added workflow to publish to maven central #102

Open
xgp wants to merge 1 commit into Metatavu:develop from p2-inc:maven-central

@xgp
Contributor

@xgp xgp commented May 13, 2026

Maven Central Publishing Setup

Fixes #21

Adds a GitHub Actions workflow and Gradle config to publish the jar to Maven Central via the new Central Portal (OSSRH was retired on 2025-06-30).

Files changed

  • build.gradle.kts — added the com.vanniktech.maven.publish plugin (v0.30.0), full POM metadata, conditional in-memory PGP signing, and Central Portal config.
  • .github/workflows/publish-maven-central.yaml — new workflow that triggers on release: published (and workflow_dispatch), runs ./gradlew publishAndReleaseToMavenCentral to bundle the staging dir and upload it through the Central Portal API with auto-release.

Key design choices

  • Used com.vanniktech.maven.publish — Sonatype still has no official Gradle plugin for the Central Portal, and this is the most widely used community plugin.
  • SonatypeHost.CENTRAL_PORTAL + automaticRelease = true so deployments don't sit pending manual approval at central.sonatype.com.
  • Signing is conditional on env vars being present — this prevents the existing master-publish-docker-image.yaml workflow (which runs the broader ./gradlew publish) from failing when GPG keys aren't available. Verified via --dry-run that the existing workflow still works (Maven Central tasks just write to a local staging dir without creds).
  • --no-configuration-cache on the publish step since the project has config cache enabled globally and signing tasks don't always play well with it.

Required GitHub Actions secrets

| Secret | What it is | How to get it |
|---|---|---|
| MAVEN_CENTRAL_USERNAME | User token username (not portal login) | central.sonatype.com → avatar → View Account → Generate User Token |
| MAVEN_CENTRAL_PASSWORD | User token password | Same screen as above (shown only once) |
| MAVEN_GPG_PRIVATE_KEY | ASCII-armored GPG private key | gpg --export-secret-keys --armor <KEY_ID> — paste the entire -----BEGIN PGP PRIVATE KEY BLOCK----- block |
| MAVEN_GPG_KEY_ID | Last 8 hex chars of the GPG key ID | gpg --list-secret-keys --keyid-format=short |
| MAVEN_GPG_PASSPHRASE | Passphrase protecting the GPG key | The one set when generating the key |

GITHUB_TOKEN is auto-provided.

One-time prerequisites outside the repo

  1. Register & verify the namespace at central.sonatype.com. The current group fi.metatavu.keycloak.scim.server requires control of fi.metatavu.
  2. Publish the GPG public key so Central can verify signatures:
     gpg --keyserver keyserver.ubuntu.com --send-keys <KEY_ID>
     gpg --keyserver keys.openpgp.org --send-keys <KEY_ID>
  3. Release flow: when a GitHub Release is published (already produced by master-publish-docker-image.yaml), this workflow fires automatically and uses the tag (with leading v stripped) as the version. Manual runs are also supported via workflow_dispatch.
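
Since the description above makes signing conditional on its env vars being present, a release job can check the secrets and the tag-derived version up front and stop before publishing. The following is an added example, not part of this PR or the project's code; the function names are hypothetical, and the rule that versions are dotted numbers with no pre-release suffix is an assumption.

```sh
#!/bin/sh
# Added example: fail-closed pre-flight for the release job (POSIX sh).
# Function names are hypothetical; variable names are the secrets in the PR's table.

# Turn a release tag into the publish version: strip one leading "v", then
# accept only dotted numeric versions (assumption: no pre-release suffixes).
version_from_tag() (
  v=${1:-}
  v=${v#v}
  case $v in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # empty, stray characters, misplaced dots
    *.*) printf '%s\n' "$v" ;;
    *) exit 1 ;;                          # a bare number is not a version
  esac
)

# Succeed only if every secret is set and the GPG values are well-formed.
# Messages name the variable, never its value.
check_release_secrets() (
  rc=0
  for name in MAVEN_CENTRAL_USERNAME MAVEN_CENTRAL_PASSWORD \
              MAVEN_GPG_PRIVATE_KEY MAVEN_GPG_KEY_ID MAVEN_GPG_PASSPHRASE; do
    eval "val=\${$name:-}"               # names are the fixed literals above
    [ -n "$val" ] || { echo "missing secret: $name" >&2; rc=1; }
  done
  id=${MAVEN_GPG_KEY_ID:-}
  case $id in
    '') ;;                                # already reported as missing
    *[!0-9A-Fa-f]*) echo "MAVEN_GPG_KEY_ID: not hexadecimal" >&2; rc=1 ;;
    *) [ "${#id}" -eq 8 ] || { echo "MAVEN_GPG_KEY_ID: expected 8 characters" >&2; rc=1; } ;;
  esac
  case ${MAVEN_GPG_PRIVATE_KEY:-} in
    '') ;;
    "-----BEGIN PGP PRIVATE KEY BLOCK-----"*"-----END PGP PRIVATE KEY BLOCK-----"*) ;;
    *) echo "MAVEN_GPG_PRIVATE_KEY: incomplete armored block" >&2; rc=1 ;;
  esac
  exit "$rc"
)
```

Run both functions in a step before the publish task, with the secrets mapped into that step's environment, so a misconfigured release stops with a message naming the variable at fault.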

@xgp xgp mentioned this pull request May 13, 2026
@nicolamacoir
Contributor

@xgp great, thanks for this contribution! 🚀

@anttileppa could you please help us set this up as the steps explained above? 🙏

@nicolamacoir
Contributor

Hi @anttileppa
Can you please help us here? Would be great to merge this and to include this in the next 1.6.0 release.

@xgp
Contributor Author

xgp commented Jun 1, 2026

In case the Maven Central stuff is too heavy of a lift, I already started publishing it under our groupId (io.phasetwo.keycloak) so we could release it in our image.

https://central.sonatype.com/artifact/io.phasetwo.keycloak/keycloak-scim-server

It uses this action to publish a dot release for every push to develop in this repo.

If you'd prefer, you can just direct people to use it from maven like this:

<dependency>
    <groupId>io.phasetwo.keycloak</groupId>
    <artifactId>keycloak-scim-server</artifactId>
    <version>1.5.0.4</version>
</dependency>


Development

Successfully merging this pull request may close these issues.

Publish to Maven Central