$MAVEN_CENTRAL_USERNAME:$MAVEN_CENTRAL_PASSWORD" | base64)"
-      if [ $? -ne 0 ]; then
-        echo "Failed to authenticate against central. Check credentials, see https://datadoghq.atlassian.net/wiki/x/Oog5OgE"
+      # See https://central.sonatype.org/publish/publish-portal-ossrh-staging-api/
+      # Use the staging API search endpoint to validate the tokens without relying on a specific deployment
+      AUTHORIZATION_HEADER="Authorization: Bearer $(printf '%s:%s' "$MAVEN_CENTRAL_USERNAME" "$MAVEN_CENTRAL_PASSWORD" | base64)"
+      if ! curl --silent --show-error --fail \
+        "https://ossrh-staging-api.central.sonatype.com/manual/search/repositories?ip=any" \
+        --header "$AUTHORIZATION_HEADER" \
+        > /dev/null; then
+        echo "Failed to authenticate tokens against maven central staging API. Check credentials and see https://datadoghq.atlassian.net/wiki/x/Oog5OgE"
         exit 1
       fi
 
