Deploying to Maven Central from GitHub Actions
This page explains how to publish to Maven Central via the Maven Central Portal from GitHub Actions, assuming you can already release there manually. See the Maven Central Getting Started Guide if you do not have an account yet.
In order to publish directly to Maven Central from GitHub Actions, you will need a Maven Central user token, a PGP key for signing artifacts, and the correct plugins configured.
Plugin setup
There are some plugins that should only be executed during releases, like the central-publishing-maven-plugin, so you may wish to enable a profile during a release which has those plugins. The following will enable the release profile during a release:
<build>
    <plugins>
        <plugin>
            <groupId>com.github.danielflower.mavenplugins</groupId>
            <artifactId>multi-module-maven-release-plugin</artifactId>
            <version>3.8.2</version>
            <configuration>
                <releaseProfiles>
                    <releaseProfile>release</releaseProfile>
                </releaseProfiles>
            </configuration>
        </plugin>
    </plugins>
</build>
The release profile can just have the maven-gpg-plugin (used to sign all the generated artifacts) and the central-publishing-maven-plugin. Note that both plugins will use secrets that will be managed by GitHub Actions.
<profiles>
    <profile>
        <id>release</id>
        <build>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-gpg-plugin</artifactId>
                    <executions>
                        <execution>
                            <id>sign-artifacts</id>
                            <phase>verify</phase>
                            <goals>
                                <goal>sign</goal>
                            </goals>
                            <configuration>
                                <signer>bc</signer>
                            </configuration>
                        </execution>
                    </executions>
                </plugin>
                <plugin>
                    <groupId>org.sonatype.central</groupId>
                    <artifactId>central-publishing-maven-plugin</artifactId>
                    <extensions>true</extensions>
                    <configuration>
                        <publishingServerId>central</publishingServerId>
                        <autoPublish>true</autoPublish>
                        <waitUntil>published</waitUntil>
                    </configuration>
                </plugin>
            </plugins>
        </build>
    </profile>
</profiles>
You'll also need to enable the maven-javadoc-plugin and maven-source-plugin as per Maven Central requirements. You can put these in your release profile or normal build section.
Secrets management
Add the following secrets to your repository or organisation:
- CENTRAL_USERNAME - the user token name generated at https://central.sonatype.org/publish/generate-portal-token/
- CENTRAL_TOKEN - the password for your generated token
- GPG_SECRET_KEY - your GPG key as described here.
- GPG_SECRET_KEY_PASSPHRASE - the password for your GPG key
Set your SCM plugin URLs to use HTTPS
Make sure HTTPS is used in your scm section, as SSH URLs will not work during the release from GitHub Actions. For example:
<scm>
    <url>https://github.com/3redronin/mu-acme</url>
    <connection>scm:git:https://github.com/3redronin/mu-acme.git</connection>
</scm>
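A pre-flight check for the two POM requirements above (HTTPS scm URLs and a release profile containing both plugins), as an added example that is not part of the plugin's own documentation. The function name, the sample POM and the check on developerConnection are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Plugins the page puts in the release profile.
REQUIRED_PLUGINS = {"maven-gpg-plugin", "central-publishing-maven-plugin"}
# developerConnection is not shown on the page; checking it is an assumption.
SCM_URL_FIELDS = ("url", "connection", "developerConnection")

def preflight(pom_xml, profile_id="release"):
    """Return problems that would break a release run from GitHub Actions."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():                      # drop the POM namespace, if any
        el.tag = el.tag.rsplit("}", 1)[-1]
    problems = []
    scm = root.find("scm")
    if scm is None:
        problems.append("no <scm> section")
    else:
        for field in SCM_URL_FIELDS:
            value = (scm.findtext(field) or "").strip()
            target = value[len("scm:git:"):] if value.startswith("scm:git:") else value
            if value and not target.startswith("https://"):
                problems.append(f"scm/{field} is not HTTPS: {value}")
    profile = next((p for p in root.findall("profiles/profile")
                    if (p.findtext("id") or "").strip() == profile_id), None)
    if profile is None:
        problems.append(f"no <profile> with id '{profile_id}'")
    else:
        present = {(a.text or "").strip()
                   for a in profile.findall("build/plugins/plugin/artifactId")}
        problems += [f"profile '{profile_id}' lacks {name}"
                     for name in sorted(REQUIRED_PLUGINS - present)]
    return problems

# Constructed sample POM (not from the page): SSH developerConnection, no publishing plugin.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <scm>
    <url>https://github.com/example/demo</url>
    <connection>scm:git:https://github.com/example/demo.git</connection>
    <developerConnection>scm:git:git@github.com:example/demo.git</developerConnection>
  </scm>
  <profiles><profile><id>release</id><build><plugins>
    <plugin><artifactId>maven-gpg-plugin</artifactId></plugin>
  </plugins></build></profile></profiles>
</project>"""

if __name__ == "__main__":
    for problem in preflight(SAMPLE_POM):
        print("FAIL:", problem)
```

Run it against your own pom.xml contents before triggering the workflow; an empty list means both requirements are met.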
Create a release workflow
Create a file in your git repository at .github/workflows/release.yaml with the following contents. It first tests and verifies your package using Java 21, and then releases to Maven Central:
name: Publish to Maven Central Repository
on: workflow_dispatch
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history, so the release plugin can see the git tags
          fetch-depth: 0
      - name: Set up Maven Central Repository
        uses: actions/setup-java@v4
        with:
          java-version: '21'
          distribution: 'temurin'
          cache: 'maven'
          server-id: central
          # Names of the environment variables that hold the credentials
          server-username: CENTRAL_USERNAME
          server-password: CENTRAL_TOKEN
      - name: Verify package
        run: mvn --batch-mode verify
      - name: Release package
        run: mvn --batch-mode -DskipTests=true releaser:release
        env:
          CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
          CENTRAL_TOKEN: ${{ secrets.CENTRAL_TOKEN }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_SECRET_KEY_PASSPHRASE }}
          MAVEN_GPG_KEY: ${{ secrets.GPG_SECRET_KEY }}
Build triggers, Java versions and build steps can be customised for your own requirements. The important parts to keep are the fetch-depth: 0 for checkout (so the plugin can look at the git tags in your repo), the GPG secret key installation and the maven-settings action.
With these settings committed and pushed to GitHub, you should see a Publish to Maven Central job in the Actions section which lets you manually run the release.