Add recommendations on Publishing libraries to Maven Central #180

Merged
merged 1 commit into from
Nov 27, 2024
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -88,7 +88,9 @@ This repository document [principles](#principles), standards and [guidelines](#
- [GitHub](github.md)
- [Github Actions](github-actions.md)
- [Logging](logging.md)
- [NPM packages](npm-packages.md)
- Publishing software libraries
- [NPM packages](npm-packages.md)
- [Maven Central for Scala, Kotlin & other JVM-based languages](publishing-libraries-to-maven-central.md)
- [Production Services, Ownership and Maintenance](ownership.md)
- [Pull requests](pull-requests.md)
- [Resiliency and Robustness](resiliency.md)
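Review bot: The new "Publishing software libraries" group takes the slot the old "NPM packages" entry had, between "Logging" and "Production Services, Ownership and Maintenance", but the surrounding entries are in alphabetical order and "Publishing" sorts after "Production". Move the group down one entry so it sits between the Production Services line and "Pull requests". The indentation is not visible in this rendering, so it is also worth checking that the two child links are indented under the parent bullet in the raw Markdown; otherwise they render as siblings of it.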
36 changes: 36 additions & 0 deletions publishing-libraries-to-maven-central.md
@@ -0,0 +1,36 @@
# Publishing libraries to Maven Central

[Maven Central](https://central.sonatype.com/), administered by [Sonatype](https://www.sonatype.com/),
is the de-facto artifact repository for JVM-based languages like Scala & Kotlin - for Typescript/JavaScript,
the equivalent would be the [npm Registry](npm-packages.md).

At the Guardian we publish many libraries to Maven Central, and are standardising on reusable automated
GitHub Action release workflows with these aims:

* **achieve zero-onboarding for new developers**: Any developer who has `write` access to a repo should be able
to publish a release of the library, at the click of a button.
* **securely handle release credentials** - only allow access to release credentials for parts of the release process
that [_need_](https://github.com/guardian/gha-scala-library-release-workflow/blob/main/docs/security-design.md) them.
* **automated version compatibility checking** - to avoid [binary-incompatibility causing runtime errors](https://github.com/guardian/facia-scala-client/issues/301).
* **reduce per-repo config** - adding library-publishing to a repo should add _minimal_ boilerplate.

## Admin access

As our automated GitHub Action workflows provide all the access that most users need, we have
[very few user accounts](https://docs.google.com/spreadsheets/d/1B_XYsuxNwBuvJ9o72iqgerSeql97bEJw5pT9P5i9A5E/edit?usp=sharing)
with direct admin access to Maven Central/Sonatype. If necessary, see the [docs](https://docs.google.com/document/d/1zA8CHa1a8faemorWokUlbkdexYzpilalqcPFwkRu92M/edit?usp=sharing)
on credential rotation & account recovery.

# Scala libraries

Scala is our most common language for JVM-language artifacts. Any Guardian repo publishing a library
should use [`gha-scala-library-release-workflow`](https://github.com/guardian/gha-scala-library-release-workflow),
which provides many lovely [benefits & features](https://github.com/guardian/gha-scala-library-release-workflow/blob/main/docs/benefits.md).

See [how to configure a repo to use the workflow](https://github.com/guardian/gha-scala-library-release-workflow/blob/main/docs/configuration.md).

# Kotlin libraries

We're working on adopting a similar approach for our Android/Kotlin libraries, see eg:

* https://github.com/guardian/source-apps/pull/10
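Review bot: The first aim says any developer with `write` access to a repo should be able to publish a release, which makes repo `write` access the effective publishing permission for Maven Central, yet neither that aim nor the "Admin access" section states this consequence. Add a sentence saying that granting `write` on a library repo grants the ability to publish, so that access is reviewed with that in mind. On style, `# Scala libraries` and `# Kotlin libraries` are top-level headings in a file whose title is already `# Publishing libraries to Maven Central` and whose preceding section is `## Admin access`; use `##` for both. The aims list also mixes separators: the first item puts a colon after the bold text and the other three use a hyphen.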