
ci(release): Tag-triggered Maven Central release workflow#7

Merged
jeffjensen merged 2 commits into main from ci/release-workflow on Jun 23, 2026

Conversation


@jeffjensen jeffjensen commented Jun 22, 2026

Contributor

Commits and standardizes release.yml so releases publish from CI instead of a local release:perform.

Flow

mvn release:prepare (local) bumps versions, tags v<version>, and auto-pushes (pushChanges default). The tag triggers release.yml, which waits for approval on the release environment, then runs deploy -Prelease (GPG-signed, sources + javadoc, auto-published to Central).

Changes

  • release.yml — committed (was untracked) and standardized: release-deploy concurrency, environment: release approval gate, checkout@v7, jdk-setup composite. Keeps -DskipTests -Darchetype.test.skip=true (tests ran during prepare; the archetype IT needs Docker).
  • releasing.adoc — rewritten for the real (auto-push + gate) flow; adds one-time prerequisites; drops the obsolete manual git push --tags step.

Prerequisites before first use

  • Repo secrets: CENTRAL_USERNAME, CENTRAL_TOKEN, GPG_PRIVATE_KEY, GPG_PASSPHRASE (the GPG ones have never been exercised — snapshot deploy doesn't sign).
  • A release environment with a required reviewer (the approval gate).

🤖 Generated with Claude Code

https://claude.ai/code/session_013DKrZ3wSe6H5HXPzg8iWC6

Summary by CodeRabbit

  • Chores

    • Added an automated release workflow that publishes GPG-signed artifacts to Maven Central when version tags (v*) are pushed, gated by a GitHub release environment with reviewer approval.
    • Updated the snapshot deployment workflow to prevent persisting Git credentials after checkout.
  • Documentation

    • Reworked the releasing guide to center on release:prepare, including required one-time prerequisites, clearer local preparation steps, updated artifact verification instructions, and a new “Aborting” flow to cancel pending deployments and revert the tag/commits.

@coderabbitai

coderabbitai Bot commented Jun 22, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8492131c-34a6-43b1-ae63-9698c77dffdb

📥 Commits

Reviewing files that changed from the base of the PR and between 0aa6922 and 197cda7.

📒 Files selected for processing (3)
  • .github/workflows/deploy-snapshot.yml
  • .github/workflows/release.yml
  • integration/src/site/asciidoc/releasing.adoc
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/deploy-snapshot.yml
  • integration/src/site/asciidoc/releasing.adoc

📝 Walkthrough

A new release.yml GitHub Actions workflow is added, triggered on v* tag pushes, that gates deployment behind a release environment approver and then runs ./mvnw deploy with GPG signing and Maven Central credentials. The releasing.adoc guide is rewritten to document this CI-driven flow, including prerequisites, the new release:prepare-to-approval process, and an updated aborting procedure. Both new and existing workflows are hardened with persist-credentials: false.

Changes

Maven Central Release Workflow and Documentation

Layer: release.yml workflow and credential security
File(s): .github/workflows/release.yml, .github/workflows/deploy-snapshot.yml
Summary: New workflow triggered on v* tag push. Configures a non-canceling release-deploy concurrency group, a release environment with required-reviewer approval, a 30-minute timeout, and a jdk-setup action wired with CENTRAL_USERNAME/CENTRAL_TOKEN and GPG key/passphrase. Final step runs ./mvnw deploy -Prelease with tests skipped. Applies persist-credentials: false to both new and existing snapshot-deploy workflows for credential safety.

Layer: releasing.adoc: prerequisites, release flow, and aborting
File(s): integration/src/site/asciidoc/releasing.adoc
Summary: Rewrites the release guide with an overview of the CI-driven process, a prerequisites section listing four required repo secrets and the release environment approval gate, a note on local Docker for archetype verification, a condensed snapshot deployment statement, a streamlined release flow describing release:prepare auto-push and release.yml approval with -Prelease GPG signing, and an aborting section replacing the old rollback instructions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks: 5 passed

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title accurately describes the main change: a new GitHub Actions workflow for tag-triggered Maven Central releases, which is the primary focus of this PR.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


Inline comments:
In @.github/workflows/release.yml:
- Line 24: Replace the mutable tag reference `actions/checkout@v7` with a pinned
commit SHA (e.g., `actions/checkout@<specific-commit-sha>`) to ensure a specific
version is used. Additionally, add the `persist-credentials: false` parameter to
the checkout action configuration to disable credential persistence, which
minimizes security risk when handling sensitive secrets like GPG keys and Maven
Central credentials in the release workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 78d08ba6-00a7-48dc-8430-493bdda91179

📥 Commits

Reviewing files that changed from the base of the PR and between cea13d0 and 8450132.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • integration/src/site/asciidoc/releasing.adoc
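As an added illustration (not the PR's actual release.yml), here is a workflow matching what the description, walkthrough and inline review comment above call for: a v* tag trigger, a non-canceling release-deploy concurrency group, the release environment gate, a 30-minute timeout, a SHA-pinned checkout with persist-credentials: false, the jdk-setup composite, and the -Prelease deploy with tests skipped. The composite's path and input names, the SHA placeholder, the read-only token permission and the MAVEN_GPG_PASSPHRASE handoff are assumptions not taken from the PR.

```yaml
name: Release to Maven Central

on:
  push:
    tags:
      - 'v*'                       # created locally by mvn release:prepare

# One release deploy at a time; never cancel an in-flight publish to Central.
concurrency:
  group: release-deploy
  cancel-in-progress: false

# Assumption: the job never pushes back to git, so a read-only token suffices.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: release           # required reviewer acts as the approval gate
    timeout-minutes: 30
    steps:
      - name: Checkout the release tag
        # Pin to a full commit SHA (placeholder here) instead of the mutable
        # v7 tag, as suggested in review; the trailing comment keeps it readable.
        uses: actions/checkout@<full-commit-sha-for-v7>  # v7
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config

      - name: Set up JDK, Maven settings and GPG key
        # Assumed location and inputs of the repo's jdk-setup composite action.
        uses: ./.github/actions/jdk-setup
        with:
          central-username: ${{ secrets.CENTRAL_USERNAME }}
          central-token: ${{ secrets.CENTRAL_TOKEN }}
          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - name: Deploy GPG-signed artifacts
        # Tests already ran during release:prepare; the archetype IT needs Docker.
        run: ./mvnw -B deploy -Prelease -DskipTests -Darchetype.test.skip=true
        env:
          # Assumption: maven-gpg-plugin reads the passphrase from this variable.
          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
```

The secrets are only exposed to the job after the environment reviewer approves, so a stray tag push cannot publish on its own.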

jeffjensen and others added 2 commits June 22, 2026 20:22
Commit and standardize release.yml so a pushed v* tag (created by
release:prepare) deploys -Prelease to Maven Central. Adds the
release-deploy concurrency group and the release environment approval
gate, and bumps checkout to v7 — matching the snapshot-deploy workflow
and the jdk-setup composite usage.

Document the actual flow: release:prepare auto-pushes the tag
(pushChanges defaults to true), release.yml waits on the release
environment approval gate, then deploys. Add the one-time prerequisites
(secrets, release environment, local Docker) and drop the obsolete
manual push step.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013DKrZ3wSe6H5HXPzg8iWC6

deploy-snapshot also handles Maven Central credentials and never pushes back to
git, so drop the persisted GITHUB_TOKEN. Same hardening as the release workflow.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013DKrZ3wSe6H5HXPzg8iWC6
@jeffjensen jeffjensen force-pushed the ci/release-workflow branch from 0aa6922 to 197cda7 on June 23, 2026 01:27
@jeffjensen jeffjensen merged commit bed9435 into main Jun 23, 2026
5 checks passed
@jeffjensen jeffjensen deleted the ci/release-workflow branch June 23, 2026 01:32