This project aims to demonstrates building complete CI/CD workflow using GitHub Actions which includes following agenda:

• Automate unit/integration testing
• Validate code formatting
• Add code owners to review code
• Create release drafts and publish them
• Upload artifacts to Sonatype OSSRH and subsequently to Maven Central
• Upload code coverage reports on Codecov.io
• Notify release on Slack

Notes:

• With following issue, I was able to secure the namespace com.shivamkapoor in Sonatype OSSRH (Open Source Software Repository Hosting).

  https://issues.sonatype.org/browse/OSSRH-71578

1. Install GnuPG and verify the installation

   Refer: https://www.gnupg.org/download/

   $ gpg --version
   
   gpg (GnuPG/MacGPG2) 2.2.8
   libgcrypt 1.8.3
   Copyright (C) 2018 Free Software Foundation, Inc.
   License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>

2. Generate a key

   A key pair allows you to sign artifacts with GPG and users can subsequently validate that artifacts have been signed by you. You can generate a key with:

   $ gpg --gen-key

3. List the keys

   Once key pair is generated, we can list them along with any other keys installed:

   $ gpg --list-keys
   
   /home/foo/.gnupg/pubring.gpg
   ------------------------------
   
   pub   rsa4096 2018-08-22 [SC]
       1234517530FB96F147C6A146A326F592D39AAAAA
   uid           [ultimate] your name <[email protected]>
   sub   rsa4096 2018-08-22 [E]

4. Distribute the key and verify

   Since other people need your public key to verify your files, you have to distribute your public key to a key server:

   $ gpg --keyserver keyserver.ubuntu.com --send-keys 1234517530FB96F147C6A146A326F592D39AAAAA
   $ gpg --keyserver keyserver.ubuntu.com --search-keys '[email protected]'

5. Export secret keys for sbt

   $ gpg -a --export-secret-keys > ~/.sbt/gpg/secring.asc

6. Create Sonatype credentials file under .sbt and add following to that file:

   $ cat sonatype_credentials
   
   realm=Sonatype Nexus Repository Manager
   host=s01.oss.sonatype.org
   user=<your username>
   password=<your password>

7. Create sonatype.sbt and add location to sonatype credentials

   This lets sbt know what credentials to use to access sonatype OSSRH.

   $ cat ~/.sbt/1.0/sonatype.sbt
   credentials += Credentials(Path.userHome / ".sbt" / "sonatype_credentials")

Publish artifacts to nexus repository

$ sbt publishSigned

Note: Versions that end with -SNAPSHOT will end up in snapshot repository and won't be eligible for release. Other versions would be released to staging repository which are eligible for release to maven central.

In order to release artifacts against a version, go to staging repository, select the repository, close it and then release.

Note: After you successfully release, your component will be available to the public on Central https://repo1.maven.org/maven2/, typically within 30 minutes, though updates to https://search.maven.org can take up to four hours.

Alternatively, you could use sbt-sonatype plugin to take care of steps above for you, like so:

$ sbt sonatypeRelease

• Publish Guide
• SBT Sonatype
• How to publish scala module in sonatype and maven?
• How to Publish a Java Library to Maven Central
• Nexus Repository Tutorial