Publish JARs to JBoss or Maven Central #48

Closed
robpblake opened this issue Jul 9, 2021 · 3 comments

robpblake commented Jul 9, 2021

Hi,

We have the following dependency in our Java project:

<dependency>
    <groupId>cloud.redhat.com</groupId>
    <artifactId>kafka-management-sdk</artifactId>
    <version>0.2.0</version>
</dependency>

For Maven to access this dependency, we need to use a Personal Access Token (PAT) from GitHub. This causes a bit of a headache when it comes to CI builds on GitHub Actions. For the CI build on GitHub Actions, we have to pass the PAT using Secrets as CLI params to mvn, e.g.:

mvn package -Dgithub.packages.user=${{ secrets.GH_PACKAGES_USER }} -Dgithub.packages.password=${{ secrets.GH_PACKAGES_PASSWORD }}

and then in settings.xml:

<servers>
    <server>
        <id>redhat-developer</id>
        <username>${github.packages.user}</username>
        <password>${github.packages.password}</password>
    </server>
</servers>

This becomes a problem when we want to run CI on PRs from forked repositories, as we have to use the pull_request_target event to expose the secret to the CI pipeline rather than just the pull_request event. So essentially we have to use elevated privileges on our CI pipelines just to read the package from GitHub Packages. We of course give the PAT minimal permissions (i.e. read:packages only), but the rest of our repository secrets are now less secure than they were.

This could be solved by publishing the JARs to a Maven repository that does not require authentication, e.g. repository.jboss.org.
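
The trade-off described in this issue, as an added example that is not part of the original post or the project's code: a heuristic Python check that classifies a GitHub Actions workflow by whether `pull_request_target` puts secrets within reach of fork-controlled code. The function name, both sample workflows and the checkout of the PR head are constructed assumptions; only the `mvn` command line is taken from the issue.

```python
import re

# Heuristic, line-based checks; a real linter would parse the YAML.
TRIGGER = re.compile(r"\bpull_request_target\b")
SECRET = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")

def audit_workflow(text):
    """Classify one workflow file by what fork-controlled code can reach."""
    # Ignore full-line comments so a commented-out trigger is not counted.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    privileged = bool(TRIGGER.search(body))
    secrets = sorted(set(SECRET.findall(body)))
    runs_pr_code = bool(PR_HEAD.search(body))
    if not privileged:
        risk = "none"    # fork PRs on pull_request receive no repository secrets
    elif runs_pr_code:
        risk = "high"    # fork code runs with secrets and the base repo token
    elif secrets:
        risk = "review"  # secrets in scope, but only base-branch code runs
    else:
        risk = "low"
    return {"risk": risk, "secrets": secrets}

# Constructed workflow for the setup described in the issue. The checkout of
# the PR head is an assumption: building a fork's PR under this trigger needs it.
FORK_CI_WITH_PAT = """
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: mvn package -Dgithub.packages.user=${{ secrets.GH_PACKAGES_USER }} -Dgithub.packages.password=${{ secrets.GH_PACKAGES_PASSWORD }}
"""

# Constructed workflow for a dependency that needs no authentication.
FORK_CI_PUBLIC_REPO = """
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: mvn package
"""
```

Running `audit_workflow` over every file in `.github/workflows/` gives a quick list of workflows to review before accepting PRs from forks.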

Collaborator

wtrocki commented Jul 9, 2021

GitHub is only a temporary solution. We will have Maven Central artifacts soon.

FYI @secondsun

@secondsun
Contributor

We got our Sonatype account configured last week and are in the process of publishing to Maven Central. Watch this space.

secondsun self-assigned this Jul 12, 2021

@secondsun
Contributor

JARs are published and hosted on Maven Central now.

See this PR with an example of the new coordinates: redhat-developer/app-services-operator#239

andreaTP pushed a commit to andreaTP/app-services-sdk-java that referenced this issue Jan 19, 2023
…in-fixes

chore: remove invalid config samples