[andr] Adding steps for CI releases to publish to maven central (#585)

* [andr] Adding steps for CI releases to publish to maven central

* Tests

* cleanup

* Tests

* cleanup

* rename

* Remove conditional execution

* bail if no secrets

Author: murki

.github/workflows/release_public.yaml

@@ -1,4 +1,4 @@
-name: Release to dl.bitdrift.io
+name: Release to public
 on:
   workflow_call:
     inputs:
@@ -61,7 +61,7 @@ jobs:
     name: Upload Android artifacts to dl.bitdrift.io
     permissions:
       id-token: write # required to use OIDC authentication (set up aws credentials)
-      contents: read
+      contents: write
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -93,6 +93,93 @@ jobs:
       env:
         VERSION: ${{ inputs.version }}
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Upload Android Artifacts to aws bucket
+    - name: Upload Android Artifacts to aws bucket and prepare Maven Central bundles
+      env:
+        # GPG signing configuration (existing repo/org secrets)
+        GPG_PRIVATE_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+        GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
       run: ./ci/capture_android_release.sh ${{ inputs.version }} "Capture-${{ inputs.version }}.android.zip" "capture-timber-${{ inputs.version }}.android.zip" "capture-apollo-${{ inputs.version }}.android.zip" "capture-plugin-${{ inputs.version }}.android.zip" "capture-plugin-marker-${{ inputs.version }}.android.zip"
+    - name: Upload bundles to Maven Central
+      env:
+        MAVEN_CENTRAL_TOKEN_USERNAME: ${{ secrets.MAVEN_CENTRAL_TOKEN_USERNAME }}
+        MAVEN_CENTRAL_TOKEN_PASSWORD: ${{ secrets.MAVEN_CENTRAL_TOKEN_PASSWORD }}
+      run: |
+        # Avoid echoing commands to logs; keep credentials out of output
+        set -euo pipefail
+        set +x
+        if [[ -z "${MAVEN_CENTRAL_TOKEN_USERNAME:-}" || -z "${MAVEN_CENTRAL_TOKEN_PASSWORD:-}" ]]; then
+          echo "Maven Central tokens not provided; skipping upload."
+          exit 0
+        fi
+        if [[ ! -d dist/maven-central ]]; then
+          echo "No Maven Central bundles directory found; skipping."
+          exit 0
+        fi
+        cd dist/maven-central
+        shopt -s nullglob
+        bundles=( *.maven-central.zip )
+        shopt -u nullglob
+        if (( ${#bundles[@]} == 0 )); then
+          echo "No bundle zips found to upload."
+          exit 0
+        fi
+        : > deployment_ids.txt
+        for b in "${bundles[@]}"; do
+          [[ -f "$b" ]] || continue
+          echo "Uploading $b to Sonatype Central Portal..."
+          resp=$(curl -sS -u "${MAVEN_CENTRAL_TOKEN_USERNAME}:${MAVEN_CENTRAL_TOKEN_PASSWORD}" \
+            -F "bundle=@${b}" \
+            "https://central.sonatype.com/api/v1/publisher/upload?publishingType=AUTOMATIC" || true)
+          # Echo server response for visibility
+          printf '%s\n' "$resp" | tee /dev/stderr
+          # Try to extract a UUID-like deployment id and save for the polling step
+          dep_id=$(printf '%s' "$resp" | grep -Eo '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}' | head -n1 || true)
+          if [[ -n "$dep_id" ]]; then
+            echo "$dep_id" >> deployment_ids.txt
+          fi
+        done
+        echo "Saved deployment IDs (if any) to dist/maven-central/deployment_ids.txt"
+
+    - name: Poll Maven Central deployment status
+      env:
+        MAVEN_CENTRAL_TOKEN_USERNAME: ${{ secrets.MAVEN_CENTRAL_TOKEN_USERNAME }}
+        MAVEN_CENTRAL_TOKEN_PASSWORD: ${{ secrets.MAVEN_CENTRAL_TOKEN_PASSWORD }}
+      run: |
+        set -euo pipefail
+        set +x
+        ids_file="dist/maven-central/deployment_ids.txt"
+        if [[ ! -f "$ids_file" ]]; then
+          echo "No deployment IDs file found; nothing to poll."
+          exit 0
+        fi
+        mapfile -t ids < "$ids_file" || true
+        if (( ${#ids[@]} == 0 )); then
+          echo "No deployment IDs captured; nothing to poll."
+          exit 0
+        fi
+        for id in "${ids[@]}"; do
+          echo "Polling deployment status for $id..."
+          deadline=$((SECONDS + 300)) # 5 minutes per artifact
+          while (( SECONDS < deadline )); do
+            resp=$(curl -sS -X POST -u "${MAVEN_CENTRAL_TOKEN_USERNAME}:${MAVEN_CENTRAL_TOKEN_PASSWORD}" \
+              "https://central.sonatype.com/api/v1/publisher/status?id=$id" || true)
+            state=$(printf '%s' "$resp" | sed -n 's/.*"deploymentState"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
+            if [[ -z "$state" ]]; then
+              state="UNKNOWN"
+            fi
+            echo "Deployment $id state: $state"
+            if [[ "$state" == "FAILED" ]]; then
+              echo "Deployment $id failed." >&2
+              exit 1
+            fi
+            if [[ "$state" == "VALIDATED" || "$state" == "PUBLISHING" || "$state" == "PUBLISHED" ]]; then
+              break
+            fi
+            sleep 15
+          done
+          if (( SECONDS >= deadline )); then
+            echo "Deployment $id polling timed out after 5 minutes." >&2
+            exit 1
+          fi
+        done
 

ci/capture_android_release.sh

@@ -13,6 +13,155 @@ readonly capture_apollo_archive="$4"
 readonly capture_plugin_archive="$5"
 readonly capture_plugin_marker_archive="$6"
 
+#############################################
+# Helpers for Maven Central bundle creation #
+#############################################
+
+# Import a GPG private key if provided via env vars.
+# Supports either raw ASCII-armored key in GPG_PRIVATE_KEY or base64-encoded in GPG_PRIVATE_KEY_BASE64.
+function import_gpg_key_if_available() {
+  if [[ -z "${GPG_PRIVATE_KEY:-${GPG_PRIVATE_KEY_BASE64:-}}" ]]; then
+    echo "GPG signing key not provided; cannot proceed with Maven Central bundle creation." >&2
+    exit 1
+  fi
+
+  # Ensure gpg is available
+  if ! command -v gpg >/dev/null 2>&1; then
+    echo "gpg is required to sign artifacts; please install it in the CI runner." >&2
+    exit 1
+  fi
+
+  # Create a temp GNUPGHOME to avoid polluting the runner account
+  GNUPGHOME="$(mktemp -d)"
+  export GNUPGHOME
+  chmod 700 "$GNUPGHOME"
+
+  # Decode if necessary and import (ensure no command echo)
+  local _xtrace_was_on=0
+  case $- in
+    *x*) _xtrace_was_on=1; set +x ;;
+  esac
+
+  # Prepare temp files
+  local -r key_raw_file="$(mktemp)"
+  local -r key_sanitized_file="$(mktemp)"
+
+  if [[ -n "${GPG_PRIVATE_KEY_BASE64:-}" ]]; then
+    printf '%s' "$GPG_PRIVATE_KEY_BASE64" | base64 -d >"$key_raw_file"
+  else
+    printf '%s' "$GPG_PRIVATE_KEY" >"$key_raw_file"
+  fi
+
+  # Normalize line endings and extract only the private key block(s)
+  tr -d '\r' <"$key_raw_file" | \
+    sed -n '/-----BEGIN PGP .*PRIVATE KEY BLOCK-----/,/-----END PGP .*PRIVATE KEY BLOCK-----/p' >"$key_sanitized_file"
+
+  # If sanitize produced nothing, fall back to raw file
+  local import_file="$key_sanitized_file"
+  if [[ ! -s "$import_file" ]]; then
+    import_file="$key_raw_file"
+  fi
+
+  # Import, but don't fail the whole script if gpg returns non-zero due to warnings
+  set +e
+  gpg --batch --yes --import "$import_file"
+  local gpg_rc=$?
+  set -e
+  # If gpg returned a non-zero code, log and continue; we'll verify presence of a secret key below.
+  if (( gpg_rc != 0 )); then
+    echo "gpg import exited with code $gpg_rc; continuing and verifying secret key presence." >&2
+  fi
+
+  # Verify a secret key is available after import
+  if ! gpg --batch --list-secret-keys >/dev/null 2>&1; then
+    echo "Failed to import GPG private key for signing." >&2
+    rm -f "$key_raw_file" "$key_sanitized_file"
+    exit 1
+  fi
+
+  # Cleanup
+  rm -f "$key_raw_file" "$key_sanitized_file"
+  if [[ $_xtrace_was_on -eq 1 ]]; then set -x; fi
+
+  # Do not print any key details to logs to avoid leaking identifiers
+}
+
+function sign_file() {
+  local -r file="$1"
+  # --armor --detach-sign to create .asc
+  local _xtrace_was_on=0
+  case $- in *x*) _xtrace_was_on=1; set +x ;; esac
+  if [[ -n "${GPG_PASSPHRASE:-}" ]]; then
+    if [[ -n "${GPG_KEY_ID:-}" ]]; then
+      printf '%s' "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 -u "$GPG_KEY_ID" --armor --detach-sign "$file"
+    else
+      printf '%s' "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign "$file"
+    fi
+  else
+    if [[ -n "${GPG_KEY_ID:-}" ]]; then
+      gpg --batch --yes --pinentry-mode loopback -u "$GPG_KEY_ID" --armor --detach-sign "$file"
+    else
+      gpg --batch --yes --pinentry-mode loopback --armor --detach-sign "$file"
+    fi
+  fi
+  if [[ $_xtrace_was_on -eq 1 ]]; then set -x; fi
+}
+
+function generate_all_checksums() {
+  local -r file="$1"
+  "$sdk_repo/ci/checksum.sh" md5 "$file"
+  "$sdk_repo/ci/checksum.sh" sha1 "$file"
+  "$sdk_repo/ci/checksum.sh" sha256 "$file"
+  "$sdk_repo/ci/checksum.sh" sha512 "$file"
+}
+
+# Create Maven Central-ready structure under dist/maven-central for a single artifact
+# Args:
+#   $1 - group path (e.g., io/bitdrift)
+#   $2 - artifact id (e.g., capture)
+#   $3 - version
+#   $4.. - files to include (must be located in current CWD)
+function package_maven_central_bundle() {
+  local -r group_path="$1"
+  local -r artifact_id="$2"
+  local -r ver="$3"
+  shift 3
+  local -a files=("$@")
+
+  local -r out_root="$sdk_repo/dist/maven-central/$group_path/$artifact_id/$ver"
+  mkdir -p "$out_root"
+
+  # Copy, sign, and checksum primary files
+  for f in "${files[@]}"; do
+    if [[ ! -f "$f" ]]; then
+      echo "Warning: expected file '$f' not found; skipping." >&2
+      continue
+    fi
+    # Exclude LICENSE/NOTICE from Maven Central bundles (even if accidentally provided)
+    case "$(basename "$f" | tr '[:upper:]' '[:lower:]')" in
+      license|license.*|notice|notice.*)
+        echo "Excluding $(basename "$f") from Maven Central bundle"
+        continue
+        ;;
+    esac
+    cp -f "$f" "$out_root/"
+    pushd "$out_root" >/dev/null
+    sign_file "$(basename "$f")"
+    generate_all_checksums "$(basename "$f")"
+    popd >/dev/null
+  done
+
+  # Zip the group root to ease upload via Sonatype UI/API
+  local -r zip_out_dir="$sdk_repo/dist/maven-central"
+  mkdir -p "$zip_out_dir"
+  local -r zip_name="${artifact_id}-${ver}.maven-central.zip"
+  pushd "$zip_out_dir" >/dev/null
+  # Create a zip that contains the repo path starting from the group root
+  zip -r "$zip_name" "$group_path/$artifact_id/$ver" >/dev/null
+  popd >/dev/null
+  echo "Created Maven Central bundle: $zip_out_dir/$zip_name"
+}
+
 function upload_file() {
   local -r location="$1"
   local -r file="$2"
@@ -23,8 +172,10 @@ function upload_file() {
   "$sdk_repo/ci/checksum.sh" sha512 "$file"
 
   for f in "$file" "$file.md5" "$file.sha1" "$file.sha256" "$file.sha512"; do
-    echo "Uploading $file..."
-    aws s3 cp "$f" "$location/$f" --region us-east-1
+    local base
+    base="$(basename "$f")"
+    echo "Uploading $base to $location/"
+    aws s3 cp "$f" "$location/$base" --region us-east-1
   done
 }
 
@@ -40,12 +191,12 @@ function generate_maven_file() {
     awk '{print $2}' |
     sed 's/^\///;s/\/$//')
 
-  python3 "$sdk_repo/ci/generate_maven_metadata.py" --releases "${releases//$'\n'/,}" --library "library_name"
+  python3 "$sdk_repo/ci/generate_maven_metadata.py" --releases "${releases//$'\n'/,}" --library "$library_name"
 
   echo "+++ Generated maven-metadata.xml:"
   cat maven-metadata.xml
 
-  upload_file "$remote_location_prefix" "maven-metadata.xml"
+  upload_file "$location" "maven-metadata.xml"
 }
 
 function release_capture_sdk() {
@@ -78,6 +229,10 @@ function release_capture_sdk() {
   done
 
   generate_maven_file "$remote_location_prefix" "capture"
+
+  # Prepare Maven Central bundle (group: io/bitdrift, artifact: capture)
+  package_maven_central_bundle "io/bitdrift" "capture" "$version" \
+    "$name.pom" "$name-javadoc.jar" "$name-sources.jar" "$name.aar"
   popd
 }
 
@@ -100,6 +255,32 @@ function release_gradle_library() {
   aws s3 cp . "$remote_location_prefix/$version/" --recursive --region us-east-1
 
   generate_maven_file "$remote_location_prefix" "$library_name"
+
+  # Prepare Maven Central bundle (group: io/bitdrift, artifact: $library_name)
+  # Try to derive base from .pom name
+  shopt -s nullglob
+  local poms=( *.pom )
+  if (( ${#poms[@]} > 0 )); then
+    local base="${poms[0]%.pom}"
+    # Select common files if present
+    local -a bundle_files=( "$base.pom" )
+    [[ -f "$base.jar" ]] && bundle_files+=( "$base.jar" )
+    [[ -f "$base.aar" ]] && bundle_files+=( "$base.aar" )
+    [[ -f "$base-sources.jar" ]] && bundle_files+=( "$base-sources.jar" )
+    [[ -f "$base-javadoc.jar" ]] && bundle_files+=( "$base-javadoc.jar" )
+    # Explicitly exclude LICENSE/NOTICE from bundle files if present nearby
+    for i in "${!bundle_files[@]}"; do
+      case "$(basename "${bundle_files[$i]}" | tr '[:upper:]' '[:lower:]')" in
+        license|license.*|notice|notice.*)
+          unset 'bundle_files[$i]'
+          ;;
+      esac
+    done
+    package_maven_central_bundle "io/bitdrift" "$library_name" "$version" "${bundle_files[@]}"
+  else
+    echo "Warning: No .pom found for $library_name; skipping Maven Central bundle."
+  fi
+  shopt -u nullglob
   popd
 }
 
@@ -121,9 +302,13 @@ function release_gradle_plugin() {
   aws s3 cp . "$remote_location_prefix/$version/" --recursive --region us-east-1
 
   generate_maven_file "$remote_location_prefix" "$plugin_marker"
+
   popd
 }
 
+# If requested, set up GPG for signing
+import_gpg_key_if_available
+
 release_capture_sdk
 release_gradle_library "capture-timber" "$capture_timber_archive"
 release_gradle_library "capture-apollo" "$capture_apollo_archive"

gradle/app/build.gradle

@@ -60,8 +60,8 @@ android {
 }
 
 dependencies {
-    implementation 'io.bitdrift:capture:0.18.0'
-    implementation 'io.bitdrift:capture-timber:0.18.0'
+    implementation 'io.bitdrift:capture:0.18.5'
+    implementation 'io.bitdrift:capture-timber:0.18.5'
 
     implementation 'androidx.appcompat:appcompat:1.7.1'
     implementation 'com.google.android.material:material:1.12.0'

gradle/build.gradle

@@ -6,7 +6,7 @@ buildscript {
     }
     dependencies {
         // TODO: Start publishing plugin to gradlePluginPortal
-        classpath 'io.bitdrift:capture-plugin:0.18.0'
+        classpath 'io.bitdrift:capture-plugin:0.18.5'
     }
 }
 plugins {