Add maven publish workflow

Alex Wang · Alex Wang · commit 2b7f909d6bbb · 2026-03-05T11:24:29.000-08:00
diff --git a/.github/scripts/maven_publish.sh b/.github/scripts/maven_publish.sh
@@ -0,0 +1,51 @@
+
+#!/bin/bash
+# publish-maven.sh
+# Builds, signs, and publishes to Maven Central using central-publishing-maven-plugin
+set -euo pipefail
+
+SETTINGS_FILE="./settings.xml"
+
+# Auto-cleanup settings.xml on exit (success or failure)
+trap 'echo "Cleaning up settings.xml..."; rm -f "${SETTINGS_FILE}"' EXIT
+
+echo "=== Step 1: Format GPG private key ==="
+
+BEGIN_MARKER="-----BEGIN PGP PRIVATE KEY BLOCK-----"
+END_MARKER="-----END PGP PRIVATE KEY BLOCK-----"
+MIDDLE="${MVN_GPG_KEYS_GPGPRIVATEKEY#*$BEGIN_MARKER}"
+MIDDLE="${MIDDLE%$END_MARKER*}"
+
+MIDDLE=$(echo "$MIDDLE" | tr ' ' $'
+')
+
+export MAVEN_GPG_KEY="${BEGIN_MARKER}
+${MIDDLE}
+${END_MARKER}"
+
+export MAVEN_GPG_PASSPHRASE="${MVN_GPG_KEYS_GPGPASSPHRASE}"
+
+echo "=== Step 2: Write minimal settings.xml ==="
+cat > "${SETTINGS_FILE}" <<EOF
+<settings>
+  <servers>
+    <server>
+      <id>central</id>
+      <username>${MVN_ACCOUNT_KEYS_USERNAME}</username>
+      <password>${MVN_ACCOUNT_KEYS_PASSWORD}</password>
+    </server>
+  </servers>
+</settings>
+EOF
+
+echo "settings.xml written."
+
+echo "=== Step 3: Build artifacts ==="
+mvn clean install -q -Dlog4j2.level=WARN -Dlog4j.configurationFile=log4j2-quiet.xml --no-transfer-progress
+
+echo "=== Step 4: Deploy to Maven Central ==="
+
+mvn clean deploy -s "${SETTINGS_FILE}" -pl sdk -P publishing -DskipTests --no-transfer-progress
+mvn clean deploy -s "${SETTINGS_FILE}" -pl sdk-testing -P publishing -DskipTests --no-transfer-progress
+
+echo "=== Release ${RELEASE_VERSION} published successfully! ==="
diff --git a/.github/workflows/release_maven.yml b/.github/workflows/release_maven.yml
@@ -0,0 +1,93 @@
+
+name: Maven Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: 'Release version (e.g. 1.2.0)'
+        required: true
+        type: string
+      next_version:
+        description: 'Next development version (e.g. 1.3.0-SNAPSHOT)'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+  id-token: write
+
+env:
+  AWS_REGION: us-west-2
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+  
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'corretto'
+          cache: maven
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: "${{ secrets.ACTIONS_MVN_ROLE_NAME }}"
+          role-session-name: mavenreleasesession
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Set release version
+        run: mvn -q versions:set -DnewVersion=${{ github.event.inputs.release_version }} -DgenerateBackupPoms=false
+
+      - name: Commit release version
+        run: |
+          git config user.email "${{ github.actor }}+github-actions[bot]@users.noreply.github.com"
+          git config user.name "${{ github.actor }}+github-actions[bot]"
+          git add .
+          git commit -m "chore: release version ${{ github.event.inputs.release_version }}"
+      
+      - name: Push changes
+        uses: ad-m/github-push-action@master
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ github.event.inputs.release_version }}
+          name: Release v${{ github.event.inputs.release_version }}
+          generate_release_notes: true
+      
+      - name: Get Env variables
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+            secret-ids: |
+                mvn_gpg_keys
+                mvn_account_keys
+            parse-json-secrets: true
+          
+      - name: Sign and publish
+        run: bash .github/scripts/maven_publish.sh
+        env:
+          RELEASE_VERSION: ${{ github.event.inputs.release_version }}
+
+      - name: Set next development version
+        run: mvn -q versions:set -DnewVersion=${{ github.event.inputs.next_version }} -DgenerateBackupPoms=false
+
+      - name: Commit release version
+        run: |
+          git add .
+          git commit -m "chore: bump version to ${{ github.event.inputs.next_version }}"
+      
+      - name: Push changes
+        uses: ad-m/github-push-action@master
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -26,6 +26,7 @@ buildNumber.properties
 # Local testing
 
 .durable-executions-local
+.env
 
 # OS
 .DS_Store
diff --git a/pom.xml b/pom.xml
@@ -238,6 +238,9 @@
                                 <goals>
                                     <goal>sign</goal>
                                 </goals>
+                                <configuration>
+                                    <signer>bc</signer>
+                                </configuration>
                             </execution>
                         </executions>
                     </plugin>
