
ci(release): Tag-triggered Maven Central release workflow#3

Merged
jeffjensen merged 2 commits into
mainfrom
ci/release-workflow
Jun 23, 2026

Conversation

@jeffjensen jeffjensen commented Jun 22, 2026


Commits and standardizes release.yml so releases publish from CI instead of a local release:perform.

Flow

mvn release:prepare (local) bumps versions, tags v<version>, and auto-pushes (pushChanges default). The tag triggers release.yml, which waits for approval on the release environment, then runs deploy -Prelease (GPG-signed, sources + javadoc, auto-published to Central).

Changes

  • release.yml — committed (was untracked); switched from raw setup-java to the jdk-setup composite and bumped checkout@v7, to match the other workflows. (permissions/concurrency/environment: release were already present.)
  • releasing.adoc — rewritten for the real (auto-push + gate) flow; adds one-time prerequisites; the old git push --tags step (which would have skipped the branch commits) is gone.

Prerequisites before first use

  • Repo secrets: CENTRAL_USERNAME, CENTRAL_TOKEN, GPG_PRIVATE_KEY, GPG_PASSPHRASE (the GPG ones have never been exercised — snapshot deploy doesn't sign).
  • A release environment with a required reviewer (the approval gate).

🤖 Generated with Claude Code

https://claude.ai/code/session_013DKrZ3wSe6H5HXPzg8iWC6

Summary by CodeRabbit

  • New Features
    • Added an approval-gated CI workflow that deploys v* tagged releases to Maven Central with GPG-signed artifacts (including sources and Javadoc), and skips test re-runs during deployment.
  • Documentation
    • Streamlined the release guide to match the CI-driven process, including required secrets, what approval rejection does, and how to roll back if needed.
  • Chores
    • Updated the snapshot deployment workflow to disable credential persistence during repository checkout.

coderabbitai Bot commented Jun 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: e878933e-bb08-4bfb-a8ea-5d3f0ecdd727

📥 Commits

Reviewing files that changed from the base of the PR and between 22b0589 and 90c0719.

📒 Files selected for processing (3)
  • .github/workflows/deploy-snapshot.yml
  • .github/workflows/release.yml
  • src/site/asciidoc/releasing.adoc
✅ Files skipped from review due to trivial changes (2)
  • .github/workflows/deploy-snapshot.yml
  • src/site/asciidoc/releasing.adoc

📝 Walkthrough

Adds a release.yml GitHub Actions workflow triggered on v* tag pushes that runs mvn deploy -Prelease -DskipTests with GPG signing and Maven Central credentials behind a manual approval gate. Updates releasing.adoc to document the new CI-driven flow, prerequisites, and an abort procedure. Hardens the snapshot deployment workflow by disabling credential persistence in checkout.

Changes

Maven Central Release Workflow and Docs

  • release.yml: trigger, job, and deploy step (.github/workflows/release.yml)
    Defines the v* tag trigger, read-only permissions, release-deploy concurrency group, Maven env vars, a release job with 30-minute timeout and environment approval gate, JDK/GPG setup using secrets, and a mvn deploy -Prelease -DskipTests step that publishes GPG-signed artifacts with sources and javadoc to Maven Central.
  • releasing.adoc: prerequisites, flow, and abort (src/site/asciidoc/releasing.adoc)
    Rewrites the release docs to add a prerequisites section (required secrets, approval reviewer, local Docker for Testcontainers), condense snapshot deployment guidance, describe the full CI-driven release flow including the approval gate and -Prelease deployment, and introduce an Aborting section covering approval rejection and cleanup steps (delete remote tag, revert two release commits).
  • Snapshot deployment credential isolation (.github/workflows/deploy-snapshot.yml)
    Adds persist-credentials: false to the actions/checkout step to prevent GitHub credentials from persisting in the checkout environment.

Sequence Diagram

sequenceDiagram
  participant Dev as Developer
  participant Git as GitHub (v* tag push)
  participant GHA as release.yml
  participant Approver as release environment approver
  participant Central as Maven Central

  Dev->>Git: mvn release:prepare (pushes commits + v* tag)
  Git->>GHA: triggers release.yml
  GHA->>Approver: waits for deployment approval
  Approver->>GHA: approves release environment
  GHA->>GHA: JDK/GPG setup (secrets injected)
  GHA->>Central: mvn deploy -Prelease -DskipTests (GPG-signed, sources + javadoc)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: 5 passed
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: a GitHub Actions workflow for automated Maven Central releases triggered by tags.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping the docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 24-32: The release workflow needs security hardening on external
actions. Update the actions/checkout action on line 24 to replace the floating
version tag (v7) with a full commit SHA and add persist-credentials: false to
disable credential persistence. Additionally, locate the jdk-setup composite
action file at ./.github/actions/jdk-setup/action.yml and update all instances
of floating actions/setup-java@v5 tags (mentioned at lines 29 and 37) to use
pinned full commit SHAs instead. This ensures the release pipeline only uses
specific, immutable versions of external actions to prevent supply chain
attacks.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: af6502d9-0018-4931-a272-8453e44db384

📥 Commits

Reviewing files that changed from the base of the PR and between a3b62f5 and 2770820.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • src/site/asciidoc/releasing.adoc
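The workflow that the PR description (tag trigger, read-only permissions, release-deploy concurrency, release environment gate, GPG-signed deploy -Prelease) and CodeRabbit's hardening comment (SHA-pinned actions, persist-credentials: false) together describe, written out as an added example. This is not the repository's release.yml: it uses raw actions/setup-java instead of the project's jdk-setup composite, assumes JDK 21 and a Central server-id of `central`, uses `<sha-...>` placeholders where the full 40-hex commit SHAs of the audited action releases would go, and adds a tag-versus-pom version check that the PR does not mention.

```yaml
# Added illustration, not the project's own release.yml.
# Assumptions not on the page: JDK 21 via raw actions/setup-java (the repo uses a
# jdk-setup composite), server-id "central", and the tag/pom version guard step.
# Replace each <sha-...> placeholder with the full commit SHA of the action
# release you reviewed; a floating tag like @v7 can be moved by the upstream repo.
name: release

on:
  push:
    tags: ['v*']                  # mvn release:prepare pushes v<version>

# No step writes to the repository, so the job token is read-only.
permissions:
  contents: read

# One release at a time, and never cancel a deploy that is mid-publish.
concurrency:
  group: release-deploy
  cancel-in-progress: false

env:
  MAVEN_ARGS: "-B -ntp"

jobs:
  release:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    environment: release          # required reviewer on this environment is the approval gate

    steps:
      - name: Check out the tagged commit
        uses: actions/checkout@<sha-of-checkout-v7>      # v7, pinned to an immutable commit
        with:
          persist-credentials: false   # deploy never pushes; keep GITHUB_TOKEN out of .git/config

      - name: Set up JDK, Central credentials and GPG signing key
        uses: actions/setup-java@<sha-of-setup-java-v5>  # v5, pinned to an immutable commit
        with:
          distribution: temurin
          java-version: '21'
          server-id: central                  # must match the <server><id> the deploy plugin uses
          server-username: CENTRAL_USERNAME   # names of env vars, resolved at deploy time
          server-password: CENTRAL_TOKEN
          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
          gpg-passphrase: GPG_PASSPHRASE      # env var name the generated settings.xml reads

      # Added guard: a v* tag that does not match the pom version must not publish.
      - name: Refuse to publish if the tag and the pom disagree
        run: |
          tag_version="${GITHUB_REF_NAME#v}"
          pom_version="$(mvn $MAVEN_ARGS help:evaluate -Dexpression=project.version -q -DforceStdout)"
          if [ "$tag_version" != "$pom_version" ]; then
            echo "tag v$tag_version does not match pom version $pom_version" >&2
            exit 1
          fi

      # Tests already ran during release:prepare; the only secrets exposed to this
      # step are the ones it needs, and only after the environment approval.
      - name: Deploy release to Maven Central
        env:
          CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
          CENTRAL_TOKEN: ${{ secrets.CENTRAL_TOKEN }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: mvn $MAVEN_ARGS deploy -Prelease -DskipTests
```

Two points worth checking before the first real run: `server-username`/`server-password`/`gpg-passphrase` are environment variable names, not values, so the deploy step has to export the matching secrets or Maven will authenticate with empty credentials; and `persist-credentials: false` means nothing later in the job can push with the job token, which is exactly what a publish-only job wants, since release:prepare already pushed the commits and tag from the developer's machine.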

@jeffjensen jeffjensen force-pushed the ci/release-workflow branch from 9d4df83 to 22b0589 on June 23, 2026 01:17
jeffjensen and others added 2 commits June 22, 2026 20:18
Commit release.yml so a pushed v* tag (created by release:prepare)
deploys -Prelease to Maven Central. Switch from raw setup-java to the
jdk-setup composite (matching the other workflows) and bump checkout to
v7.

Rewrite releasing page for the updated CI release flow: release:prepare
auto-pushes the tag (pushChanges defaults to true), release.yml waits on
the release environment approval gate, then deploys. Add the one-time
prerequisites and correct the obsolete push step.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013DKrZ3wSe6H5HXPzg8iWC6
deploy-snapshot also handles Maven Central credentials and never pushes back to
git, so drop the persisted GITHUB_TOKEN. Same hardening as the release workflow.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013DKrZ3wSe6H5HXPzg8iWC6
@jeffjensen jeffjensen force-pushed the ci/release-workflow branch from 22b0589 to 90c0719 on June 23, 2026 01:18
@jeffjensen jeffjensen merged commit 143a5f6 into main Jun 23, 2026
5 checks passed
@jeffjensen jeffjensen deleted the ci/release-workflow branch June 23, 2026 01:34