fix: consolidate publishing onto pluginMaven to fix release signing collision #296

Merged
tnj merged 2 commits into master from fix/release-signing-only-release-publication
Jun 17, 2026

@tnj tnj commented Jun 16, 2026

Member

Problem

The 2.10.0 release failed at Task :signPluginMavenPublication:

Task ':publishReleasePublicationToMavenRepository' uses this output of task ':signPluginMavenPublication' (*.asc) without declaring an explicit or implicit dependency.

Root cause: the hand-rolled release publication and the plugin-publish-managed pluginMaven publication reference the same physical jars. With signing required, signReleasePublication and signPluginMavenPublication both write the same *.asc files, and the Central publish task consumes an .asc produced by the other publication's sign task. (Local publishToMavenLocal didn't catch this because signing was SKIPPED there.)

Nothing was published — Maven Central returns 404 for com.deploygate:gradle:2.10.0, so the same version can be re-released after this fix.

Fix

Drop the separate release publication and reuse plugin-publish's pluginMaven for both Maven Central and the Plugin Portal. One publication ⇒ one set of artifacts ⇒ one signing task per artifact ⇒ no .asc collision.

  • build.gradle: configure pluginMaven (set artifactId = gradle for back-compat + the pom) instead of a second publication; remove the explicit sign call (plugin-publish already signs pluginMaven + marker); gate signing on publishPluginMavenPublicationToMavenRepository.
  • release.sh: publish via publishPluginMavenPublicationToMavenRepository.

The marker still depends on com.deploygate:gradle (verified), and the jar still ships both deploygate.properties and com.deploygate.properties.

Verification (local, throwaway GPG key)

A signing-required (RELEASE_SCRIPT_TEST=true) publish of pluginMaven + the marker to a file:// repo succeeds with no implicit-dependency error, emitting signed jar/sources/javadoc/module/pom (+ .asc) for com.deploygate:gradle:2.10.0 and the signed marker pom. spotlessCheck and validatePlugins pass.

After merge

Re-point git tag -f 2.10.0 onto the new HEAD and force-push to re-trigger the release.

🤖 Generated with Claude Code

…igning

The 2.10.0 release failed at `signPluginMavenPublication` with an implicit
task-dependency error: the hand-rolled `release` publication and the
plugin-publish-managed `pluginMaven` publication both reference the same
physical jars, so `signReleasePublication` and `signPluginMavenPublication`
each wrote the same `*.asc` files. `publishReleasePublicationToMavenRepository`
then consumed an `.asc` produced by `signPluginMavenPublication` without a
declared dependency, which Gradle rejects.

Drop the separate `release` publication and reuse plugin-publish's
`pluginMaven` for both Maven Central and the Plugin Portal: a single
publication means a single set of artifacts and a single signing task per
artifact, so there is no `.asc` collision. The Maven Central coordinate stays
`com.deploygate:gradle` (artifactId override), and the plugin marker keeps
depending on `com.deploygate:gradle`.

- build.gradle: configure `pluginMaven` (artifactId + pom) instead of a
  separate `release` publication; drop the explicit `sign` call (plugin-publish
  already signs pluginMaven + marker); gate signing on the new
  `publishPluginMavenPublicationToMavenRepository` task.
- release.sh: publish via `publishPluginMavenPublicationToMavenRepository`.

Verified locally with a throwaway GPG key: a signing-required publish of both
`pluginMaven` and the marker to a file repository succeeds with no implicit-
dependency error and emits signed jar/sources/javadoc/module/pom (+ marker).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 16, 2026 02:08

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request refactors the publishing configuration in build.gradle to reuse the pluginMaven publication generated by the java-gradle-plugin instead of maintaining a separate hand-rolled publication. This avoids duplicate signing tasks and conflicting signature files. The publishing task name is updated accordingly in both build.gradle and release.sh. Feedback suggests improving the robustness of the task graph check in build.gradle by checking task names dynamically rather than using hasTask, which can fail depending on how the task path is specified.

Comment thread build.gradle Outdated

Copilot AI left a comment

Pull request overview

This PR aims to fix a Gradle publishing/signing collision during release by consolidating Maven Central publishing onto the existing pluginMaven publication (managed by com.gradle.plugin-publish), removing the separate hand-rolled release publication that caused .asc output conflicts.

Changes:

  • Update release.sh to publish to Maven Central via publishPluginMavenPublicationToMavenRepository instead of the removed release publication task.
  • Reconfigure build.gradle to customize the existing pluginMaven publication (notably the Maven Central artifactId) instead of defining a second publication.
  • Adjust signing configuration to gate on the new publish task (but currently removes explicit signing of publications).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| release.sh | Switches release publishing task to publishPluginMavenPublicationToMavenRepository. |
| build.gradle | Drops the custom release publication and reuses/configures pluginMaven; updates signing gating accordingly. |

`gradle.taskGraph.hasTask("publishPluginMavenPublicationToMavenRepository")`
compares against the task *path* (":publishPluginMavenPublicationToMavenRepository"),
so the bare-name argument never matched and `signing.required` was effectively
always false — signing only happened when a key was present, and a release run
with a missing key would silently publish unsigned artifacts (which Maven
Central then rejects).

Match by task name via `gradle.taskGraph.allTasks.any { it.name == ... }` so the
gate fails fast when a release runs without a signing key. Verified locally:
with a key the publish signs and succeeds; without a key the build now fails at
`signPluginMavenPublication` ("no configured signatory") instead of skipping.

Addresses review feedback from gemini-code-assist on PR #296.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

tnj commented Jun 16, 2026

Member Author

@copilot Thanks for the review — the summary is accurate. One clarification: removing the explicit sign call from the signing block is intentional. com.gradle.plugin-publish automatically signs the pluginMaven and marker publications when the signing plugin is applied, so adding our own sign would double-sign the same jars and produce conflicting .asc outputs (which is exactly what broke the release).

Verified locally with a real key: the com.deploygate:gradle:2.10.0 jar/sources/javadoc/module/pom and the marker pom are all emitted with .asc signatures.
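
A pre-publish check for the failure mode discussed in this thread (a release run that ships artifacts without `.asc` signatures), as an added example that is not part of the PR or the DeployGate repository. It scans a staged `file://` repository directory; the function names, the `VERIFY_GPG` and `STAGING_REPO` variables and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the DeployGate build. Paths are constructed.

# Every file a Maven publication uploads that needs a detached signature.
list_artifacts() {
    find "$1" -type f \( -name '*.jar' -o -name '*.pom' -o -name '*.module' \) | sort
}

# Print each artifact whose <file>.asc is missing or empty. With VERIFY_GPG=1
# also print those whose signature fails `gpg --verify` against the local keyring.
list_unsigned() {
    list_artifacts "$1" | while IFS= read -r artifact; do
        if [ ! -s "$artifact.asc" ]; then
            printf '%s\n' "$artifact"
        elif [ "${VERIFY_GPG:-0}" = 1 ] &&
             ! gpg --verify "$artifact.asc" "$artifact" >/dev/null 2>&1; then
            printf '%s\n' "$artifact"
        fi
    done
}

# Return 0 only when artifacts exist and all are signed; an empty staging
# directory is a failure too, so a skipped publish cannot pass the gate.
check_signed() {
    if [ -z "$(list_artifacts "$1")" ]; then
        echo "no artifacts under $1" >&2
        return 1
    fi
    unsigned=$(list_unsigned "$1")
    if [ -n "$unsigned" ]; then
        printf 'unsigned or unverifiable:\n%s\n' "$unsigned" >&2
        return 1
    fi
}

# Constructed sample: a staged com/deploygate/gradle/2.10.0 directory in which
# the sources jar has no signature. Placeholder file contents, not real jars.
make_sample_repo() {
    dir=$(mktemp -d)/com/deploygate/gradle/2.10.0
    mkdir -p "$dir"
    for f in gradle-2.10.0.jar gradle-2.10.0-sources.jar gradle-2.10.0.pom; do
        echo data > "$dir/$f"
        echo sig > "$dir/$f.asc"
    done
    rm "$dir/gradle-2.10.0-sources.jar.asc"
    printf '%s\n' "$dir"
}

if [ -n "${STAGING_REPO:-}" ]; then check_signed "$STAGING_REPO"; fi
```

Without `VERIFY_GPG=1` the check only proves that signature files exist; it does not prove they were made with the intended release key.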

@tnj tnj requested a review from satsukies June 16, 2026 04:24

@satsukies satsukies left a comment

Member

LGTM

@tnj tnj merged commit 4931937 into master Jun 17, 2026
11 checks passed
@tnj tnj deleted the fix/release-signing-only-release-publication branch June 17, 2026 02:32

tnj commented Jun 17, 2026

Member Author

Thanks again!
