From b0c564a3d56d87ca829cdde5a3257ee93e47d216 Mon Sep 17 00:00:00 2001
From: alexeid <alexei.drummond@gmail.com>
Date: Mon, 4 May 2026 09:45:58 +1200
Subject: [PATCH] ci: clean-deploy on tag and skip redundant verify

- Gate "Build and test" to non-tag pushes (the same mvn verify runs as
  part of the deploy lifecycle on tag).
- Replace two-step `mvn deploy -Prelease -DskipTests` with single
  `mvn -Prelease clean deploy`. The previous flow left unsigned
  package outputs in target/ from an earlier run, so the second
  invocation could deploy artifact bytes that did not match the
  freshly generated .asc files. Sonatype rejected such tag releases
  with "Invalid signature" on zip/sources/javadoc while jar/pom
  verified. A single clean deploy from the tag avoids that.
---
 .github/workflows/ci-publish.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-publish.yml b/.github/workflows/ci-publish.yml
index 1023d05..d9e0027 100644
--- a/.github/workflows/ci-publish.yml
+++ b/.github/workflows/ci-publish.yml
@@ -44,11 +44,12 @@ jobs:
           mvn versions:set -DnewVersion=$VERSION -DgenerateBackupPoms=false
 
       - name: Build and test
+        if: "!startsWith(github.ref, 'refs/tags/v')"
         run: mvn verify
 
       - name: Publish to Maven Central
         if: startsWith(github.ref, 'refs/tags/v')
-        run: mvn deploy -Prelease -DskipTests
+        run: mvn -Prelease clean deploy
         env:
           CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
           CENTRAL_TOKEN: ${{ secrets.CENTRAL_TOKEN }}