HHH-19341 Add JReleaser config for publishing to Maven Central (OSSRH)

and add a placeholder config for the future switch to Central

Author: marko-bekhta

.gitignore

@@ -50,4 +50,4 @@ ObjectStore
 *.swo
 
 # SDKman, used by some module maintainers
-.sdkmanrc
+.sdkmanrc

MAINTAINERS.md

@@ -106,6 +106,18 @@ and the documentation to [docs.jboss.org](https://docs.jboss.org/hibernate/orm/)
 
 After the job succeeds:
 
+* Release the artifacts on the [OSSRH repository manager](https://oss.sonatype.org/#stagingRepositories).
+  * Log into Nexus. The credentials can be found on Bitwarden; ask a teammate if you don't have access.
+  * Click "staging repositories" to the left.
+  * Examine your staging repository: check that all expected artifacts are there.
+  * If necessary (that's very rare), test the release in the staging repository.
+    You can drop the staging repo if there is a problem,
+    but you'll need to revert the commits pushed during the release.
+  * If everything is ok, select the staging repository and click the "Release" button.
+    * For branches with automated releases (e.g. 6.6) the "release repository" will happen automatically.
+      to enable/disable the automatic release of the staging repository update the [jreleaser.yml](jreleaser.yml) file,
+      in particular change the `deploy.maven.nexus2.maven-central.releaseRepository` to `true`/`false`.
+
 * Update [hibernate.org](https://github.com/hibernate/hibernate.org) if necessary:
   * If it is a new major or minor release, add a `_data/projects/orm/releases/series.yml` file
     and a `orm/releases/<version>/index.adoc` file.

build.gradle

@@ -55,14 +55,6 @@ tasks.register( 'releasePerform' ) {
 	// See `:release:releasePerform` which does a lot of heavy lifting here
 }
 
-
-nexusPublishing {
-	repositories {
-		sonatype()
-	}
-}
-
-
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // CI Build Task
 

ci/release/Jenkinsfile

@@ -190,12 +190,11 @@ pipeline {
 							// tags the version
 							// changes the version to the provided development version
 							withEnv([
-									"BRANCH=${env.GIT_BRANCH}",
 									"DISABLE_REMOTE_GRADLE_CACHE=true",
 									// Increase the amount of memory for this part since asciidoctor doc rendering consumes a lot of metaspace
 									"GRADLE_OPTS=-Dorg.gradle.jvmargs='-Dlog4j2.disableJmx -Xmx4g -XX:MaxMetaspaceSize=768m -XX:+HeapDumpOnOutOfMemoryError -Duser.language=en -Duser.country=US -Duser.timezone=UTC -Dfile.encoding=UTF-8'"
 							]) {
-								sh ".release/scripts/prepare-release.sh ${env.PROJECT} ${env.RELEASE_VERSION} ${env.DEVELOPMENT_VERSION}"
+								sh ".release/scripts/prepare-release.sh -b ${env.GIT_BRANCH} -d ${env.DEVELOPMENT_VERSION} ${env.PROJECT} ${env.RELEASE_VERSION}"
 							}
 						}
 					}
@@ -213,19 +212,28 @@ pipeline {
 					]) {
 						withCredentials([
 							// https://github.com/gradle-nexus/publish-plugin#publishing-to-maven-central-via-sonatype-ossrh
-							usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'ORG_GRADLE_PROJECT_sonatypePassword', usernameVariable: 'ORG_GRADLE_PROJECT_sonatypeUsername'),
+							// TODO: HHH-19309:
+							//  Once we switch to maven-central publishing (from nexus2) we need to add a new credentials
+							//  to use the following env variable names to set the user/password:
+							//  - JRELEASER_MAVENCENTRAL_USERNAME
+							//  - JRELEASER_MAVENCENTRAL_TOKEN
+							//  Also use the new `credentialsId` for Maven Central, e.g.:
+							//  usernamePassword(credentialsId: '???????', passwordVariable: 'JRELEASER_MAVENCENTRAL_TOKEN', usernameVariable: 'JRELEASER_MAVENCENTRAL_USERNAME'),
+							usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'JRELEASER_NEXUS2_PASSWORD', usernameVariable: 'JRELEASER_NEXUS2_USERNAME'),
 							// https://docs.gradle.org/current/userguide/publishing_gradle_plugins.html#account_setup
 							usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'GRADLE_PUBLISH_SECRET', usernameVariable: 'GRADLE_PUBLISH_KEY'),
+							gitUsernamePassword(credentialsId: 'username-and-token.Hibernate-CI.github.com', gitToolName: 'Default'),
 							file(credentialsId: 'release.gpg.private-key', variable: 'SIGNING_GPG_PRIVATE_KEY_PATH'),
-							string(credentialsId: 'release.gpg.passphrase', variable: 'SIGNING_GPG_PASSPHRASE'),
-							gitUsernamePassword(credentialsId: 'username-and-token.Hibernate-CI.github.com', gitToolName: 'Default')
+							string(credentialsId: 'release.gpg.passphrase', variable: 'JRELEASER_GPG_PASSPHRASE'),
+							string(credentialsId: 'Hibernate-CI.github.com', variable: 'JRELEASER_GITHUB_TOKEN')
 						]) {
 							sshagent(['ed25519.Hibernate-CI.github.com', 'hibernate.filemgmt.jboss.org', 'hibernate-ci.frs.sourceforge.net']) {
 								// performs documentation upload and Sonatype release
 								// push to github
 								withEnv([
 										"DISABLE_REMOTE_GRADLE_CACHE=true"
 								]) {
+									env.RELEASE_GPG_HOMEDIR = env.WORKSPACE_TMP + '/.gpg'
 									sh ".release/scripts/publish.sh ${env.SCRIPT_OPTIONS} ${env.PROJECT} ${env.RELEASE_VERSION} ${env.DEVELOPMENT_VERSION} ${env.GIT_BRANCH}"
 								}
 							}

ci/snapshot-publish.Jenkinsfile

@@ -10,6 +10,14 @@ if (currentBuild.getBuildCauses().toString().contains('BranchIndexingCause')) {
   	return
 }
 
+def checkoutReleaseScripts() {
+    dir('.release/scripts') {
+        checkout scmGit(branches: [[name: '*/main']], extensions: [],
+                userRemoteConfigs: [[credentialsId: 'ed25519.Hibernate-CI.github.com',
+                                     url: 'https://github.com/hibernate/hibernate-release-scripts.git']])
+    }
+}
+
 pipeline {
     agent {
         label 'Release'
@@ -30,21 +38,35 @@ pipeline {
 		}
 		stage('Publish') {
 			steps {
-                withCredentials([
-                    // https://github.com/gradle-nexus/publish-plugin#publishing-to-maven-central-via-sonatype-ossrh
-                    usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'ORG_GRADLE_PROJECT_sonatypePassword', usernameVariable: 'ORG_GRADLE_PROJECT_sonatypeUsername'),
-                    // https://docs.gradle.org/current/userguide/publishing_gradle_plugins.html#account_setup
-                    usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'GRADLE_PUBLISH_SECRET', usernameVariable: 'GRADLE_PUBLISH_KEY'),
-                    file(credentialsId: 'release.gpg.private-key', variable: 'SIGNING_GPG_PRIVATE_KEY_PATH'),
-                    string(credentialsId: 'release.gpg.passphrase', variable: 'SIGNING_GPG_PASSPHRASE'),
-                    gitUsernamePassword(credentialsId: 'username-and-token.Hibernate-CI.github.com', gitToolName: 'Default')
-                ]) {
-					withEnv([
-							"DISABLE_REMOTE_GRADLE_CACHE=true"
-					]) {
-						sh './gradlew clean publish -x test --no-scan --no-daemon --no-build-cache --stacktrace -PmavenMirror=nexus-load-balancer-c4cf05fd92f43ef8.elb.us-east-1.amazonaws.com'
-					}
-				}
+                script {
+                    withCredentials([
+                            // https://github.com/gradle-nexus/publish-plugin#publishing-to-maven-central-via-sonatype-ossrh
+                            // TODO: HHH-19309:
+                            //  Once we switch to maven-central publishing (from nexus2) we need to add a new credentials
+                            //  to use the following env variable names to set the user/password:
+                            //  - JRELEASER_MAVENCENTRAL_USERNAME
+                            //  - JRELEASER_MAVENCENTRAL_TOKEN
+                            //  Also use the new `credentialsId` for Maven Central, e.g.:
+                            //  usernamePassword(credentialsId: '???????', passwordVariable: 'JRELEASER_MAVENCENTRAL_TOKEN', usernameVariable: 'JRELEASER_MAVENCENTRAL_USERNAME'),
+                            usernamePassword(credentialsId: 'ossrh.sonatype.org', passwordVariable: 'JRELEASER_NEXUS2_PASSWORD', usernameVariable: 'JRELEASER_NEXUS2_USERNAME'),
+                            string(credentialsId: 'Hibernate-CI.github.com', variable: 'JRELEASER_GITHUB_TOKEN'),
+                            // https://docs.gradle.org/current/userguide/publishing_gradle_plugins.html#account_setup
+                            usernamePassword(credentialsId: 'gradle-plugin-portal-api-key', passwordVariable: 'GRADLE_PUBLISH_SECRET', usernameVariable: 'GRADLE_PUBLISH_KEY'),
+                            gitUsernamePassword(credentialsId: 'username-and-token.Hibernate-CI.github.com', gitToolName: 'Default')
+                    ]) {
+                        withEnv([
+                                "DISABLE_REMOTE_GRADLE_CACHE=true"
+                        ]) {
+                            checkoutReleaseScripts()
+                            def version = sh(
+                                    script: ".release/scripts/determine-current-version.sh orm",
+                                    returnStdout: true
+                            ).trim()
+                            echo "Current version: '${version}'"
+                            sh "bash -xe .release/scripts/snapshot-deploy.sh orm ${version}"
+                        }
+                    }
+                }
 			}
         }
     }
@@ -55,4 +77,4 @@ pipeline {
             }
         }
     }
-}
+}

hibernate-platform/hibernate-platform.gradle

@@ -65,11 +65,3 @@ var publishingExtension = project.getExtensions().getByType(PublishingExtension)
 publishingExtension.publications.named("publishedArtifacts", MavenPublication) {
     from components.javaPlatform
 }
-
-tasks.register("releasePerform") {
-    group "release"
-    description "See :release:releasePerform for details.  Here we hook in publishing to Sonatype"
-
-    dependsOn tasks.publishToSonatype
-}
-

jreleaser.yml

@@ -0,0 +1,63 @@
+project:
+  languages:
+    java:
+      groupId: org.hibernate.orm
+
+release:
+  github:
+    skipTag: true
+    skipRelease: true
+    tagName: '{{projectVersion}}'
+
+# File signing is always active
+signing:
+  mode: COMMAND
+  active: RELEASE
+  armored: true
+
+deploy:
+  maven:
+    # TODO: HHH-19309: Remove the entire nexus2 section:
+    nexus2:
+      maven-central:
+        active: RELEASE
+        url: https://oss.sonatype.org/service/local
+        snapshotUrl: https://oss.sonatype.org/content/repositories/snapshots/
+        closeRepository: true
+        releaseRepository: false
+        stagingRepositories:
+          - target/staging-deploy/maven
+      maven-central-snapshot:
+        active: SNAPSHOT
+        url: https://oss.sonatype.org/service/local
+        snapshotUrl: https://oss.sonatype.org/content/repositories/snapshots/
+        closeRepository: true
+        releaseRepository: true
+        javadocJar: false
+        sign: false
+        stagingRepositories:
+          - target/staging-deploy/maven
+    mavenCentral:
+      maven-central:
+        # TODO: HHH-19309: Change to RELEASE once switching to Maven-Central:
+        # Note, this is an untested configuration, hence might need further adjustments
+        active: NEVER
+        url: https://central.sonatype.com/api/v1/publisher
+        snapshotSupported: false
+        applyMavenCentralRules: true
+        stagingRepositories:
+          - target/staging-deploy/maven
+        # Deployment identifier used for publication.
+        # deploymentId: dd9991b0-18a7-41e7-b1fe-37b8ea936f85
+      maven-central-snapshot:
+        # TODO: HHH-19309: Change to SNAPSHOT once switching to Maven-Central:
+        active: NEVER
+        url: https://central.sonatype.com/api/v1/publisher
+        snapshotSupported: true
+        applyMavenCentralRules: true
+        javadocJar: false
+        sign: false
+        stagingRepositories:
+          - target/staging-deploy/maven
+        # Deployment identifier used for publication.
+        # deploymentId: dd9991b0-18a7-41e7-b1fe-37b8ea936f85

local-build-plugins/src/main/groovy/local.publishing-java-module.gradle

@@ -53,9 +53,3 @@ tasks.register("preVerifyRelease") {
     dependsOn releasePrepareTask
 }
 
-tasks.register( 'releasePerform' ) {
-    group "release-perform"
-    description "See :release:releasePerform for details.  Here we hook in publishing to Sonatype"
-
-    dependsOn tasks.publishToSonatype
-}

local-build-plugins/src/main/groovy/local.publishing.gradle

@@ -5,7 +5,6 @@
 
 plugins {
     id "maven-publish"
-    id "signing"
 }
 
 // Disable Gradle module metadata publishing until we know what we want.
@@ -63,6 +62,12 @@ publishingExtension.publications.configureEach {
     }
 }
 
+publishingExtension.repositories {
+    maven {
+        url = rootProject.layout.buildDirectory.dir("staging-deploy${File.separator}maven")
+    }
+}
+
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // register the "main" publication named `publishedArtifacts`
 publishingExtension.publications.register("publishedArtifacts", MavenPublication) {
@@ -72,76 +77,6 @@ publishingExtension.publications.register("publishedArtifacts", MavenPublication
     }
 }
 
-// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-// Create a special local repository used for local testing of PublishToMavenRepository
-
-if ( project.hasProperty("local_pub_repo") ) {
-    // to use -
-    //      1. run `gradlew -Plocal_pub_repo publishAllPublicationsToLocalRepoRepository`
-    //      2. check ${rootProject}/target/maven-repo
-    publishingExtension.repositories {
-        maven {
-            name = "localRepo"
-            url = rootProject.layout.buildDirectory.dir("maven-repo").get().asFile.toURI()
-        }
-    }
-}
-
-// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-// Signing
-
-def signingKey = resolveSigningKey()
-def signingPassphrase = resolveSigningPassphrase()
-
-var signingExtension = project.getExtensions().getByType(SigningExtension) as SigningExtension
-signingExtension.sign publishingExtension.publications.publishedArtifacts
-signingExtension.useInMemoryPgpKeys(signingKey, signingPassphrase)
-
-gradle.taskGraph.whenReady { TaskExecutionGraph graph ->
-    // are we publishing to OSSRH?
-    boolean wasPublishingRequested = false
-
-    graph.allTasks.each {task ->
-        if ( task instanceof PublishToMavenRepository ) {
-            if ( "sonatype" == task.repository.name ) {
-                wasPublishingRequested = true
-            }
-        }
-    }
-
-    if ( wasPublishingRequested ) {
-        def ossrhUser = System.getenv().get( "ORG_GRADLE_PROJECT_sonatypeUsername" )
-        def ossrhPass = System.getenv().get( "ORG_GRADLE_PROJECT_sonatypePassword" )
-        if ( ossrhUser == null || ossrhPass == null ) {
-            throw new RuntimeException( "Cannot perform publishing to OSSRH without credentials." )
-        }
-        logger.lifecycle "Publishing {} : {} : {}", project.group, project.name, project.version
-        signingExtension.required = true
-    }
-    else if ( signingKey == null || signingPassphrase == null ) {
-        tasks.withType( Sign ).each { t-> t.enabled = false }
-    }
-}
-
-static String resolveSigningKey() {
-    var key = System.getenv().get( "SIGNING_GPG_PRIVATE_KEY" )
-    if ( key != null ) {
-        return key
-    }
-
-    var keyFile = System.getenv().get( "SIGNING_GPG_PRIVATE_KEY_PATH" )
-    if ( keyFile != null ) {
-        return new File( keyFile ).text
-    }
-
-    return null
-}
-
-static String resolveSigningPassphrase() {
-    return System.getenv().get( "SIGNING_GPG_PASSPHRASE" )
-}
-
-
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // Ancillary tasks
 
@@ -176,4 +111,4 @@ tasks.withType(PublishToMavenRepository).configureEach {
             logger.lifecycle("        - artifact ({}) : {} ({})" , it.classifier, it.file, it.file.size())
         }
     }
-}
+}

release/README.adoc

@@ -1,7 +1,11 @@
 = ORM Releases
 :toc:
 
-This module performs the tasks needed as part of creating a release for Hibernate ORM.  Releases are triggered as a Jenkins job.
+This module performs the tasks needed as part of creating a release for Hibernate ORM.
+Releases are triggered as a link:../ci/release/Jenkinsfile[Jenkins pipeline].
+
+Hibernate ORM also publishes SNAPSHOT releases using an automated link:../ci/snapshot-publish.Jenkinsfile[Jenkins pipeline],
+which is triggered on a merge to the main branch. This job requires no user interactions.
 
 == Preparation
 
@@ -38,7 +42,7 @@ If this is a new series, some additional steps are required to prepare the websi
 Start the appropriate Jenkins https://ci.hibernate.org/view/Release/job/hibernate-orm-release[job].
 
 NOTE: When a release is started, the job coordinates with the unified Hibernate https://github.com/hibernate/hibernate-release-scripts[release scripts] in a number of stages and steps,
-calling tasks on this module's link:./release.gradle[Gradle script].
+calling tasks on this module's link:./release.gradle[Gradle script] and leveraging link:../jreleaser.yml[JReleaser configuration].
 
 At a high-level, this process:
 

tooling/hibernate-maven-plugin/hibernate-maven-plugin.gradle

@@ -37,13 +37,6 @@ tasks.register("preVerifyRelease") {
     dependsOn releasePrepareTask
 }
 
-tasks.register( 'releasePerform' ) {
-    group "release-perform"
-    description "See :release:releasePerform for details.  Here we hook in publishing to Sonatype"
-
-    dependsOn tasks.publishAllPublicationsToSonatypeRepository
-}
-
 var publishingExtension = project.getExtensions().getByType(PublishingExtension) as PublishingExtension
 publishingExtension.publications.named("publishedArtifacts") {
     from components.java