ci: stage to Central portal + manual release, not irreversible auto-release (#14)#24
Merged
Merged
Conversation
After this commit, a release tag stages to the Central portal and waits for a human to release -- no more irreversible auto-release. The publish workflow ran `publishAndReleaseToMavenCentral`, which uploads AND auto-releases both :sharingan and :sharingan-noop to Maven Central in one irreversible shot on every v* tag (Central releases can never be unpublished). It now runs `publishToMavenCentral`, which uploads to a new Central Portal deployment and STOPS; a maintainer verifies the staged artifact and clicks Publish in the portal. - publish.yml: swap the Gradle task to the stage-only `publishToMavenCentral`, drop the auto GitHub Release step (it would announce a release while the artifact is still only staged -- the maintainer cuts it after the portal Publish), and add a `workflow_dispatch` trigger so the staged flow can be dry-run without cutting a tag (tag trigger kept; version-tag assert skipped on dispatch since it has no tag). Inline comment records the decision. - docs/RELEASING.md: new two-step maintainer guide -- push tag, verify the staged deployment in the Central Portal (coordinates io.github.mibrahimdev, both :sharingan and :sharingan-noop present, VALIDATED, POM + .asc signatures complete), click Publish, then cut the GitHub Release. Includes the dry-run via workflow_dispatch. - docs/adr/0001-stage-then-manual-release.md: ADR recording the deliberate choice of staging + manual release over auto-release-with-a-CI-gate, because Central releases are irreversible. - README: link maintainers to docs/RELEASING.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #14.
What & why
The publish workflow ran
publishAndReleaseToMavenCentral, which on everyv*tag uploads and auto-releases both
:sharinganand:sharingan-nooptoMaven Central in one irreversible shot. Central releases can never be
unpublished — a bad coordinate, a broken/unsigned POM, or only one of the two
modules uploaded would be a forever-public mistake.
This PR switches the flow to stage + manual release (the maintainer's
decision on #14): a tag now stages a deployment to the Central Portal and
stops; a human verifies it and clicks Publish in the portal.
Before / after Gradle task
publishAndReleaseToMavenCentralpublishToMavenCentralTask semantics confirmed against the vanniktech 0.36.0 plugin docs (Central
Portal page):
publishToMavenCentralstages and stops;publishAndReleaseToMavenCentralauto-releases. The Gradle config (
mavenPublishing { publishToMavenCentral() },no
automaticRelease) already matches the stage-only task.Acceptance criteria (issue #14)
docs/adr/0001-stage-then-manual-release.md, in this PR body, and as an inline comment inpublish.yml.publish.ymlrunspublishToMavenCentral(stage-only) instead ofpublishAndReleaseToMavenCentral.docs/RELEASING.md(linked from README).Workflow diff summary
.github/workflows/publish.yml(only this workflow touched — left other workflow files alone):./gradlew publishToMavenCentral(stage-only) instead ofpublishAndReleaseToMavenCentral.gh release createstep — it would announce a GitHub "release" while the artifact is still only staged on the portal. The maintainer cuts the GitHub Release after clicking Publish (documented in RELEASING.md).permissionsdropped fromcontents: writetocontents: readaccordingly.workflow_dispatchtrigger (tagpushtrigger kept) so the maintainer can dry-run the staged flow without cutting a tag. The version-tag assertion now hasif: github.event_name == 'push'so it's skipped on dispatch runs (which have no tag).Staged - next stepssummary step recording the decision and pointing atdocs/RELEASING.md.YAML validated with
yaml.safe_load(parses clean); triggers resolve topush+workflow_dispatch; the single gradle run line is./gradlew publishToMavenCentral.Dry-run instructions for the maintainer
You can't release-by-accident here — the task is stage-only — so a real
dry-run is safe:
mainafter merge). Aworkflow_dispatchrun skips the version-tag assert and stages the current catalog version.v0.0.1-rc1only if you also set the catalogsharinganversion to match (the assert enforces tag == catalog version). The dispatch route avoids this.VALIDATED, NOT released, with bothio.github.mibrahimdev:sharinganandio.github.mibrahimdev:sharingan-noop. The workflow makes no Publish/Release API call — verify nothing landed oncentral.sonatype.com/artifact/....Once you're happy with the real release, follow
docs/RELEASING.md: verify the staged deployment → click Publish → cut the GitHub Release.🤖 Generated with Claude Code