ci(release): Tag-triggered Maven Central release workflow#4

Merged
jeffjensen merged 4 commits into main from ci/release-workflow
Jun 23, 2026
Conversation

@jeffjensen jeffjensen (Contributor) commented Jun 22, 2026

Commits and standardizes release.yml so releases publish from CI instead of a local release:perform.

Flow

mvn release:prepare -N (local) bumps the version, tags v<version>, and auto-pushes (pushChanges default). The tag triggers release.yml, which waits for approval on the release environment, then runs deploy -Prelease -N (GPG-signed, auto-published to Central).

Changes

  • jdk-setup composite — extended with the optional Central/GPG inputs the other repos' copies already have (was JDK + cache only), so the release workflow can sign/deploy through it. Backward compatible.
  • release.yml — committed (was untracked); now uses the composite and adds permissions: contents: read, release-deploy concurrency, environment: release (approval gate), and checkout@v7. Keeps -N (single pom).

No releasing.adoc — parent has no Maven site. Its release steps match core/boot (minus Docker; uses -N).

Prerequisites before first use

  • Repo secrets: CENTRAL_USERNAME, CENTRAL_TOKEN, GPG_PRIVATE_KEY, GPG_PASSPHRASE.
  • A release environment with a required reviewer (the approval gate).

🤖 Generated with Claude Code

https://claude.ai/code/session_013DKrZ3wSe6H5HXPzg8iWC6

Summary by CodeRabbit

  • Chores
    • Added an automated “Release to Maven Central” workflow that triggers on version tags and deploys artifacts with the release profile (skipping tests).
    • Enhanced the JDK setup process with optional Maven Central credentials and configurable GPG signing inputs for artifact deployment.
    • Updated snapshot deployments to avoid persisting checkout credentials during the workflow run.
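As an added illustration (not the release.yml committed in this PR, which is not reproduced on this page), here is a release workflow that implements the flow described above: a v* tag trigger, permissions: contents: read, the release-deploy concurrency group, the release environment as the approval gate, checkout@v7 with persist-credentials: false, and a single-pom mvn deploy -Prelease -N through the jdk-setup composite. The secret names and flags come from the description; the `central` server id, the ubuntu-latest runner, the 30-minute timeout and the `-B` batch-mode flag are my assumptions, and the setup-java convention that server-username, server-password and gpg-passphrase name environment variables (rather than carry values) is why the deploy step exports the secrets under those names.

```yaml
# Hypothetical .github/workflows/release.yml modelled on the PR description.
name: Release to Maven Central

on:
  push:
    tags:
      - 'v*'          # created locally by mvn release:prepare -N

# Least privilege: the job only reads the repo; nothing is pushed back.
permissions:
  contents: read

# Serialise releases; a second tag push waits instead of cancelling a deploy
# that may already be half-way through publishing to Central.
concurrency:
  group: release-deploy
  cancel-in-progress: false

jobs:
  release:
    runs-on: ubuntu-latest      # assumption
    timeout-minutes: 30         # assumption
    # Approval gate: the "release" environment is configured with a required
    # reviewer, so the job blocks here until a human approves it.
    environment: release
    steps:
      - uses: actions/checkout@v7
        # Reviewers suggested pinning to a full commit SHA instead of the
        # mutable v7 tag, e.g. actions/checkout@<FULL_COMMIT_SHA>  # v7
        with:
          # No git push-back happens, so do not leave GITHUB_TOKEN in
          # .git/config where later steps (and plugins) could read it.
          persist-credentials: false

      - uses: ./.github/actions/jdk-setup
        with:
          server-id: central                          # assumption: settings.xml server id
          server-username: CENTRAL_USERNAME           # env var *name*, not the value
          server-password: CENTRAL_TOKEN              # env var *name*, not the value
          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}   # the key itself is imported
          gpg-passphrase: GPG_PASSPHRASE              # env var *name*, not the value

      - name: Deploy release (single pom, GPG-signed, auto-published)
        env:
          CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
          CENTRAL_TOKEN: ${{ secrets.CENTRAL_TOKEN }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: mvn -B -N deploy -Prelease -DskipTests
```

The secrets are only materialised in the deploy step's environment, so the checkout and JDK-setup steps never see the Central token, and the environment gate means a stray or malicious tag push cannot publish without a reviewer clicking approve.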

jeffjensen and others added 2 commits June 22, 2026 17:29
Extend the composite (previously JDK + cache only) with optional server-id,
credential, and gpg inputs, matching the core and spring-boot copies, so the
release workflow can sign and deploy through it. Backward compatible: callers
without inputs still get the plain JDK setup.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013DKrZ3wSe6H5HXPzg8iWC6

Commit release.yml so a pushed v* tag (created by release:prepare) deploys
-Prelease (-N) to Maven Central. Use the jdk-setup composite and add the
release-deploy concurrency group, the release environment approval gate,
contents: read permissions, and checkout v7.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013DKrZ3wSe6H5HXPzg8iWC6
coderabbitai Bot commented Jun 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 321294c3-6616-4785-9606-da98402b2ca7

📥 Commits

Reviewing files that changed from the base of the PR and between ef7752a and fd719d6.

📒 Files selected for processing (1)
  • .github/workflows/deploy-snapshot.yml

📝 Walkthrough

Walkthrough

Two files are modified and one new workflow is added to support automated Maven Central releases with improved credential security. The jdk-setup composite action gains five optional inputs for Maven server credentials and GPG signing, with conditional setup-java steps that configure environment variables and caching. A new release.yml workflow triggers on v* tag pushes, invokes jdk-setup with secrets, and deploys via mvn deploy -Prelease -DskipTests. The existing deploy-snapshot workflow is updated to disable credential persistence.

Changes

Maven Central Release Pipeline

| Layer | File(s) | Summary |
| --- | --- | --- |
| jdk-setup credential inputs and conditional JDK setup steps | .github/actions/jdk-setup/action.yml | Adds server-id, server-username, server-password, gpg-private-key, and gpg-passphrase optional inputs. Splits the actions/setup-java@v5 step into two conditional paths: Maven dependency cache only when server-id is empty, and full Maven server credentials plus GPG inputs when server-id is non-empty. |
| Release workflow | .github/workflows/release.yml | New workflow triggered on v* tag pushes with read-only repository permissions and a non-canceling release-deploy concurrency group. Runs a single release job (30-minute timeout) that checks out the repo with persist-credentials: false, invokes .github/actions/jdk-setup with Maven Central and GPG secrets, then executes mvn deploy with the release profile and -DskipTests while injecting Central username/token and GPG passphrase from repository secrets. |
| Snapshot workflow credential security | .github/workflows/deploy-snapshot.yml | Configures the repository checkout step with persist-credentials: false to prevent credential persistence during snapshot deployments. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: a tag-triggered Maven Central release workflow is being added to CI. It directly aligns with the primary objective of enabling releases from CI via a tag-triggered workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

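The walkthrough above describes the composite action being split into two conditional setup-java paths. The following composite action is an added example of that pattern, written here to illustrate it; it is not the project's action.yml. The five credential inputs are the ones named in the walkthrough; the java-version input, its default, and the temurin distribution are my assumptions. The point of the split is that a plain CI caller gets only the JDK and the Maven dependency cache, while only a caller that passes a server-id gets a settings.xml server entry and an imported GPG key.

```yaml
# Hypothetical .github/actions/jdk-setup/action.yml modelled on the walkthrough.
name: jdk-setup
description: Set up the JDK, optionally with Maven server credentials and a GPG key

inputs:
  java-version:
    description: JDK version to install (assumption)
    required: false
    default: '21'
  server-id:
    description: Maven settings.xml server id; leave empty for plain JDK + cache setup
    required: false
    default: ''
  server-username:
    description: Name of the environment variable that holds the repository username
    required: false
    default: ''
  server-password:
    description: Name of the environment variable that holds the repository password/token
    required: false
    default: ''
  gpg-private-key:
    description: ASCII-armored GPG private key to import (the key contents, from a secret)
    required: false
    default: ''
  gpg-passphrase:
    description: Name of the environment variable that holds the GPG passphrase
    required: false
    default: ''

runs:
  using: composite
  steps:
    # Path 1: no server-id given, so behave exactly like the old JDK + cache action.
    - name: Set up JDK (cache only)
      if: ${{ inputs.server-id == '' }}
      uses: actions/setup-java@v5
      with:
        distribution: temurin          # assumption
        java-version: ${{ inputs.java-version }}
        cache: maven

    # Path 2: server-id given, so also write the <server> entry into settings.xml
    # and import the GPG key. setup-java stores only the env var *names* for the
    # username, password and passphrase; the calling job exports the real values.
    - name: Set up JDK with Maven server credentials and GPG key
      if: ${{ inputs.server-id != '' }}
      uses: actions/setup-java@v5
      with:
        distribution: temurin          # assumption
        java-version: ${{ inputs.java-version }}
        cache: maven
        server-id: ${{ inputs.server-id }}
        server-username: ${{ inputs.server-username }}
        server-password: ${{ inputs.server-password }}
        gpg-private-key: ${{ inputs.gpg-private-key }}
        gpg-passphrase: ${{ inputs.gpg-passphrase }}
```

Because the two steps are mutually exclusive on server-id, existing callers that pass no inputs are unaffected, and the credential-bearing path is never taken by pull-request builds that have no secrets to pass.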

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/jdk-setup/action.yml:
- Line 29: The `actions/setup-java` action in the jdk-setup composite action
uses a mutable major-version tag (v5) which can change unexpectedly and poses a
security risk in the release path. Replace the `@v5` tag with an immutable full
commit SHA for the exact version of `actions/setup-java` that should be used,
ensuring reproducibility and preventing accidental updates to different versions
during release workflows.

In @.github/workflows/release.yml:
- Line 24: The checkout action at line 24 uses a mutable tag (v7) which poses a
security risk in a release workflow that handles sensitive secrets like
CENTRAL_USERNAME, CENTRAL_TOKEN, and GPG_PASSPHRASE. Replace the
`actions/checkout@v7` reference with a pin to a specific commit SHA instead of
the mutable tag, and add the `persist-credentials: false` option to disable
credential persistence since this workflow does not perform any git operations
after the checkout step.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: b5995d98-89eb-4394-a594-b58fd46ebb12

📥 Commits

Reviewing files that changed from the base of the PR and between e000fa9 and 61630d7.

📒 Files selected for processing (2)
  • .github/actions/jdk-setup/action.yml
  • .github/workflows/release.yml

jeffjensen and others added 2 commits June 22, 2026 17:38
The release job only deploys (no git push-back), so the GITHUB_TOKEN that checkout
persists in .git/config is unnecessary attack surface in a workflow handling GPG
and Maven Central secrets. Set persist-credentials: false. Addresses the
CodeRabbit/zizmor finding; SHA-pinning is deferred to a separate project-wide policy.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013DKrZ3wSe6H5HXPzg8iWC6

deploy-snapshot also handles Maven Central credentials and never pushes back to
git, so drop the persisted GITHUB_TOKEN. Same hardening as the release workflow.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013DKrZ3wSe6H5HXPzg8iWC6
jeffjensen merged commit 05e0454 into main Jun 23, 2026
3 checks passed
jeffjensen deleted the ci/release-workflow branch June 23, 2026 01:10