Release Scene Builder kit to maven central

[abhinayagarwal]

JReleaser needs to be updated to also release kit to Maven Central. Currently the kit jar file is only pushed to Github Releases and AWS S3.

In addition to this, we also need to push snapshots to maven central as well.

[aalmiray]

Is the release kit supposed to be consumed by Maven/Gradle builds (JARs and POMs)? If so then releasing to Maven Central is the way to go. If not, then publishing it as release asset (which is currently in place) is what I'd recommend.

[aalmiray]

Releasing artifacts to Maven Central with JReleaser is described in the guide at https://jreleaser.org/guide/latest/examples/maven/maven-central.html

Follow these steps:

0. Upgrade JReleaser to 1.14.0
1. Choose if you'll publish using the Sonatype Portal API (newest option) or OSSRH (legacy option). Both options require securing username/token from Sonatype (https://central.sonatype.org/publish/generate-portal-token/). Check your settings if you have OSSRH credentials (username/password) because you now require username/token https://central.sonatype.org/publish/generate-token/)
2. Stage all deployable artifacts (JARs, POMs) to a local directory. The guide shows how.
3. Configure the local directory as a stagingRepository in the JReleaser configuration
4. Ensure you have the minimum set of required secrets:

• JRELEASER_GPG_PUBLIC_KEY
• JRELEASER_GPG_SECRET_KEY
• JRELEASER_GPGP_PASSPHRASE
• JRELEASER_NEXUS2_USERNAME / JRELEASER_NEXUS2_PASSWORD (if using nexus2 deployer for OSSRH)
• JRELEASER_MAVENCENTRAL_USERNAME / JRELEASER_MAVENCENTRAL_PASSWORD (if using mavenCentral deployer)

You can try a deployment in dryrun mode by invoking mvn -B -ntp -N jreleaser:jreleaserDeploy -Djreleaser.dry.run=true. If everything looks good then give it a go without dryrun.

[jperedadnr]

Thanks, @aalmiray, I've followed your instructions, and created the PR #759.

In order to test it, which would require merging into main, I'm running a test branch here: https://github.com/jperedadnr/scenebuilder/tree/test-publish (see https://github.com/jperedadnr/scenebuilder/actions/runs/11392044901), and based on it I've done some more changes.

However, I'm not sure if there is an issue with the password/token I'm using (via secret), as I keep getting:

[INFO]      [nexus2]  - com/gluonhq/scenebuilder/kit/24.0.0-SNAPSHOT/kit-24.0.0-20241017.195447-1-javadoc.jar
[DEBUG]     [nexus2]  - deploying kit-24.0.0-20241017.195447-1-javadoc.jar as /com/gluonhq/scenebuilder/kit/24.0.0-SNAPSHOT/kit-24.0.0-20241017.195447-1-javadoc.jar
[DEBUG]     [nexus2] url: https://s01.oss.sonatype.org/content/repositories/snapshots/com/gluonhq/scenebuilder/kit/24.0.0-SNAPSHOT/kit-24.0.0-20241017.195447-1-javadoc.jar
[DEBUG]     [nexus2] opening connection
[DEBUG]     [nexus2] configuring connection
[DEBUG]     [nexus2] Accept: [*/*]
[DEBUG]     [nexus2] Expect: [100-continue]
[DEBUG]     [nexus2] User-Agent: [JReleaser/1.14.0]
[DEBUG]     [nexus2] Content-Type: [application/java-archive]
[DEBUG]     [nexus2] sending data
[DEBUG]     [nexus2] handling response
server replied with 401: Content access is protected by token
[ERROR]     [nexus2]  x kit-24.0.0-20241017.195447-1-javadoc.jar
org.jreleaser.sdk.nexus2.Nexus2Exception: Error when deploying artifact kit-24.0.0-20241017.195447-1-javadoc.jar
	at org.jreleaser.sdk.nexus2.Nexus2.fail(Nexus2.java:305)
	at org.jreleaser.sdk.nexus2.Nexus2.deploy(Nexus2.java:296)
	at org.jreleaser.sdk.nexus2.Nexus2MavenDeployer.uploadArtifacts(Nexus2MavenDeployer.java:250)
	at org.jreleaser.sdk.nexus2.Nexus2MavenDeployer.deploy(Nexus2MavenDeployer.java:160)
...

[aalmiray]

Right. You need username/token instead of username/password

https://community.sonatype.com/t/401-content-access-is-protected-by-token-authentication-failure-while-performing-maven-release/12741

https://central.sonatype.org/publish/generate-token/

[jperedadnr]

Sure, I've already got username/token, we've been using these to publish other artifacts to Maven Central successfully.

I've tried so far a number of times (see https://github.com/jperedadnr/scenebuilder/actions), always with the same error. I've set the secrets several times as well, just to double/triple check.

I've also added the server block to the settings.xml file with the same token (via setup-java action), but I guess this is not needed using JReleaser. In any case, it doesn't make a difference.

Do you have any further advice on how to proceed?

[aalmiray]

Well as far as I can tell this error occurs due to invalid credentials. Is the username/token combination valid for the chosen server (s01) or is it the other legacy server?

[jperedadnr]

Oh, you are right about using the legacy server https://oss.sonatype.org instead of https://s01.oss.sonatype.org

It is confusing, since we can sign in in both with the same old Nexus user/password, and therefore I thought the new user/token secrets were the same for both. But now I see there are different, and I have now a new pair of secrets for s01.

Running again with these and s01, I get:

Caused by: org.jreleaser.model.spi.deploy.DeployException: Unexpected error when deploying target/staging-deploy/com/gluonhq/scenebuilder/kit/24.0.0-SNAPSHOT/kit-24.0.0-20241018.163838-1-javadoc.jar: Error when deploying artifact kit-24.0.0-20241018.163838-1-javadoc.jar
	at org.jreleaser.sdk.nexus2.Nexus2MavenDeployer.uploadArtifacts(Nexus2MavenDeployer.java:253)
	at org.jreleaser.sdk.nexus2.Nexus2MavenDeployer.deploy(Nexus2MavenDeployer.java:160)
	at org.jreleaser.engine.deploy.maven.ProjectMavenDeployer.deploy(ProjectMavenDeployer.java:55)
	at org.jreleaser.engine.deploy.maven.MavenDeployers.deploy(MavenDeployers.java:167)
	... 33 more
Caused by: org.jreleaser.sdk.nexus2.Nexus2Exception: Error when deploying artifact kit-24.0.0-20241018.163838-1-javadoc.jar
	at org.jreleaser.sdk.nexus2.Nexus2.fail(Nexus2.java:305)
	at org.jreleaser.sdk.nexus2.Nexus2.deploy(Nexus2.java:296)
	at org.jreleaser.sdk.nexus2.Nexus2MavenDeployer.uploadArtifacts(Nexus2MavenDeployer.java:250)
	... 36 more
Caused by: org.jreleaser.model.spi.upload.UploadException: Got 403 reason: Forbidden
	at org.jreleaser.sdk.commons.ClientUtils.uploadFile(ClientUtils.java:327)
	at org.jreleaser.sdk.commons.ClientUtils.putFile(ClientUtils.java:253)
	at org.jreleaser.sdk.nexus2.Nexus2.deploy(Nexus2.java:288)
	... 37 more

Why can we publish to old Sonatype with maven-deploy-plugin, but not to s01 with JReleaser?

[jperedadnr]

Okay, changing back to oss.sonatype.org works...

[aalmiray]

You can only publish to the server where your namespace is registered. You can find out by login into a given server using the UI and inspecting your staging profiles.