Sonatype / Maven Central
Publishing to Maven Central via Sonatype. Includes GPG signing, staging, and release automation.
Setup
Prerequisites
- A Sonatype account at central.sonatype.com
- Publishing rights for your groupId (e.g. io.github.yourname)
- GPG for signing artifacts
- CI environment variables for credentials
Interactive setup
bleep publish setup
Select "Sonatype / Maven Central". The wizard will:
- Generate a GPG key pair
- Upload the public key to a keyserver
- Tell you exactly which CI environment variables to set
bleep.yaml
Maven Central requires POM metadata. Set it in a template:
templates:
  template-oss:
    publish:
      groupId: com.mycompany
      url: https://github.com/mycompany/mylib
      description: My awesome library
      organization: My Company
      developers:
        - id: dev1
          name: Developer One
          url: https://github.com/dev1
      licenses:
        - name: MIT
          url: http://opensource.org/licenses/MIT
          distribution: repo
projects:
  mylib:
    extends: template-oss
groupId, url, developers, and licenses are required by Sonatype.
Sonatype-specific fields
| Field | Default | Description |
|---|---|---|
| sonatypeProfileName | Same as groupId | Sonatype staging profile name |
| sonatypeCredentialHost | central.sonatype.com | Sonatype API endpoint |
You almost never need to set these.
Environment variables
| Variable | Description |
|---|---|
| SONATYPE_USERNAME | Sonatype user token username |
| SONATYPE_PASSWORD | Sonatype user token password |
| PGP_SECRET | Base64-encoded GPG private key |
| PGP_PASSPHRASE | GPG key passphrase |
Get Sonatype tokens: central.sonatype.com > username > View Account > Generate User Token. These are user tokens, not your account username/password.
Publishing
bleep publish sonatype
This will:
- Derive version from git tags (DynVer)
- Compile all publishable projects
- Package artifacts (JAR, POM, sources, javadoc)
- Sign with GPG
- Add checksums (MD5, SHA1)
- Upload to Sonatype staging
- Close and release the staging repository
Explicit version
bleep publish sonatype --version 1.0.0
Snapshots vs releases
- Clean git tag (e.g. v1.0.0) → release
- Anything else → snapshot (gets -SNAPSHOT suffix)
Release assertion
bleep publish sonatype --assert-release
Fails if the version would be a snapshot. Useful in CI.
CI/CD
Set the environment variables and run bleep publish sonatype. CI-agnostic — works with any CI.
Example trigger: push a git tag to start a release:
git tag v1.0.0
git push origin v1.0.0
SCM metadata in the POM is auto-detected from your git remote. No configuration needed.
Troubleshooting
401 Unauthorized
Verify SONATYPE_USERNAME and SONATYPE_PASSWORD are user tokens (not your account password). Regenerate at central.sonatype.com > View Account > Generate User Token.
GPG / PGP errors
Run bleep publish setup to regenerate keys. Ensure PGP_SECRET is base64-encoded as a single line.
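A preflight check for the four variables listed under Environment variables, catching the missing-credential and multi-line PGP_SECRET cases before any upload is attempted. This is an added example, not part of bleep: the function name check_publish_env is hypothetical, and it assumes a base64 utility that accepts -d.

```shell
#!/bin/sh
# Added example (not bleep's own code): validate the publishing secrets
# before running `bleep publish sonatype`. Only variable names are printed,
# never their values, so the output is safe to keep in CI logs.

check_publish_env() {
    problems=0

    # Every variable from the Environment variables table must be non-empty.
    for name in SONATYPE_USERNAME SONATYPE_PASSWORD PGP_SECRET PGP_PASSPHRASE; do
        eval "value=\${$name-}"
        if [ -z "$value" ]; then
            echo "missing: $name" >&2
            problems=$((problems + 1))
        fi
    done

    # PGP_SECRET must be base64 on a single line. Line breaks are tested
    # separately because common base64 decoders silently accept them.
    secret=${PGP_SECRET-}
    if [ -n "$secret" ]; then
        case $secret in
            *[[:space:]]*)
                echo "PGP_SECRET contains whitespace or line breaks" >&2
                problems=$((problems + 1))
                ;;
            *)
                if ! printf '%s' "$secret" | base64 -d >/dev/null 2>&1; then
                    echo "PGP_SECRET is not valid base64" >&2
                    problems=$((problems + 1))
                fi
                ;;
        esac
    fi

    # Exit status is the number of problems found (0 means ready to publish).
    return "$problems"
}

# Typical CI use:
#   check_publish_env && bleep publish sonatype --assert-release
```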