Migrate using maven central (#926)

Motivation:

OSSRH is deprecated and will be shut down soon. Let's switch to using
maven central

Modifications:

- Replace old plugin with central-publishing-maven-plugin for release
- Adjust workflow to setup the right token / password
- Add scripts

Result:

Snapshot deployments and release works again

Author: normanmaurer

.github/scripts/bundle_create.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# ----------------------------------------------------------------------------
+# Copyright 2025 The Netty Project
+#
+# The Netty Project licenses this file to you under the Apache License,
+# version 2.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at:
+#
+#   https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+set -e
+
+if [ "$#" -ne 2 ]; then
+    echo "Expected bundle name and directory"
+    exit 1
+fi
+
+# Create a bundle zip that contains all jars.
+# See https://central.sonatype.org/publish/publish-portal-upload/
+pushd $2
+zip -r $1 * -x maven-metadata-central-staging.xml
+popd

.github/scripts/bundle_upload.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# ----------------------------------------------------------------------------
+# Copyright 2025 The Netty Project
+#
+# The Netty Project licenses this file to you under the Apache License,
+# version 2.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at:
+#
+#   https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+set -e
+
+if [ "$#" -ne 3 ]; then
+    echo "Expected bundle-name, username, password"
+    exit 1
+fi
+
+# Generate the correct Bearer.
+# See https://central.sonatype.org/publish/publish-portal-api/
+BEARER=`printf "$2:$3" | base64`
+
+# Upload a previous build bundle.
+# See https://central.sonatype.org/publish/publish-portal-api/
+curl --request POST \
+  --header "Authorization: Bearer $BEARER" \
+  --form bundle=@$1 \
+  https://central.sonatype.com/api/v1/publisher/upload

.github/scripts/local_staging_install_release.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# ----------------------------------------------------------------------------
+# Copyright 2021 The Netty Project
+#
+# The Netty Project licenses this file to you under the Apache License,
+# version 2.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at:
+#
+#   https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+set -e
+if [ "$#" -lt 2 ]; then
+    echo "Expected target directory and at least one local staging directory"
+    exit 1
+fi
+TARGET=$1
+
+for ((i=2; i<=$#; i++))
+do
+  DIR="${!i}"
+
+  if [ ! -d "${TARGET}" ]
+  then
+      mkdir -p "${TARGET}"
+  fi
+  cp -r "${DIR}"/* "${TARGET}"/
+done

.github/scripts/install_local_staging.sh renamed to .github/scripts/local_staging_install_snapshot.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# ----------------------------------------------------------------------------
+# Copyright 2025 The Netty Project
+#
+# The Netty Project licenses this file to you under the Apache License,
+# version 2.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at:
+#
+#   https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+
+set -e
+if [ "$#" -lt 2 ]; then
+    echo "Expected target directory and at least one local staging directory"
+    exit 1
+fi
+TARGET=$1
+
+for ((i=2; i<=$#; i++))
+do
+  DIR="${!i}"
+
+  if [ ! -d "${TARGET}" ]
+  then
+      mkdir -p "${TARGET}"
+  fi
+  cp -r "${DIR}"/"${SUB_DIR}"/* "${TARGET}/${SUB_DIR}"/
+done

.github/scripts/local_staging_merge_release.sh

@@ -14,6 +14,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 # ----------------------------------------------------------------------------
+
 set -e
 if [ "$#" -lt 2 ]; then
     echo "Expected target directory and at least one local staging directory"

.github/scripts/merge_local_staging.sh renamed to .github/scripts/local_staging_merge_snapshot.sh

@@ -102,7 +102,7 @@ jobs:
         run: mkdir -p ~/local-staging
 
       - name: Stage snapshots to local staging directory
-        run: ./mvnw -B -ntp -am -pl openssl-dynamic,boringssl-static clean package org.sonatype.plugins:nexus-staging-maven-plugin:deploy -DaltStagingDirectory=$HOME/local-staging -DskipRemoteStaging=true -DskipTests=true
+        run: ./mvnw -B -ntp -am -pl openssl-dynamic,boringssl-static clean package org.sonatype.plugins:nexus-staging-maven-plugin:deploy -DaltStagingDirectory=$HOME/local-staging -DskipTests=true
 
       - name: Upload local staging directory
         uses: actions/upload-artifact@v4
@@ -186,16 +186,11 @@ jobs:
         with:
           servers: |
             [{
-              "id": "sonatype-nexus-snapshots",
-              "username": "${{ secrets.SONATYPE_USERNAME }}",
-              "password": "${{ secrets.SONATYPE_PASSWORD }}"
+              "id": "central-portal-snapshots",
+              "username": "${{ secrets.MAVEN_CENTRAL_USERNAME }}",
+              "password": "${{ secrets.MAVEN_CENTRAL_PASSWORD }}"
             }]
 
-      # Setup some env to re-use later.
-      - name: Prepare enviroment variables
-        run: |
-          echo "LOCAL_STAGING_DIR=$HOME/local-staging" >> $GITHUB_ENV
-
       # Hardcode the staging artifacts that need to be downloaded.
       # These must match the matrix setups and windows build. There is currently no way to pull this out of the config.
       - name: Download windows_x86_64 staging directory
@@ -235,15 +230,15 @@ jobs:
           path: ~/centos6-x86_64-local-staging
 
       - name: Copy previous build artifacts to local maven repository
-        run: bash ./.github/scripts/install_local_staging.sh ~/.m2/repository ~/windows-x86_64-local-staging ~/macos-aarch64-local-staging ~/macos-x86_64-local-staging ~/centos7-aarch64-local-staging ~/debian7-x86_64-local-staging ~/centos6-x86_64-local-staging
+        run: bash ./.github/scripts/local_staging_install_snapshot.sh ~/.m2/repository ~/windows-x86_64-local-staging ~/macos-aarch64-local-staging ~/macos-x86_64-local-staging ~/centos7-aarch64-local-staging ~/debian7-x86_64-local-staging ~/centos6-x86_64-local-staging
 
       - name: Generate uber jar and deploy to local staging.
         run: |
           mkdir -p ~/uber-local-staging
-          ./mvnw -B --file pom.xml -Puber-snapshot -pl boringssl-static clean package org.sonatype.plugins:nexus-staging-maven-plugin:deploy -DaltStagingDirectory=$HOME/uber-local-staging -DskipRemoteStaging=true -DskipTests=true
+          ./mvnw -B --file pom.xml -Puber-snapshot -pl boringssl-static clean package org.sonatype.plugins:nexus-staging-maven-plugin:deploy -DaltStagingDirectory=$HOME/uber-local-staging -DskipTests=true
 
       - name: Merge staging repositories
-        run: bash ./.github/scripts/merge_local_staging.sh ~/local-staging ~/windows-x86_64-local-staging ~/macos-aarch64-local-staging ~/macos-x86_64-local-staging ~/centos7-aarch64-local-staging ~/debian7-x86_64-local-staging ~/centos6-x86_64-local-staging ~/uber-local-staging
+        run: bash ./.github/scripts/local_staging_merge_snapshot.sh ~/local-staging ~/windows-x86_64-local-staging ~/macos-aarch64-local-staging ~/macos-x86_64-local-staging ~/centos7-aarch64-local-staging ~/debian7-x86_64-local-staging ~/centos6-x86_64-local-staging ~/uber-local-staging
 
       - name: Deploy local staged artifacts
-        run: ./mvnw -B --file pom.xml org.sonatype.plugins:nexus-staging-maven-plugin:deploy-staged -DaltStagingDirectory=$LOCAL_STAGING_DIR
+        run: ./mvnw -B --file pom.xml org.sonatype.plugins:nexus-staging-maven-plugin:deploy-staged -DaltStagingDirectory=$HOME/local-staging

.github/workflows/ci-deploy.yml

@@ -124,9 +124,9 @@ jobs:
         with:
           servers: |
             [{
-              "id": "sonatype-nexus-staging",
-              "username": "${{ secrets.SONATYPE_USERNAME }}",
-              "password": "${{ secrets.SONATYPE_PASSWORD }}"
+              "id": "central",
+              "username": "${{ secrets.MAVEN_CENTRAL_USERNAME }}",
+              "password": "${{ secrets.MAVEN_CENTRAL_PASSWORD }}"
             }]
 
       - name: Create local staging directory
@@ -148,7 +148,7 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.setup }}-local-staging
-          path: ~/local-staging
+          path: ./prepare-release-workspace/target/central-staging
           if-no-files-found: error
           include-hidden-files: true
 
@@ -221,20 +221,20 @@ jobs:
         with:
           servers: |
             [{
-              "id": "sonatype-nexus-staging",
-              "username": "${{ secrets.SONATYPE_USERNAME }}",
-              "password": "${{ secrets.SONATYPE_PASSWORD }}"
+              "id": "central",
+              "username": "${{ secrets.MAVEN_CENTRAL_USERNAME }}",
+              "password": "${{ secrets.MAVEN_CENTRAL_PASSWORD }}"
             }]
 
       - name: Stage release to local staging directory
         working-directory: prepare-release-workspace
-        run: ./mvnw --file pom.xml -Pstage -am -pl boringssl-static clean javadoc:jar package gpg:sign org.sonatype.plugins:nexus-staging-maven-plugin:deploy -DnexusUrl=https://oss.sonatype.org -DserverId=sonatype-nexus-staging -DaltStagingDirectory=local-staging -DskipRemoteStaging=true -DskipTests=true -D'checkstyle.skip=true'
+        run: ./mvnw --file pom.xml -Pstage -am -pl boringssl-static clean javadoc:jar package gpg:sign org.sonatype.central:central-publishing-maven-plugin:publish -DskipTests=true -D'checkstyle.skip=true'
 
       - name: Upload local staging directory
         uses: actions/upload-artifact@v4
         with:
           name: windows-x86_64-local-staging
-          path: prepare-release-workspace/boringssl-static/local-staging
+          path: ./prepare-release-workspace/target/central-staging
           if-no-files-found: error
           include-hidden-files: true
 
@@ -298,9 +298,9 @@ jobs:
         with:
           servers: |
             [{
-              "id": "sonatype-nexus-staging",
-              "username": "${{ secrets.SONATYPE_USERNAME }}",
-              "password": "${{ secrets.SONATYPE_PASSWORD }}"
+              "id": "central",
+              "username": "${{ secrets.MAVEN_CENTRAL_USERNAME }}",
+              "password": "${{ secrets.MAVEN_CENTRAL_PASSWORD }}"
             }]
 
       # Cache .m2/repository
@@ -322,21 +322,21 @@ jobs:
 
       - name: Stage snapshots to local staging directory
         working-directory: ./prepare-release-workspace/
-        run: ./mvnw -B -ntp -am -pl openssl-dynamic,boringssl-static clean javadoc:jar package gpg:sign org.sonatype.plugins:nexus-staging-maven-plugin:deploy -DnexusUrl=https://oss.sonatype.org -DserverId=sonatype-nexus-staging -DaltStagingDirectory=$HOME/local-staging -DskipRemoteStaging=true -DskipTests=true -Dgpg.passphrase=${{ secrets.GPG_PASSPHRASE }} -Dgpg.keyname=${{ secrets.GPG_KEYNAME }}
+        run: ./mvnw -B -ntp -am -pl openssl-dynamic,boringssl-static clean javadoc:jar package gpg:sign org.sonatype.central:central-publishing-maven-plugin:publish -DskipTests=true
 
       - name: Upload local staging directory
         uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.setup }}-local-staging
-          path: ~/local-staging
+          path: ./prepare-release-workspace/target/central-staging
           if-no-files-found: error
           include-hidden-files: true
 
       - name: Rollback release on failure
         working-directory: ./prepare-release-workspace/
         if: ${{ failure() }}
         # Rollback the release in case of an failure
-        run: ./.github/scripts/release_rollback.ps1 release.properties netty/netty-tcnative main
+        run: bash ./.github/scripts/release_rollback.sh release.properties netty/netty-tcnative main
 
   deploy-staged-release:
     runs-on: ubuntu-latest
@@ -391,9 +391,9 @@ jobs:
         with:
           servers: |
             [{
-              "id": "sonatype-nexus-staging",
-              "username": "${{ secrets.SONATYPE_USERNAME }}",
-              "password": "${{ secrets.SONATYPE_PASSWORD }}"
+              "id": "central",
+              "username": "${{ secrets.MAVEN_CENTRAL_USERNAME }}",
+              "password": "${{ secrets.MAVEN_CENTRAL_PASSWORD }}"
             }]
 
       # Hardcode the staging artifacts that need to be downloaded.
@@ -436,24 +436,27 @@ jobs:
 
       - name: Copy previous build artifacts to local maven repository
         working-directory: ./prepare-release-workspace/
-        run: bash ./.github/scripts/install_local_staging.sh ~/.m2/repository ~/windows-x86_64-local-staging/staging ~/macos-aarch64-local-staging/staging ~/macos-x86_64-local-staging/staging ~/centos7-aarch64-local-staging/staging ~/debian7-x86_64-local-staging/staging ~/centos6-x86_64-local-staging/staging
+        run: bash ./.github/scripts/local_staging_install_release.sh ~/.m2/repository ~/windows-x86_64-local-staging ~/macos-aarch64-local-staging ~/macos-x86_64-local-staging ~/centos7-aarch64-local-staging ~/debian7-x86_64-local-staging ~/centos6-x86_64-local-staging
 
       - name: Generate uber jar and deploy to local staging.
         working-directory: ./prepare-release-workspace/
         run: |
           mkdir -p ~/uber-local-staging
-          ./mvnw -B --file pom.xml -Puber-snapshot -pl boringssl-static clean package gpg:sign org.sonatype.plugins:nexus-staging-maven-plugin:deploy -DnexusUrl=https://oss.sonatype.org -DserverId=sonatype-nexus-staging -DaltStagingDirectory=$HOME/uber-local-staging -DskipRemoteStaging=true -DskipTests=true
+          ./mvnw -B --file pom.xml -Puber-staging -pl boringssl-static clean package gpg:sign org.sonatype.central:central-publishing-maven-plugin:publish -DskipTests=true
 
       # This step takes care of merging all the previous staged repositories in a way that will allow us to deploy
       # all together with one maven command.
       - name: Merge staging repositories
         working-directory: ./prepare-release-workspace/
-        run: bash ./.github/scripts/merge_local_staging.sh /home/runner/local-staging/staging ~/windows-x86_64-local-staging/staging ~/macos-aarch64-local-staging/staging ~/macos-x86_64-local-staging/staging ~/centos7-aarch64-local-staging/staging ~/debian7-x86_64-local-staging/staging ~/centos6-x86_64-local-staging/staging ~/uber-local-staging/staging
+        run: bash ./.github/scripts/local_staging_merge_release.sh ~/local-staging ~/windows-x86_64-local-staging ~/macos-aarch64-local-staging ~/macos-x86_64-local-staging ~/centos7-aarch64-local-staging ~/debian7-x86_64-local-staging ~/centos6-x86_64-local-staging ~/uber-local-staging
+
+      - name: Create bundle
+        working-directory: ./prepare-release-workspace/
+        run: bash ./.github/scripts/bundle_create.sh ~/central-bundle.zip ~/local-staging/
 
-      - name: Deploy local staged artifacts
+      - name: Upload bundle to maven central
         working-directory: ./prepare-release-workspace/
-        # If we don't want to close the repository we can add -DskipStagingRepositoryClose=true
-        run: ./mvnw -B --file pom.xml org.sonatype.plugins:nexus-staging-maven-plugin:deploy-staged -DnexusUrl=https://oss.sonatype.org -DserverId=sonatype-nexus-staging -DaltStagingDirectory=$HOME/local-staging -DskipStagingRepositoryClose=true
+        run: bash ./.github/scripts/bundle_upload.sh ~/central-bundle.zip ${{ secrets.MAVEN_CENTRAL_USERNAME }} ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
 
       - name: Rollback release on failure
         working-directory: ./prepare-release-workspace/

.github/workflows/ci-release.yml

@@ -1051,14 +1051,6 @@
         <compileLibrary>false</compileLibrary>
       </properties>
 
-      <repositories>
-        <repository>
-          <id>staged-releases</id>
-          <name>Staged Releases</name>
-          <url>https://oss.sonatype.org/service/local/repositories/${stagingRepositoryId}/content/</url>
-        </repository>
-      </repositories>
-
       <dependencies>
         <dependency>
           <groupId>io.netty</groupId>

boringssl-static/pom.xml

@@ -2,7 +2,7 @@ FROM --platform=linux/amd64 centos:7.6.1810
 
 ARG gcc_version=10.2-2020.11
 ARG openssl_version=1_1_1d
-ARG apr_version=1.7.5
+ARG apr_version=1.7.6
 ENV SOURCE_DIR /root/source
 ENV GCC_VERSION $gcc_version
 ENV OPENSSL_VERSION $openssl_version

docker/Dockerfile.cross_compile_aarch64

@@ -39,7 +39,7 @@ services:
       - ~/.m2/repository:/root/.m2/repository
       - ~/local-staging:/root/local-staging
       - ..:/code
-    command: /bin/bash -cl "./mvnw -Pstage -am -pl openssl-dynamic,boringssl-static clean package org.sonatype.plugins:nexus-staging-maven-plugin:deploy -DaltStagingDirectory=/root/local-staging -DskipRemoteStaging=true -DskipTests=true"
+    command: /bin/bash -cl "./mvnw -Pstage -am -pl openssl-dynamic,boringssl-static clean package org.sonatype.plugins:nexus-staging-maven-plugin:deploy -DaltStagingDirectory=/root/local-staging -DskipTests=true"
 
   stage-release:
     <<: *common
@@ -49,7 +49,7 @@ services:
       - ~/.m2/settings.xml:/root/.m2/settings.xml
       - ~/local-staging:/root/local-staging
       - ..:/code
-    command: /bin/bash -cl "cat <(echo -e \"${GPG_PRIVATE_KEY}\") | gpg --batch --import && ./mvnw -B -Pstage -am -pl openssl-dynamic,boringssl-static clean javadoc:jar package gpg:sign org.sonatype.plugins:nexus-staging-maven-plugin:deploy -DnexusUrl=https://oss.sonatype.org -DserverId=sonatype-nexus-staging -DaltStagingDirectory=/root/local-staging -DskipRemoteStaging=true -DskipTests=true -Dgpg.passphrase=${GPG_PASSPHRASE} -Dgpg.keyname=${GPG_KEYNAME}"
+    command: /bin/bash -cl "cat <(echo -e \"${GPG_PRIVATE_KEY}\") | gpg --batch --import && ./mvnw -B -Pstage -am -pl openssl-dynamic,boringssl-static clean javadoc:jar package gpg:sign org.sonatype.central:central-publishing-maven-plugin:publish -DskipTests=true -Dgpg.passphrase=${GPG_PASSPHRASE} -Dgpg.keyname=${GPG_KEYNAME}"
 
   deploy:
     <<: *common