# library-development
r
Can someone confirm to me that we cannot publish to maven central from a private GitHub repository? I have a use case at work where I'd like to do that, but all I read talks about public GitHub repositories 🤔
a
If what you mean by "publishing from a private GitHub repository" is to publish from GitHub Actions from a private GitHub repository, the answer is, "You can publish to Maven Central from that repository."
r
I wasn't necessarily thinking of GitHub Actions, the question was because the Sonatype account and request for a new project asks for a git URL. Also even the usual ticket we create there is "_Community Support - Open Source Project Repository Hosting_" - emphasis on "Open Source", and my library would not be "open source".
but this may be a stupid question 😅
a
Ooooh, that I don't really know for sure. But it seems kind of inconvenient publishing a private library to a public maven repository.
r
tbh, we might just open source it.. I was kind of wondering if we could avoid it, but I don't see an issue with it. At that point though, if we open source it, GitHub packages is also an option that allows everyone to use the library, right? That is another question sorry, but just in case you know it 😄 We basically just want to provide a small library to everyone who wants to use it. We have atm a private GitHub repo (but we could make it public) and we are already using GH packages for other internal teams to use (so GH packages would be more convenient, if we could make them work for everyone and not just internal teams).
m
I'm 99% sure you can publish closed source to mavenCentral by shipping empty sources and javadoc jars. It's against the spirit of the repo but I don't think anyone is going to complain if you're doing it
You could also use other repos. I've used repsy.io in the past, it's working well
b
Please don't publish ONLY to gh packages. They still don't support anonymous access and setting those repos and credentials up for each project is a pain.
r
thanks @mbonnin, I'll take a look at repsy. And thanks for letting me know that it should work to maven central as well
@Big Chungus you mean on the consuming side? Each project that needs to use it needs to use credentials (like github username and PAT)? I hoped if repo is public all they needed was a maven declaration with the repo link
b
I meant exactly that
r
@Big Chungus I see.. in our specific case, that wouldn't be a huge issue since the expectation is that only very specific teams will want to use this library. The reason I'm considering it is because for maven central (afaik) there is a single authentication process, i.e, we only have one email/gpg key/password. But in the context of a team, we would need to share these to at least a couple of devs so that we can go there and close/publish. But then what happens if someone leaves the team? We need to change all keys, and passwords. Or is there a way to have different credentials to access the same maven central account and we could just drop some individually? Do you know?
m
You can have different logins have access to the same groupId with MavenCentral. You'll just need to file a Jira ticket and let Joel Orlina do his magic 😄
Let me see if I can find an example
b
Why would you need any credentials to pull from maven central?
m
Ah, I was thinking for pushing
r
I mean publishing
m
Yea, pulling is all public
b
Publishing secrets should not be shared with people and instead stored on CI
m
For publishing, here is an example of adding members to a groupId
b
That's the standard practice
m
But yea, agree with @Big Chungus there, you shouldn't need too much of that
r
Ofc Martynas, but what about credentials to login into maven where we do the closing and publishing. Those might not be part of the CI workflow
m
You can make it part of the CI workflow
b
You can do that from ci too
r
And still, if I am setting up those keys and passwords, what if I leave the company? 😄
b
Then you only have one set of credentials to hand over and change
m
Use a generic id (vendor@company.com) instead of your own
r
hmm yeah.. I guess that's not too bad.
You're right Martynas
🙂
thanks a lot guys. I think I'll take the maven central route. If I see that actually we need to open source it, it's just a matter of opening an IT ticket and have someone do it. I don't think we need to have this closed source.
@mbonnin btw.. you said with no javadocs and source jars. If I still include those by mistake, can I be in some kind of trouble? Or since the only affected party is my own company, so if I can tell them it's ok, then it is ok? 😄
m
Oh yea, definitely ok if you don't mind
I don't think Sonatype cares whatever you put in the `-sources.jar`. I think you could put a `Hello.md` in there and that'll work
b
A lot of kmp libs have been pushing empty -javadoc.jar for years now with no issues