build: dual-publish 2.10.0 to the Gradle Plugin Portal and Maven Central#295
Conversation
The legacy Sonatype OSSRH was sunset on 2025-06-30, so the old publish
target returns HTTP 402. Migrate publishing to:
* Gradle Plugin Portal (id `com.deploygate`) via `com.gradle.plugin-publish`
* Maven Central (`com.deploygate:gradle`) via the OSSRH Staging API
compatibility endpoint, finalized with a POST that transfers the
deployment to the Central Portal.
Details:
- build.gradle: add the plugin-publish plugin (2.1.1, required for the
Gradle 9.x acceptance-matrix host) and a `gradlePlugin {}` block that
registers only the namespaced `com.deploygate` id. The legacy bare
`deploygate` id keeps working via the hand-written descriptor shipped
alongside the generated one. Point the publish URL at
ossrh-staging-api.central.sonatype.com. Drop the explicit sources/javadoc
artifacts from the `release` publication because plugin-publish already
enables withSourcesJar()/withJavadocJar() on components.java.
- release.sh: run `publishPlugins` alongside the Maven publish, then POST
the finalization request (publishing_type=automatic) to release to
Maven Central.
- release.yml: wire GRADLE_PORTAL_PUBLISH_KEY/SECRET and the Central
Portal token; update the Slack message.
- README: lead with the plugins DSL (resolved from the Portal) and drop
the now-unnecessary resolutionStrategy workaround; keep the legacy
buildscript classpath path for back-compat.
- UploadArtifactTask: annotate the abstract inputParamsProvider getter
with @internal so validatePlugins (now wired into `check` by
java-gradle-plugin) passes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Code Review
This pull request updates the Gradle DeployGate plugin to support publishing to the Gradle Plugin Portal and transitions the Maven Central deployment to the new Sonatype Central Portal API. It also updates the README documentation to recommend the plugins DSL. A critical issue was identified in release.sh where the Authorization header incorrectly uses Bearer instead of Basic for Base64-encoded credentials, which will cause authentication to fail.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
There was a problem hiding this comment.
Pull request overview
This PR updates the release pipeline for v2.10.0 to dual-publish the Gradle DeployGate plugin to both the Gradle Plugin Portal (com.deploygate) and Maven Central (com.deploygate:gradle), migrating away from the legacy OSSRH endpoint that is being sunset.
Changes:
- Add
com.gradle.plugin-publishconfiguration and Gradle Plugin Portal metadata, while keeping the legacydeploygateplugin ID working via the existing descriptor. - Update Maven publishing to use Central Portal’s OSSRH Staging API compatibility endpoint, and add a post-upload finalization call.
- Wire new secrets into the release workflow and update README guidance to recommend the
plugins {}DSL.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/main/groovy/com/deploygate/gradle/plugins/tasks/UploadArtifactTask.groovy | Annotates an abstract task property to satisfy validatePlugins under plugin-publish/java-gradle-plugin. |
| release.sh | Publishes to both destinations and finalizes the Central Portal staging upload. |
| README.md | Recommends the plugins DSL via Plugin Portal and keeps legacy buildscript usage documented. |
| build.gradle | Adds plugin-publish plugin and Gradle Plugin Portal metadata; updates Central publishing endpoint and removes duplicate sources/javadoc artifacts. |
| .github/workflows/release.yml | Adds Plugin Portal credentials + Central finalization token env vars; updates Slack message. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Add `set -o pipefail` so a failure in the `printf | base64` pipeline that computes the auth token aborts the release (per Copilot review). - Add a comment clarifying that the Central Portal Publisher API uses the Bearer scheme with a base64(user:pass) token (not HTTP Basic) — this is non-standard but documented, and was flagged by two automated reviewers. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
ship it🚀 |
Overview
The legacy Sonatype OSSRH was sunset on 2025-06-30, so the old publish target now returns HTTP 402. This migrates 2.10.0 publishing to dual targets:
com.deploygate) viacom.gradle.plugin-publishcom.deploygate:gradle) via the OSSRH Staging API compatibility endpoint, finalized with a POST that transfers the deployment to the Central PortalChanges
plugin-publish2.1.1 (the 2.x line is required for the Gradle 9.x acceptance-matrix host) and agradlePlugin {}block that registers only the namespacedcom.deploygateid. The legacy baredeploygateid keeps working via the hand-written descriptor, shipped alongside the generated one. Point the publish URL atossrh-staging-api.central.sonatype.com. Drop the explicit sources/javadoc artifacts from thereleasepublication because plugin-publish already enableswithSourcesJar()/withJavadocJar()oncomponents.java.publishPluginsalongside the Maven publish, then issue the finalization POST (publishing_type=automatic) to release to Maven Central.GRADLE_PORTAL_PUBLISH_KEY/SECRETand the Central Portal token; update the Slack message.resolutionStrategyworkaround; keep the legacybuildscriptclasspath path for back-compat.inputParamsProvidergetter with@InternalsovalidatePlugins(now wired intocheckby java-gradle-plugin) passes.Local verification (wrapper 8.14.3 / JDK 17)
validatePlugins✅ /publishToMavenLocal(release, pluginMaven, marker publications) ✅ /spotlessCheck✅deploygate.properties(legacy) andcom.deploygate.properties(new)testPluginAcceptanceTest --dry-runsucceeds → plugin-publish 2.1.1 configures on the Gradle 9.x acceptance-matrix rowsPost-merge steps
git tag -f 2.10.0onto the new HEAD and force-push to trigger release.ymlGRADLE_PORTAL_PUBLISH_KEY/SECRET, andSHARED_NEXUS_TOKEN_*updated with the Central token). The_TOKEN-lessSHARED_NEXUS_USERNAME/PASSWORDare unreferenced and can be deleted.🤖 Generated with Claude Code