Migrate to JReleaser for publishing to Maven Central

emlun · emlun · commit 3813fee9af2a · 2025-11-28T13:33:33.000+01:00
OSSRH was shut down in mid-2025: https://central.sonatype.org/pages/ossrh-eol/ We tried at first to continue using `gradle-nexus/publish-plugin`, but that seemed to continue publishing to the old API, or possibly the [Portal OSSRH Staging API][1]; the effect was that the deployment did not seem to appear in the new [Maven Central publishing control panel][2]. The Sonatype [documentation for publishing using Gradle][3] lists JReleaser as the primary recommended plugin, so these changes migrate to using that. [1]: https://central.sonatype.org/publish/publish-portal-ossrh-staging-api/ [2]: https://central.sonatype.com/publishing [3]: https://central.sonatype.org/publish/publish-portal-gradle/
diff --git a/build.gradle b/build.gradle
@@ -4,10 +4,6 @@ buildscript {
   }
   dependencies {
     classpath 'com.cinnober.gradle:semver-git:2.5.0'
-
-    if (project.findProperty('yubicoPublish') == 'true') {
-      classpath 'io.github.gradle-nexus:publish-plugin:1.3.0'
-    }
   }
 }
 plugins {
@@ -17,14 +13,12 @@ plugins {
   // See https://docs.gradle.org/current/userguide/java_platform_plugin.html
   // See https://github.com/Yubico/java-webauthn-server/issues/93#issuecomment-822806951
   id 'project-convention-publish'
+  id 'org.jreleaser' version '1.21.0'
 }
 
 import com.yubico.gradle.GitUtils
 
-rootProject.description = "Metadata root for the com.yubico:webauthn-server-* module family"
-
 project.ext.isCiBuild = System.env.CI == 'true'
-project.ext.publishEnabled = !isCiBuild && project.findProperty('yubicoPublish') == 'true'
 
 wrapper {
   gradleVersion = '8.14.3'
@@ -67,43 +61,48 @@ allprojects {
   }
 }
 
-if (publishEnabled) {
-  apply plugin: 'io.github.gradle-nexus.publish-plugin'
-
-  nexusPublishing {
-    repositories {
-      sonatype {
-        stagingProfileId = '6c61426e6529d'
-
-        username = ossrhUsername
-        password = ossrhPassword
-      }
+task checkJavaVersionBeforeRelease {
+  doFirst {
+    if (JavaVersion.current() != JavaVersion.VERSION_17) {
+      throw new RuntimeException('Release must be built using JDK 17. Current JDK version: ' + JavaVersion.current())
     }
   }
+}
+
+allprojects {
+  tasks.withType(AbstractCompile) { shouldRunAfter checkJavaVersionBeforeRelease }
+  tasks.withType(AbstractTestTask) { shouldRunAfter checkJavaVersionBeforeRelease }
+  tasks.withType(Sign) {
+    dependsOn checkJavaVersionBeforeRelease
+  }
 
-  task checkJavaVersionBeforeRelease {
+  tasks.withType(Jar) {
     doFirst {
-      if (JavaVersion.current() != JavaVersion.VERSION_17) {
-        throw new RuntimeException('Release must be built using JDK 17. Current JDK version: ' + JavaVersion.current())
+      if (GitUtils.getGitCommit(projectDir) == null) {
+        throw new RuntimeException("Failed to get git commit ID")
       }
     }
   }
+}
 
-  allprojects {
-    tasks.withType(AbstractCompile) { shouldRunAfter checkJavaVersionBeforeRelease }
-    tasks.withType(AbstractTestTask) { shouldRunAfter checkJavaVersionBeforeRelease }
-    tasks.withType(Sign) {
-      dependsOn checkJavaVersionBeforeRelease
-    }
+task pitestMerge(type: com.yubico.gradle.pitest.tasks.PitestMergeTask)
 
-    tasks.withType(Jar) {
-      doFirst {
-        if (GitUtils.getGitCommit(projectDir) == null) {
-          throw new RuntimeException("Failed to get git commit ID")
+jreleaser {
+  signing {
+    active = 'ALWAYS'
+    mode = 'COMMAND'
+    armored = true
+    verify = false
+  }
+  deploy {
+    maven {
+      mavenCentral {
+        sonatype {
+          active = 'ALWAYS'
+          url = 'https://central.sonatype.com/api/v1/publisher'
+          stagingRepository('build/staging-deploy')
         }
       }
     }
   }
 }
-
-task pitestMerge(type: com.yubico.gradle.pitest.tasks.PitestMergeTask)
diff --git a/buildSrc/src/main/groovy/project-convention-publish.gradle b/buildSrc/src/main/groovy/project-convention-publish.gradle
@@ -1,6 +1,5 @@
 plugins {
     id "maven-publish"
-    id "signing"
 }
 
 project.group = "com.yubico"
@@ -9,50 +8,49 @@ project.tasks.withType(Sign.class) {
     it.dependsOn(check)
 }
 
-// afterEvaluate needed for project.description to be set when this evaluates
-project.afterEvaluate {
-    publishing {
-        publications {
-            jars(MavenPublication.class) {
-                project.components.forEach {
-                    from(it)
-                }
-
-                pom {
-                    name = project.name
-                    description = project.description
-                    url = "https://developers.yubico.com/java-webauthn-server/"
-
-                    developers {
-                        developer {
-                            id = "emil"
-                            name = "Emil Lundberg"
-                            email = "emil@yubico.com"
-                        }
-                    }
-
-                    licenses {
-                        license {
-                            name = "BSD-license"
-                            comments = "Revised 2-clause BSD license"
-                        }
-                    }
-
-                    scm {
-                        url = "scm:git:git://github.com/Yubico/java-webauthn-server.git"
-                        connection = "scm:git:git://github.com/Yubico/java-webauthn-server.git"
-                        developerConnection = "scm:git:ssh://git@github.com/Yubico/java-webauthn-server.git"
-                        tag = "HEAD"
-                    }
-                }
-            }
+publishing {
+  publications {
+    maven(MavenPublication) {
+      groupId = project.group
+      artifactId = project.name
+      project.components.forEach {
+        from(it)
+      }
+
+      pom {
+        name = project.name
+        description = project.description
+        url = "https://developers.yubico.com/java-webauthn-server/"
+
+        developers {
+          developer {
+            id = "emil"
+            name = "Emil Lundberg"
+            email = "emil@yubico.com"
+          }
+        }
+
+        licenses {
+          license {
+            name = "BSD-license"
+            comments = "Revised 2-clause BSD license"
+          }
         }
-    }
 
-    if (project.findProperty("yubicoPublish") == "true") {
-        signing {
-            useGpgCmd()
-            sign(publishing.publications.jars)
+        scm {
+          url = "scm:git:git://github.com/Yubico/java-webauthn-server.git"
+          connection = "scm:git:git://github.com/Yubico/java-webauthn-server.git"
+          developerConnection = "scm:git:ssh://git@github.com/Yubico/java-webauthn-server.git"
+          tag = "HEAD"
         }
+      }
     }
+  }
+
+  repositories {
+    maven {
+      url = rootProject.layout.buildDirectory.dir('staging-deploy')
+    }
+  }
+
 }
diff --git a/doc/development.md b/doc/development.md
@@ -44,17 +44,26 @@ In case of disagreement on code style, defer to the style guide.
 Setup for publishing
 ---
 
-To enable publishing to Maven Central via Sonatype Nexus,
-[generate a user token](https://central.sonatype.org/publish/generate-token/).
-Set `yubicoPublish=true` in `$HOME/.gradle/gradle.properties` and add your token
-username and password. Example:
+Generate a Sonatype user token: https://central.sonatype.com/usertoken .
+Please set an expiration date rather than unlimited validity.
 
+Set this token username and password in `$HOME/.jreleaser/config.properties`,
+along with the fingerprint of the GPG key to use for signing artifacts.
+Create the file if it does not exist.
+Example:
+
+
+<!-- These username and password values are meaningless random data, not real secrets -->
 ```properties
-yubicoPublish=true
-ossrhUsername=8pnmjKQP
-ossrhPassword=bmjuyWSIik8P3Nq/ZM2G0Xs0sHEKBg+4q4zTZ8JDDRCr
+JRELEASER_MAVENCENTRAL_USERNAME=PYgw7b
+JRELEASER_MAVENCENTRAL_PASSWORD=QxExuJ0wwfBzbXVOsaSTUTBkXH8Fa2dFo
+JRELEASER_GPG_KEYNAME=2D6753CFF0B0FB32F9EEBA485B9688125FF0B636
+JRELEASER_MAVENCENTRAL_STAGE=UPLOAD
+JRELEASER_GITHUB_TOKEN=nope
 ```
 
+JReleaser requires `JRELEASER_GITHUB_TOKEN` to be set, but the value doesn't need to be valid.
+
 
 Publishing a release
 ---
diff --git a/doc/releasing.md b/doc/releasing.md
@@ -81,12 +81,15 @@ Release candidate versions
 
     No tag body needed.
 
- 8. Publish to Sonatype Nexus:
+ 8. Publish to Sonatype Maven Central Portal:
 
     ```
-    $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
+    $ ./gradlew publish jreleaserDeploy
     ```
 
+    If this fails, check if your user token has expired and needs to be replaced.
+    See [Setup for publishing](./development.md#setup-for-publishing).
+
  9. Push the tag to GitHub:
 
     ```
@@ -208,12 +211,15 @@ Release versions
 
     No tag body needed since that's included in the commit.
 
-12. Publish to Sonatype Nexus:
+ 8. Publish to Sonatype Maven Central Portal:
 
     ```
-    $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
+    $ ./gradlew publish jreleaserDeploy
     ```
 
+    If this fails, check if your user token has expired and needs to be replaced.
+    See [Setup for publishing](./development.md#setup-for-publishing).
+
 13. Push the tag to GitHub:
 
     ```
diff --git a/gradle.properties b/gradle.properties
@@ -1,4 +1 @@
-# Required for publishing to Sonatype Nexus
-# See https://issues.sonatype.org/browse/OSSRH-54054
-# See https://docs.gradle.org/6.0.1/release-notes.html#publication-of-sha256-and-sha512-checksums
-systemProp.org.gradle.internal.publish.checksums.insecure=true
+description=Metadata root for the com.yubico:webauthn-server-* module family
diff --git a/settings.gradle.kts b/settings.gradle.kts
@@ -11,6 +11,13 @@ include(":test-dependent-projects:java-dep-webauthn-server-core-and-bouncycastle
 include(":test-dependent-projects:java-dep-yubico-util")
 include(":test-platform")
 
+pluginManagement {
+  repositories {
+    mavenLocal()
+    gradlePluginPortal()
+    mavenCentral()
+  }
+}
 dependencyResolutionManagement {
     versionCatalogs {
         create("constraintLibs") {
diff --git a/webauthn-server-attestation/build.gradle.kts b/webauthn-server-attestation/build.gradle.kts
@@ -9,8 +9,6 @@ plugins {
   `project-convention-pitest`
 }
 
-description = "Yubico WebAuthn attestation subsystem"
-
 sourceSets {
   create("integrationTest") {
     compileClasspath += sourceSets.main.get().output
diff --git a/webauthn-server-attestation/gradle.properties b/webauthn-server-attestation/gradle.properties
@@ -0,0 +1 @@
+description=Yubico WebAuthn attestation subsystem
diff --git a/webauthn-server-core/build.gradle.kts b/webauthn-server-core/build.gradle.kts
@@ -10,8 +10,6 @@ plugins {
   `project-convention-pitest`
 }
 
-description = "Yubico WebAuthn server core API"
-
 dependencies {
   api(platform(rootProject))
 
diff --git a/webauthn-server-core/gradle.properties b/webauthn-server-core/gradle.properties
@@ -0,0 +1 @@
+description=Yubico WebAuthn server core API
diff --git a/yubico-util/build.gradle.kts b/yubico-util/build.gradle.kts
@@ -10,8 +10,6 @@ plugins {
   `project-convention-pitest`
 }
 
-description = "Yubico internal utilities"
-
 dependencies {
   api(platform(rootProject))
 
diff --git a/yubico-util/gradle.properties b/yubico-util/gradle.properties
@@ -0,0 +1 @@
+description=Yubico internal utilities

Original file line number	Diff line number	Diff line change
`@@ -9,8 +9,6 @@ plugins {`
`9`	`9`	`project-convention-pitest`
`10`	`10`	`}`
`11`	`11`
`12`		`-description = "Yubico WebAuthn attestation subsystem"`
`13`		`-`
`14`	`12`	`sourceSets {`
`15`	`13`	`create("integrationTest") {`
`16`	`14`	`compileClasspath += sourceSets.main.get().output`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+description=Yubico WebAuthn attestation subsystem`
Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,6 @@ plugins {`
`10`	`10`	`project-convention-pitest`
`11`	`11`	`}`
`12`	`12`
`13`		`-description = "Yubico WebAuthn server core API"`
`14`		`-`
`15`	`13`	`dependencies {`
`16`	`14`	`api(platform(rootProject))`
`17`	`15`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+description=Yubico WebAuthn server core API`