This document describes how to publish the Permit.io Java SDK to Maven Central and GitHub Packages.
The SDK is published to two repositories:
- Maven Central - Primary distribution for public consumption
- GitHub Packages - Secondary distribution for GitHub-based workflows
- Create an account at central.sonatype.com
- Verify ownership of the
io.permitnamespace - Generate a User Token: Account → Generate User Token
Maven Central requires all artifacts to be signed with GPG. For more info see here.
gpg --full-generate-keyWhen prompted:
- Key type: Select
1(RSA and RSA) - Key size: Enter
4096 - Expiration: Enter
0(doesn't expire) or set a reasonable expiration - Name and email: Use the same email as your Maven Central account
- Passphrase: Set a strong passphrase (this is your
signingInMemoryKeyPassword)
gpg --list-secret-keys --keyid-format LONGFor local use:
gpg --armor --export-secret-keys YOUR_KEY_ID > key.ascFor CI/CD (base64 encoded):
gpg --armor --export-secret-keys YOUR_KEY_ID | base64gpg --keyserver keyserver.ubuntu.com --send-keys YOUR_KEY_ID
# Note: if you get a "no route to host" error, try an alternative keyserver such as keys.openpgp.org or pgp.mit.edu.Configure these secrets in your GitHub repository:
| Secret | Description |
|---|---|
MAVEN_CENTRAL_USERNAME |
Username from Central Portal TOKEN (not the user) |
MAVEN_CENTRAL_PASSWORD |
Password from Central Portal TOKEN (not user password) |
GPG_SIGNING_KEY |
Base64-encoded GPG private key |
GPG_SIGNING_PASSPHRASE |
Passphrase for the GPG key |
Publishing is triggered automatically when:
- A GitHub Release is created
- The workflow is manually dispatched
The workflow (.github/workflows/publish.yaml) handles:
- Javadoc verification
- Publishing to GitHub Packages
- Publishing to Maven Central
Test artifact generation without uploading:
./gradlew publishToMavenLocal -PskipSigningArtifacts are published to ~/.m2/repository/io/permit/permit-sdk-java/
Note: Use -PskipSigning for local testing without GPG keys. This flag is not available for Maven Central publishing (signing is required).
Upload to Central Portal without releasing:
./gradlew publishToMavenCentral \
-PmavenCentralUsername=TOKEN_USERNAME \
-PmavenCentralPassword=TOKEN_PASSWORD \
-PsigningInMemoryKey="$(cat key.asc)" \
-PsigningInMemoryKeyPassword=KEY_PASSPHRASEReview at Central Portal Deployments
Full publish with automatic release:
./gradlew publishAndReleaseToMavenCentral \
-PmavenCentralUsername=TOKEN_USERNAME \
-PmavenCentralPassword=TOKEN_PASSWORD \
-PsigningInMemoryKey="$(cat key.asc)" \
-PsigningInMemoryKeyPassword=KEY_PASSPHRASEGITHUB_ACTOR=username GITHUB_TOKEN=token ./gradlew publish| Task | Description |
|---|---|
publishToMavenLocal |
Publish to local Maven cache (~/.m2) |
publishToMavenCentral |
Upload to Central Portal (staging) |
publishAndReleaseToMavenCentral |
Upload and release to Maven Central |
publish |
Publish to all configured repositories (GitHub Packages) |
Version is automatically determined by the com.palantir.git-version plugin based on git tags:
- Tagged commit:
2.2.0 - Commits after tag:
2.2.0-1-gabcdef - Dirty working directory:
2.2.0-1-gabcdef.dirty
To release a new version:
git tag 2.3.0
git push origin 2.3.0- Credentials may be invalid or expired
- Regenerate token at Central Portal
- GPG key may be malformed
- Ensure key is base64 encoded without line breaks
- Maven Central doesn't allow overwriting versions
- Bump the version and try again