From e2cc78c94a6cbd95e50ad239439b0bf13f9fa7b1 Mon Sep 17 00:00:00 2001
From: post-svejk <sven-jorgen.karlsen@posten.no>
Date: Fri, 8 Aug 2025 20:19:06 +0200
Subject: [PATCH] Upgrade deployment to Maven Central to use new plugin from
 Sonatype

Upgrade most plugins to latest release.  Rewrite the publishing job to deploy directly to Maven Central (was: using obsolete GitHub action) with new plugin configured in the  parent POM and using more recent support in setup-java for deployment settings in Maven.
---
 .github/workflows/build.yml | 76 +++++++++++++++++--------------------
 .gitignore                  |  1 +
 bom/pom.xml                 |  4 +-
 lib/pom.xml                 |  8 ++--
 pom.xml                     |  4 +-
 5 files changed, 43 insertions(+), 50 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 39f16852..29d5634d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,9 +11,9 @@ jobs:
 
     name: build java ${{ matrix.java }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up java
-        uses: actions/setup-java@v3.6.0
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           java-version: ${{ matrix.java }}
           distribution: temurin
@@ -21,49 +21,41 @@ jobs:
       - name: Build with Maven
         run: mvn --settings .mvn/settings.xml -B verify -U --no-transfer-progress
 
-  makeversion:
-    if: github.ref != 'refs/heads/main'
+  publish:
     needs: build
+    name: Publish ${{ github.ref_name }}
     runs-on: ubuntu-latest
-    name: Create version
-    outputs:
-      version: ${{ steps.version.outputs.version }}
     steps:
-      - name: Decide on build version
-        id: version
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up Java
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        with:
+          distribution: temurin
+          java-version: '8'
+          cache: "maven"
+          gpg-private-key: ${{ secrets.MAVEN_CENTRAL_SIGNING_KEY_PRIVATE }}
+          server-id: central
+          server-username: MAVEN_CENTRAL_TOKEN_USERNAME
+          server-password: MAVEN_CENTRAL_TOKEN_PASSWORD
+          gpg-passphrase: MAVEN_GPG_PASSPHRASE
+      - name: Activate Artifact Signing and Version Suffix
         run: |
-          if [[ $GITHUB_REF == *"tags"* ]]; then
-            TAG=${GITHUB_REF#refs/tags/}
+          profiles="build-sources-and-javadoc,deploy-to-maven-central"
+          if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
+            profiles="$profiles,sign-artifacts"
+            version_suffix=""
           else
-            TAG=${GITHUB_REF#refs/heads/}-SNAPSHOT
+            version_suffix="-SNAPSHOT"         
           fi
-          echo "version=${TAG//\//-}" >> $GITHUB_OUTPUT
-
-  deploy_snapshot:
-    if: startsWith(github.ref, 'refs/heads/')
-    needs: makeversion
-    runs-on: ubuntu-latest
-
-    name: Deploy snapshot
-    steps:
-      - uses: actions/checkout@v3
-      - uses: digipost/action-maven-publish@1.3.2
-        with:
-          sonatype_secrets: ${{ secrets.sonatype_secrets }}
-          release_version: ${{ needs.makeversion.outputs.version }}
-          perform_release: false
-
-  release:
-    if: startsWith(github.ref, 'refs/tags/')
-    runs-on: ubuntu-latest
-    needs: makeversion
-    name: Release to Sonatype
-    steps:
-      - name: Check out Git repository
-        uses: actions/checkout@v3
-      - name: Release to Central Repository
-        uses: digipost/action-maven-publish@1.3.2
-        with:
-          sonatype_secrets: ${{ secrets.sonatype_secrets }}
-          release_version: ${{ needs.makeversion.outputs.version }}
-          perform_release: true
+          echo "MAVEN_PROFILES=$profiles" >> $GITHUB_ENV
+          version="${GITHUB_REF_NAME}${version_suffix}"
+          echo "VERSION=$version" >> $GITHUB_ENV
+      - name: Set Maven version
+        run: mvn --batch-mode --no-transfer-progress versions:set -DnewVersion=${VERSION}
+      - name: Build and deploy to Maven Central
+        run: |
+          mvn --batch-mode --no-transfer-progress --activate-profiles ${MAVEN_PROFILES} deploy
+        env:
+          MAVEN_CENTRAL_TOKEN_USERNAME: ${{ secrets.MAVEN_CENTRAL_TOKEN_USERNAME }}
+          MAVEN_CENTRAL_TOKEN_PASSWORD: ${{ secrets.MAVEN_CENTRAL_TOKEN_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_CENTRAL_SIGNING_KEY_PASSPHRASE }}
diff --git a/.gitignore b/.gitignore
index 91a8ec3a..4d9fbb55 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ target
 .classpath
 
 dependency-reduced-pom.xml
+.vscode/settings.json
diff --git a/bom/pom.xml b/bom/pom.xml
index 8c037f46..e745d465 100644
--- a/bom/pom.xml
+++ b/bom/pom.xml
@@ -30,7 +30,7 @@
     <name>Posten signering - Java API Client BOM</name>
 
     <properties>
-        <signature.api.version>3.1.0</signature.api.version>
+        <signature.api.version>3.1.1</signature.api.version>
     </properties>
 
     <dependencyManagement>
@@ -38,7 +38,7 @@
             <dependency>
                 <groupId>no.digipost</groupId>
                 <artifactId>jaxb-resolver-com.sun.xml.bind-bom</artifactId>
-                <version>1.0</version>
+                <version>1.0.1</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
diff --git a/lib/pom.xml b/lib/pom.xml
index 31598292..8e4bb987 100644
--- a/lib/pom.xml
+++ b/lib/pom.xml
@@ -62,7 +62,7 @@
         <dependency>
             <groupId>no.digipost</groupId>
             <artifactId>certificate-validator</artifactId>
-            <version>3.0.5</version>
+            <version>3.0.6</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.bouncycastle</groupId>
@@ -148,7 +148,7 @@
         <dependency>
             <groupId>no.digipost</groupId>
             <artifactId>digg</artifactId>
-            <version>0.37</version>
+            <version>0.38</version>
             <scope>test</scope>
         </dependency>
 
@@ -167,7 +167,7 @@
         <dependency>
             <groupId>no.digipost</groupId>
             <artifactId>jul-to-slf4j-junit-extension</artifactId>
-            <version>1.0.1</version>
+            <version>1.0.2</version>
             <scope>test</scope>
         </dependency>
     </dependencies>
@@ -244,7 +244,7 @@
                 </plugin>
                 <plugin>
                     <artifactId>maven-enforcer-plugin</artifactId>
-                    <version>3.5.0</version>
+                    <version>3.6.1</version>
                     <configuration>
                         <rules>
                             <bannedDependencies>
diff --git a/pom.xml b/pom.xml
index a7d204d8..6950dc70 100644
--- a/pom.xml
+++ b/pom.xml
@@ -22,7 +22,7 @@
     <parent>
         <groupId>no.digipost</groupId>
         <artifactId>digipost-open-super-pom</artifactId>
-        <version>13</version>
+        <version>14</version>
     </parent>
 
     <groupId>no.digipost.signature</groupId>
@@ -54,7 +54,7 @@
                 </plugin>
                 <plugin>
                     <artifactId>maven-clean-plugin</artifactId>
-                    <version>3.4.1</version>
+                    <version>3.5.0</version>
                     <configuration>
                         <filesets>
                             <fileset>