ci: clean-deploy on tag, skip redundant verify (fixes signature failure) #11

Merged: 4ment merged 1 commit into 4ment:master from alexeid:fix/ci-publish-clean, May 1, 2026
@alexeid (Contributor) commented May 1, 2026

Summary

The release workflow's two-step mvn verify then mvn deploy -Prelease -DskipTests leaves unsigned package outputs in target/ from step 1, then re-enters the lifecycle in step 2 without a clean. Some artifact bytes end up out of sync with the .asc files that gpg:sign produces, and Sonatype rejects the deployment.

Symptom on v1.3.0-beta1

Tag push run #25204059838 failed with:

Deployment d85e2a2e-42c1-4187-98e8-51dd2bbafeb8 failed
pkg:maven/io.github.4ment/flc@1.3.0-beta1:
 - Invalid signature for file: flc-1.3.0-beta1.zip.asc
 - Invalid signature for file: flc-1.3.0-beta1-javadoc.jar.asc
 - Invalid signature for file: flc-1.3.0-beta1-sources.jar.asc

The main flc-1.3.0-beta1.jar.asc and .pom.asc verified fine; only the assembly zip, sources jar, and javadoc jar failed.

Fix

  • Gate Build and test to non-tag pushes (the deploy step now runs the full lifecycle including tests).
  • Replace mvn deploy -Prelease -DskipTests with mvn -Prelease clean deploy so the release runs from a clean target/ in a single mvn invocation.

Verified

Applied the same change to CompEvol/morph-models and successfully published v1.3.0-beta3 to Maven Central — same workflow template, same plugin set (central-publishing-maven-plugin 0.6.0, maven-gpg-plugin 3.2.7).

Re-releasing v1.3.0-beta1

The Sonatype staging deployment was rejected so the version isn't consumed on Central. To re-release after this PR merges, either delete and re-push the existing v1.3.0-beta1 tag, or cut a v1.3.0-beta2.

Test plan

  • morph-models tag CI succeeded with the same fix
  • Both morph-models-1.3.0-beta3.pom and .zip are HTTP 200 on Maven Central
  • On merge, retag and confirm the FLC tag CI passes

The two-step 'mvn verify' then 'mvn deploy -Prelease -DskipTests' on tag
pushes leaves unsigned package outputs (assembly zip, sources jar) in
target/ from step 1. Step 2 then re-enters the lifecycle without a
clean, which can leave artifact bytes out of sync with the .asc files
produced by gpg:sign during the verify phase.

Symptom on v1.3.0-beta1: Sonatype Central rejected the deployment with
'Invalid signature' for flc-1.3.0-beta1.zip.asc,
flc-1.3.0-beta1-sources.jar.asc, and flc-1.3.0-beta1-javadoc.jar.asc,
while flc-1.3.0-beta1.jar.asc and flc-1.3.0-beta1.pom.asc verified.

Fix:
- Skip 'Build and test' on tag pushes (the deploy step now runs the
  full lifecycle including tests).
- Replace 'mvn deploy -Prelease -DskipTests' with 'mvn -Prelease clean
  deploy' so the release runs from a clean target/.

Verified by applying the same change to CompEvol/morph-models and
publishing v1.3.0-beta3 to Maven Central successfully.
@4ment 4ment merged commit 43218a5 into 4ment:master May 1, 2026
1 check passed
@alexeid alexeid deleted the fix/ci-publish-clean branch May 3, 2026 21:51
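
An added example, not part of this PR or the project's workflow: a shell check a release job could run on target/ before upload to catch the condition the Summary describes, an artifact rewritten after its .asc was produced. The function names, the mtime heuristic, the VERIFY_GPG switch and the flc-demo file names are assumptions of this example; the optional gpg pass needs the signing key's public half in the runner's keyring.

```shell
#!/bin/sh
# find_stale_sigs DIR
# Prints one line per detached signature that cannot match its artifact and
# returns 1 if any were found. Hypothetical helper, not from the project.
find_stale_sigs() {
    dir=$1
    bad=0
    for sig in "$dir"/*.asc; do
        [ -e "$sig" ] || continue            # glob matched nothing
        artifact=${sig%.asc}
        if [ ! -f "$artifact" ]; then
            echo "MISSING  $artifact"
            bad=1
        elif [ "$artifact" -nt "$sig" ]; then
            # Heuristic: artifact modified after signing, so the .asc covers old bytes
            echo "STALE    $sig"
            bad=1
        elif [ "${VERIFY_GPG:-0}" = 1 ] &&
             ! gpg --batch --verify "$sig" "$artifact" 2>/dev/null; then
            # Authoritative check, opt-in because it needs the public key
            echo "INVALID  $sig"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: a zip re-packaged five minutes after it was signed,
# next to a jar that was left untouched.
demo_stale_sigs() {
    t=$(mktemp -d)
    : > "$t/flc-demo.jar"; : > "$t/flc-demo.jar.asc"
    : > "$t/flc-demo.zip"; : > "$t/flc-demo.zip.asc"
    touch -t 202601010000 "$t/flc-demo.jar" "$t/flc-demo.jar.asc" "$t/flc-demo.zip.asc"
    touch -t 202601010005 "$t/flc-demo.zip"
    find_stale_sigs "$t" && rc=0 || rc=$?
    rm -rf "$t"
    return $rc
}
```

Run as `find_stale_sigs target || exit 1` between signing and upload; an identical rebuild also trips the mtime test, so treat STALE as a prompt to re-sign or to confirm with VERIFY_GPG=1.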