Skip to content

Update Maven configuration for Central Repository publishing#116

Merged
bernardladenthin merged 4 commits into
mainfrom
claude/sonatype-nexus-release-arU2q
May 10, 2026
Merged

Update Maven configuration for Central Repository publishing#116
bernardladenthin merged 4 commits into
mainfrom
claude/sonatype-nexus-release-arU2q

Conversation

@bernardladenthin

Copy link
Copy Markdown
Owner

Summary

This PR updates the Maven build configuration to use the new Sonatype Central Repository publishing workflow, replacing the legacy OSSRH (OSS Repository Hosting) setup with the modern Central Publishing Maven Plugin.

Key Changes

  • SCM Configuration: Updated Git URLs from mixed protocols (git://, ssh://) to consistent HTTPS URLs pointing to the bernardladenthin fork
  • Distribution Management: Removed legacy OSSRH snapshot and release repository configurations
  • Publishing Plugin: Replaced nexus-staging-maven-plugin (v1.6.13) with central-publishing-maven-plugin (v0.9.0) for modern Central Repository publishing
  • Build Plugins:
    • Added maven-source-plugin (v3.3.1) to attach source JAR artifacts
    • Added maven-javadoc-plugin (v3.11.2) to attach Javadoc JAR artifacts
    • Updated maven-gpg-plugin from v3.1.0 to v3.2.7 with enhanced configuration for GPG signing (pinentry-mode loopback support and keyname parameter)
  • Code Cleanup: Removed unnecessary whitespace in developer section

Notable Details

  • The new Central Publishing Maven Plugin uses publishingServerId: central instead of the legacy ossrh server ID
  • Auto-publish is enabled with waitUntil: published to ensure artifacts are fully published before build completion
  • GPG signing configuration now supports non-interactive signing via loopback pinentry mode

https://claude.ai/code/session_01TPLSUAgEHPFGSoDesiPZ5N

- Remove distributionManagement pointing to s01.oss.sonatype.org
- Fix SCM URLs to HTTPS (was git:// and ssh://)
- Add distribution=repo to MIT license entry
- Replace release profile: remove nexus-staging-maven-plugin,
  add central-publishing-maven-plugin 0.9.0, upgrade maven-gpg-plugin
  to 3.2.7 with keyname + --pinentry-mode loopback, add source 3.3.1
  and javadoc 3.11.2 plugins; retain cuda classifier jar execution
Comment thread pom.xml Outdated
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.11.2</version>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Version inconsistency detected: The base build section uses maven-javadoc-plugin v3.5.0 (line 136), but this release profile specifies v3.11.2. This is a significant version jump (v3.5 → v3.11) with potentially breaking changes.

Consider:

  1. Unify versions: Use the same version in both profiles, or explain why the release profile needs a newer version
  2. Check compatibility: Review the v3.11.2 release notes for any breaking changes or behavioral differences from v3.5.0
  3. Remove redundancy: Lines 159-167 duplicate the maven-source-plugin definition from the base build. Remove this duplication or explain why it's needed in the release profile

Comment thread pom.xml
Comment on lines +190 to +195
<configuration>
<keyname>${gpg.keyname}</keyname>
<gpgArguments>
<arg>--pinentry-mode</arg>
<arg>loopback</arg>
</gpgArguments>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GPG Configuration - Documentation Needed: The --pinentry-mode loopback configuration enables non-interactive GPG signing, which is appropriate for CI/CD environments. However, this requires specific setup that should be documented:

  1. The GPG agent must have allow-loopback-pinentry configured in ~/.gnupg/gpg-agent.conf
  2. The ${gpg.keyname} property must be set (typically via -Dgpg.keyname=<key-id> or in ~/.m2/settings.xml)
  3. The GPG passphrase needs to be available to the build environment (e.g., via environment variable or ~/.m2/settings.xml)

Recommendation: Add a comment or update documentation (CONTRIBUTING.md or README) with these requirements for maintainers setting up release builds.

Comment thread pom.xml
Comment on lines +206 to +210
<configuration>
<publishingServerId>central</publishingServerId>
<autoPublish>true</autoPublish>
<waitUntil>published</waitUntil>
</configuration>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Central Publishing Maven Plugin Configuration: The migration from OSSRH to Sonatype Central Portal is correct and uses appropriate configuration:

publishingServerId: central correctly replaces legacy ossrh ID
autoPublish: true automates the publishing workflow
waitUntil: published ensures artifacts are fully available before build completion

Note: Users will need to configure credentials in ~/.m2/settings.xml:

<server>
  <id>central</id>
  <username>SONATYPE_USERNAME</username>
  <password>SONATYPE_PASSWORD</password>
</server>

This should be documented for contributors who need to perform releases. Also ensure CI/CD credentials are properly scoped to this server ID.

@claude

claude Bot commented May 10, 2026

Copy link
Copy Markdown

Review Summary

Overall Assessment ✅

The migration from OSSRH to Sonatype Central Portal is well-executed. The modern Central Publishing Maven Plugin is the correct choice, and the GPG signing configuration is appropriate for CI/CD workflows.

Key Findings

Issues to Address:

  1. Version Inconsistency: maven-javadoc-plugin differs between base build (v3.5.0) and release profile (v3.11.2). This significant jump should be tested for compatibility and the versions should be unified.
  2. Plugin Duplication: maven-source-plugin and maven-javadoc-plugin are defined twice (base build and release profile). This redundancy should be consolidated.

Documentation Gaps:

  1. GPG Setup: The loopback pinentry mode requires specific gpg-agent configuration and environment setup that should be documented for release maintainers.
  2. Sonatype Credentials: Contributors need guidance on configuring the 'central' server ID in their ~/.m2/settings.xml for local release builds.
  3. Maven Version Requirement: The central-publishing-maven-plugin requires Maven 3.6.1+, which should be documented.

Security & Quality Notes

  • SCM URLs correctly updated to HTTPS (more secure than git:// and ssh://)
  • SCM fork corrected from kherud to bernardladenthin (appropriate ownership change)
  • GPG signing configuration is secure and CI/CD-friendly
  • No security vulnerabilities detected in the plugin configuration

Recommendations

  1. Resolve the javadoc plugin version inconsistency before merging
  2. Consolidate duplicate plugin definitions
  3. Document the GPG setup requirements and Central credentials configuration for the project's maintainers

Plugins (main build):
- maven-compiler-plugin 3.13.0 -> 3.15.0
- maven-resources-plugin 3.3.1 -> 3.5.0
- maven-source-plugin 3.3.0 -> 3.4.0
- maven-javadoc-plugin 3.5.0 -> 3.12.0

Plugins (release profile):
- maven-source-plugin 3.3.1 -> 3.4.0
- maven-javadoc-plugin 3.11.2 -> 3.12.0
- maven-gpg-plugin 3.2.7 -> 3.2.8
- central-publishing-maven-plugin 0.9.0 -> 0.10.0
- maven-jar-plugin 3.4.2 -> 3.5.0

Dependencies:
- jackson-databind 2.21.2 -> 2.21.3
- org.jetbrains:annotations 24.1.0 -> 26.1.0

Skipped: Maven 4.x beta/rc plugins
@claude

claude Bot commented May 10, 2026

Copy link
Copy Markdown

Review: PR #116 - Maven Central Repository Migration

Overall Assessment ✓

The migration from legacy OSSRH to Sonatype Central Publishing Maven Plugin is implemented correctly and follows modern Maven best practices. The plugin version updates are to stable releases.

Key Changes Reviewed

  • ✓ SCM URLs correctly migrated from mixed protocols (git://, ssh://) to consistent HTTPS
  • ✓ Legacy distributionManagement block properly removed
  • ✓ Central Publishing Maven Plugin configuration is correct (v0.10.0, autoPublish enabled, waitUntil published)
  • ✓ Maven-gpg-plugin updated to v3.2.8 with loopback pinentry mode for CI/CD automation
  • ✓ Source and Javadoc plugins added to ensure Maven Central requirements are met
  • ✓ All dependency and plugin versions updated to latest stable releases

Issues Found

1. Duplicate Plugin Configuration (Medium)
Lines 157-179 in the release profile duplicate the source and javadoc plugin configurations from the main build (lines 120-148). These should be removed from the release profile since:

  • The main build already generates these artifacts
  • The release profile should only contain signing and publishing-specific plugins
  • This violates DRY principle and increases maintenance burden

2. GPG Keyname Property Documentation (Minor)
The GPG configuration uses ${gpg.keyname} placeholder. Ensure CI/CD is documented to provide this via -Dgpg.keyname= or settings.xml. Without it, the build will fail during the release process.

Recommendations

  1. Remove source and javadoc plugins from the release profile (they're already in main build)
  2. Document the required GPG properties for CI/CD release builds
  3. Test the release build locally before merging: mvn clean deploy -Prelease -Dgpg.keyname=

Comment thread pom.xml Outdated
Comment on lines +157 to +166
<plugin>
<groupId>org.sonatype.plugins</groupId>
<artifactId>nexus-staging-maven-plugin</artifactId>
<version>1.6.13</version>
<extensions>true</extensions>
<configuration>
<serverId>ossrh</serverId>
<nexusUrl>https://s01.oss.sonatype.org/</nexusUrl>
<autoReleaseAfterClose>true</autoReleaseAfterClose>
</configuration>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>3.4.0</version>
<executions>
<execution>
<id>attach-sources</id>
<goals><goal>jar-no-fork</goal></goals>
</execution>
</executions>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Duplicate Configuration Alert

The maven-source-plugin configuration here is identical to lines 120-131 in the main build section. Since the main build already generates source artifacts, this duplication in the release profile is unnecessary.

Suggestion: Remove this plugin block from the release profile. The main build will provide the source artifacts, and the release profile can focus solely on signing and publishing.

Comment thread pom.xml Outdated
Comment on lines +169 to +179
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.12.0</version>
<executions>
<execution>
<id>attach-javadocs</id>
<goals><goal>jar</goal></goals>
</execution>
</executions>
</plugin>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Duplicate Configuration Alert

The maven-javadoc-plugin configuration here is identical to lines 133-148 in the main build section. This duplication should be removed from the release profile.

Why: The main build already runs these plugins and generates artifacts. The release profile should only add signing and publishing-specific configuration, not duplicate the main build's work.

Comment thread pom.xml
Comment on lines +190 to +196
<configuration>
<keyname>${gpg.keyname}</keyname>
<gpgArguments>
<arg>--pinentry-mode</arg>
<arg>loopback</arg>
</gpgArguments>
</configuration>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📝 CI/CD Configuration Note

The ${gpg.keyname} property and --pinentry-mode loopback configuration are correct for automated signing in CI/CD environments. However, ensure that:

  1. The CI/CD pipeline passes -Dgpg.keyname=<GPG_KEY_ID> when invoking the release build
  2. The GPG passphrase is available via GPG_PASSPHRASE environment variable or settings.xml
  3. Release documentation is updated with these requirements

Example CI command: mvn clean deploy -Prelease -Dgpg.keyname=ABC123DEF

@claude

claude Bot commented May 10, 2026

Copy link
Copy Markdown

Review Summary

This PR migrates the Maven build from OSSRH to Sonatype Central Publisher Portal with updated dependencies and a new Dependabot configuration. While the migration approach is sound, there are several points worth addressing:

Issues Found

1. Significant SCM Connection URL Change

  • The scm:git:connection URL was changed from pointing to the upstream kherud/java-llama.cpp repository to the personal bernardladenthin/java-llama.cpp fork
  • This is used by Maven/CI tools to identify the canonical source and can affect:
    • Artifact metadata in Central Repository (scm tags in POM)
    • CI/CD systems checking out code
    • Build reproducibility
  • Recommendation: Clarify if this is intentional (e.g., project transferred) or if the upstream repository should remain as the canonical source

2. Duplicate Plugin Configurations

  • maven-source-plugin and maven-javadoc-plugin are defined in both the main build section and the release profile
  • These already run in the main build, so repeating them in the release profile is unnecessary duplication
  • Recommendation: Remove the duplicate plugin definitions from the release profile

3. Configuration Details

  • The GPG configuration uses ${gpg.keyname} variable which should be defined in CI/CD environment or Maven settings, but isn't documented
  • Recommendation: Document where this variable is set and ensure CI/CD is configured to provide it

Positive Aspects

✅ Dependabot configuration is well-structured for both Maven and GitHub Actions
✅ Plugin versions are updated to latest stable releases
✅ Modern Central Publisher Portal approach is correct
✅ GPG signing with pinentry-mode loopback is appropriate for CI/CD automation

Minor Notes

  • The autoPublish: true and waitUntil: published settings mean builds will block until artifacts are published to Central Repository, which could impact build times

Comment thread pom.xml
Comment on lines +32 to +33
<connection>scm:git:https://github.com/bernardladenthin/java-llama.cpp.git</connection>
<developerConnection>scm:git:https://github.com/bernardladenthin/java-llama.cpp.git</developerConnection>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ SCM URLs now point to personal fork

The original connection URL pointed to kherud/java-llama.cpp (upstream), while both now point to bernardladenthin/java-llama.cpp. This is a significant change:

  • The connection URL identifies the canonical source for Maven Central metadata
  • CI/CD systems use this URL for builds
  • Affects build reproducibility and project attribution

If this is intentional (e.g., project maintenance transferred): proceed, but document the change in commit history.

If not intentional: Consider keeping the upstream URL as the canonical source while using the personal fork for developerConnection (as it was originally configured).

Comment thread pom.xml Outdated
Comment on lines +159 to +179
<artifactId>maven-source-plugin</artifactId>
<version>3.4.0</version>
<executions>
<execution>
<id>attach-sources</id>
<goals><goal>jar-no-fork</goal></goals>
</execution>
</executions>
</plugin>

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.12.0</version>
<executions>
<execution>
<id>attach-javadocs</id>
<goals><goal>jar</goal></goals>
</execution>
</executions>
</plugin>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔄 Duplicate plugin configuration

Both maven-source-plugin (v3.4.0) and maven-javadoc-plugin (v3.12.0) are already configured in the main <build> section above (lines 122-148) and will always execute. Repeating them in the release profile is unnecessary duplication.

Recommendation: Remove these duplicate plugin blocks since:

  1. They have identical configuration to the main build
  2. Source and Javadoc JARs are required for all builds, not just release builds
  3. Reduces maintenance burden and configuration complexity

Keep only the maven-gpg-plugin and central-publishing-maven-plugin which are release-specific.

Comment thread pom.xml
Comment on lines +190 to +196
<configuration>
<keyname>${gpg.keyname}</keyname>
<gpgArguments>
<arg>--pinentry-mode</arg>
<arg>loopback</arg>
</gpgArguments>
</configuration>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📋 GPG Configuration - Missing Documentation

The GPG signing configuration references ${gpg.keyname} variable which needs to be defined for the build to work. This should be:

  1. Set in CI/CD environment (e.g., GitHub Actions secrets)
  2. Or defined in Maven settings.xml (~/.m2/settings.xml)
  3. Or passed via command line (mvn -Dgpg.keyname=YOUR_KEY_ID)

Recommendation: Add a comment above this configuration block documenting where the gpg.keyname property should be defined. Also ensure your CI/CD workflow passes this value correctly during release builds.

Example CI/CD usage:

mvn deploy -P release -Dgpg.keyname=${{ secrets.GPG_KEYNAME }}

Comment thread .github/dependabot.yml
@@ -0,0 +1,10 @@
version: 2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good Addition: Dependabot Configuration

This Dependabot setup is well-configured for automated dependency updates. A few notes:

  • Weekly Maven updates: Will check for plugin and dependency updates
  • Weekly GitHub Actions updates: Will keep your CI/CD workflows current

Optional enhancement: Consider setting open-pull-requests-limit if you want to limit concurrent PRs:

updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

Also consider adding labels or assignees to make PRs easier to manage:

labels: ["dependencies"]
reviewers: ["bernardladenthin"]

These are optional but helpful for managing many dependency updates.

Comment thread pom.xml
<license>
<name>MIT License</name>
<url>https://www.opensource.org/licenses/mit-license.php</url>
<distribution>repo</distribution>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good Addition: License Distribution Tag

Adding <distribution>repo</distribution> is correct for Maven Central requirements. This indicates the license applies to repository-hosted distributions, which is standard for open-source projects published to Maven Central.

maven-source-plugin and maven-javadoc-plugin are already configured in
the main build section and run on every build. Repeating them in the
release profile is redundant; the release profile now contains only the
release-specific plugins: maven-gpg-plugin and central-publishing-maven-plugin.

https://claude.ai/code/session_01TPLSUAgEHPFGSoDesiPZ5N
Comment thread pom.xml
</goals>
<goals><goal>sign</goal></goals>
<configuration>
<keyname>${gpg.keyname}</keyname>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical Issue: The pom.xml references ${gpg.keyname}, but this property is:

  1. Not defined as a property in pom.xml
  2. Not passed by the release workflow

The .github/workflows/release.yaml (line 667) runs mvn deploy without passing -Dgpg.keyname=<KEY_ID>. This will cause GPG signing to fail with "Unable to use configured keyname".

Fix: Either:

  • Define <gpg.keyname> as a property in pom.xml (not recommended for security)
  • Update the workflow to pass it: mvn ... -Dgpg.keyname=YOUR_KEY_ID deploy

Note: The property should be the GPG key ID (usually the last 16 hex characters of the fingerprint)

Comment thread pom.xml
<version>0.10.0</version>
<extensions>true</extensions>
<configuration>
<publishingServerId>central</publishingServerId>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical Issue: The pom.xml now uses publishingServerId: central, but the release workflow (.github/workflows/release.yaml line 661) still configures the Maven server with server-id: ossrh.

The Central Publishing Maven Plugin will look for a server named central in Maven's settings.xml, not ossrh. Since the workflow sets up ossrh, the deployment will fail with authentication errors.

Fix: Update .github/workflows/release.yaml publish job:

  1. Change server-id: ossrhserver-id: central (line 661)
  2. Use Central Publisher OAuth token instead of OSSRH credentials (lines 669-670)
  3. Ensure ~/.m2/settings.xml has a <server> section with id central containing the OAuth token

Reference: https://central.sonatype.org/publish/publish-maven/ for complete setup instructions

Comment thread .github/dependabot.yml
updates:
- package-ecosystem: "maven"
directory: "/"
schedule:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good addition! Weekly dependency updates for Maven dependencies and GitHub Actions.

Note: This PR's pom.xml changes require careful testing in CI. The workflow (.github/workflows/release.yaml) was not updated to match the new Central Publishing Maven Plugin configuration - there's a critical mismatch between the pom.xml and workflow that will cause release builds to fail. Be sure to coordinate the workflow updates before merging this PR or releasing.

Comment thread pom.xml
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.5.0</version>
<version>3.12.0</version>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Version bump from 3.5.0 → 3.12.0 is a significant jump. This plugin was previously at 3.5.0, now 3.12.0.

Good news: This update is a stable release, not a beta. However, with such a version jump (3.5 → 3.12), ensure:

  1. Javadoc generation still works as expected on Java 1.8 source
  2. Test that mvn package -P release successfully attaches javadoc JARs
  3. Run a full test cycle before releasing

The corresponding update in the main build section is the same version, so at least they're consistent now.

Comment thread pom.xml
<license>
<name>MIT License</name>
<url>https://www.opensource.org/licenses/mit-license.php</url>
<distribution>repo</distribution>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch - adding <distribution>repo</distribution> is required by Maven Central Repository. This was added correctly.

This setting indicates the license is available from the Maven Central repository (as opposed to manual/external distribution). It's one of the requirements for publishing to Maven Central.

Comment thread pom.xml
<scm>
<connection>scm:git:git://github.com/kherud/java-llama.cpp.git</connection>
<developerConnection>scm:git:ssh://github.com:bernardladenthin/java-llama.cpp.git</developerConnection>
<connection>scm:git:https://github.com/bernardladenthin/java-llama.cpp.git</connection>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security improvement: SCM URLs changed from mixed protocols (git://, ssh://) to consistent HTTPS.

The original configuration used:

  • scm:git:git://... (unencrypted)
  • scm:git:ssh://... (requires SSH key)

New configuration uses:

  • scm:git:https://... (encrypted + standard credentials)

This is more secure and compatible with Maven Central requirements. HTTPS is the recommended protocol for Maven Central artifacts.

@bernardladenthin bernardladenthin merged commit 42203c7 into main May 10, 2026
31 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants