xh · jskupsik · Feb 2, 2026 · Feb 2, 2026 · Feb 10, 2026 · Feb 10, 2026
diff --git a/.github/workflows/deployRelease.yml b/.github/workflows/deployRelease.yml
@@ -0,0 +1,62 @@
+name: Deploy Release
+
+on:
+    workflow_dispatch:
+        inputs:
+            xhReleaseVersion:
+                description: 'Release version - set as the xhReleaseVersion'
+                required: true
+                type: string
+
+jobs:
+    deployRelease:
+
+        runs-on: ubuntu-latest
+        permissions:
+            contents: write
+
+        steps:
+        - name: Checkout branch ${{ github.ref_name }}
+          uses: actions/checkout@v6
+          with:
+              ref: ${{ github.ref }}
+
+        - name: Validate tag v${{ inputs.xhReleaseVersion }} does not exist
+          run: |
+              if git tag --list | grep -q "^v${{ inputs.xhReleaseVersion }}$"; then
+                echo "Release tag 'v${{ inputs.xhReleaseVersion }}' already exists. Aborting."
+                exit 1
+              fi
+
+        - name: Set up JDK 17
+          uses: actions/setup-java@v5
+          with:
+              java-version: '17'
+              distribution: 'zulu'
+
+        - name: Setup Gradle
+          uses: gradle/actions/setup-gradle@v5
+
+        - name: Build and publish release to Sonatype
+          env:
+              SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+              SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+              SIGNING_KEY_ID: ${{secrets.SIGNING_KEY_ID}}
+              SIGNING_PASSWORD: ${{secrets.SIGNING_PASSWORD}}
+              SECRING_FILE: ${{ secrets.SECRING_FILE }}
+              XH_RELEASE_VERSION: ${{ inputs.xhReleaseVersion }}
+          run: |
+              echo $SECRING_FILE | base64 -d > secring.gpg
+              (set -x; ./gradlew -Psigning.secretKeyRingFile="${GITHUB_WORKSPACE}/secring.gpg" -PxhReleaseVersion="$XH_RELEASE_VERSION" publishToSonatype closeSonatypeStagingRepository --no-daemon)
+
+        - name: Create release tag v${{ inputs.xhReleaseVersion }}
+          run: |
+              git tag "v${{ inputs.xhReleaseVersion }}"
+              git push origin "v${{ inputs.xhReleaseVersion }}"
+
+        - name: Create GitHub Release
+          env:
+              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              XH_RELEASE_VERSION: ${{ inputs.xhReleaseVersion }}
+          run: gh release create "v$XH_RELEASE_VERSION" --title "v$XH_RELEASE_VERSION" --generate-notes
+
diff --git a/.github/workflows/deploySnapshot.yml b/.github/workflows/deploySnapshot.yml
@@ -0,0 +1,57 @@
+name: Deploy Snapshot
+
+on:
+    workflow_dispatch:
+        inputs:
+            xhReleaseVersionOverride:
+                description: '(Optional) Manual override to xhReleaseVersion'
+                type: string
+    push:
+        branches: [ "develop" ]
+
+jobs:
+    deploySnapshot:
+
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+
+        steps:
+        - name: Checkout branch ${{ github.ref_name }}
+          uses: actions/checkout@v6
+          with:
+              ref: ${{ github.ref }}
+        - name: Set up JDK 17
+          uses: actions/setup-java@v5
+          with:
+              java-version: '17'
+              distribution: 'zulu'
+
+        - name: Setup Gradle
+          uses: gradle/actions/setup-gradle@v5
+
+        - name: Write xhReleaseVersion override to gradle.properties
+          if: inputs.xhReleaseVersionOverride != ''
+          run: |
+              VERSION="${{ inputs.xhReleaseVersionOverride }}"
+              if [[ ! "$VERSION" == *-SNAPSHOT ]]; then
+                VERSION="$VERSION-SNAPSHOT"
+              fi
+              sed -i "s/^xhReleaseVersion=.*/xhReleaseVersion=$VERSION/" gradle.properties
+              echo "Updated xhReleaseVersion to SNAPSHOT version: $VERSION"
+
+        - name: Validate version
+          run: |
+              VERSION=$(./gradlew properties -q | grep "^version:" | awk '{print $2}')
+              if [[ ! "$VERSION" == *-SNAPSHOT ]]; then
+                echo "'$VERSION' is not a SNAPSHOT version. Aborting."
+                exit 1
+              fi
+              echo "Validated snapshot version: $VERSION"
+
+        - name: Build and publish snapshot to Sonatype
+          env:
+              SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+              SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+          run: |
+              (set -x; ./gradlew publishToSonatype closeSonatypeStagingRepository --no-daemon)
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -21,17 +21,17 @@ jobs:
       contents: read
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up JDK 17
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         java-version: '17'
         distribution: 'zulu'
 
     # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies.
     # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+      uses: gradle/actions/setup-gradle@v5
 
     - name: Build with Gradle Wrapper
       run: ./gradlew build
@@ -40,7 +40,7 @@ jobs:
     # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version.
     #
     # - name: Setup Gradle
-    #   uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+    #   uses: gradle/actions/setup-gradle@v5
     #   with:
     #     gradle-version: '8.5'
     #
@@ -54,14 +54,14 @@ jobs:
       contents: write
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up JDK 17
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         java-version: '17'
         distribution: 'zulu'
 
     # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
     # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+      uses: gradle/actions/dependency-submission@v5
diff --git a/build.gradle b/build.gradle
@@ -16,6 +16,9 @@ plugins {
     id "war"
     id "idea"
     id "java-library"
+    id 'maven-publish'
+    id 'signing'
+    id "io.github.gradle-nexus.publish-plugin" version "2.0.0"
 }
 // Not Published to Gradle Plugin Portal
 apply plugin: "org.apache.grails.gradle.grails-web"
@@ -111,80 +114,109 @@ tasks.withType(JavaCompile) {
 
 
 //------------------------
-// Maven publishing
-// This is a modified version of the gradle configs setup by the Grails plugin publishing plugin
-// https://github.com/grails/grails-core/blob/master/grails-gradle-plugin/src/main/groovy/org/grails/gradle/plugin/publishing/GrailsCentralPublishGradlePlugin.groovy
-// The default behavior assumes publishing of non-snapshot builds only to the paid (if private) Bintray system
+// Maven Central publishing
+// This was written using the "How to Publish a Grails Plugin to the Maven Central Repository" guide
+// https://grails.apache.org/blog/2021-04-07-publish-grails-plugin-to-maven-central.html
+// See also "A sample Grails plugin configured to publish to Maven Central"
+// https://github.com/puneetbehl/myplugin/blob/main/build.gradle
 //------------------------
-apply plugin:'maven-publish'
+
+// Signing artifacts
+ext.isReleaseVersion = !version.endsWith('-SNAPSHOT')
+ext.'signing.keyId' = project.hasProperty("signing.keyId") ? project.getProperty('signing.keyId') : System.getenv('SIGNING_KEY_ID')
+ext.'signing.secretKeyRingFile' = (project.hasProperty("signing.secretKeyRingFile") ? project.getProperty('signing.secretKeyRingFile') : System.getenv('SIGNING_SECRET_KEY_RING_FILE')) ?: "${System.properties['user.home']}${File.separator}.gnupg${File.separator}secring.gpg"
+ext.'signing.password' = project.hasProperty("signing.password") ? project.getProperty('signing.password') : System.getenv('SIGNING_PASSWORD')
+
+// Define the hoist core build
 publishing {
     publications {
         hoistCore(MavenPublication) {
+            groupId = 'io.xh'
             artifactId = 'hoist-core'
+            version = xhReleaseVersion
 
-            pom.withXml {
-                Node pomNode = asNode()
-                if (pomNode.dependencyManagement) {
-                    pomNode.dependencyManagement[0].replaceNode {}
-                }
+            from components.java
 
-                pomNode.children().last() + {
-                    delegate.name 'hoist-core'
-                    delegate.description "Extremely Heavy Industry's toolkit for enterprise web applications."
-                    delegate.url 'https://xh.io'
-                    delegate.organization {
-                        delegate.name 'Extremely Heavy Industries'
-                        delegate.url 'https://xh.io'
-                    }
-                    delegate.scm {
-                        delegate.url "https://github.com/xh/hoist-core"
-                        delegate.connection "scm:git@github.com:xh/hoist-core.git"
-                        delegate.developerConnection "scm:git@github.com:xh/hoist-core.git"
-                    }
-                    delegate.issueManagement {
-                        delegate.system "GitHub"
-                        delegate.url "https://github.com/xh/hoist-core/issues"
-                    }
-                    delegate.developers {
-                        delegate.developer {
-                            delegate.id 'xh'
-                            delegate.name 'Extremely Heavy Industries'
-                            delegate.email 'info@xh.io'
-                        }
+            pom {
+                name = 'hoist-core'
+                description = "Extremely Heavy Industry's toolkit for enterprise web applications."
+                url = 'https://xh.io'
+                licenses {
+                    license {
+                        name = 'The Apache License, Version 2.0'
+                        url = 'https://www.apache.org/licenses/LICENSE-2.0.txt'
                     }
                 }
-
-                pomNode.dependencies.dependency.findAll {
-                    it.version.text().isEmpty()
-                }.each {
-                    it.replaceNode {}
+                organization {
+                    name = 'Extremely Heavy Industries'
+                    url = 'https://xh.io'
+                }
+                scm {
+                    url = "https://github.com/xh/hoist-core"
+                    connection = "scm:git@github.com:xh/hoist-core.git"
+                    developerConnection = "scm:git@github.com:xh/hoist-core.git"
+                }
+                issueManagement {
+                    system = "GitHub"
+                    url = "https://github.com/xh/hoist-core/issues"
+                }
+                developers {
+                    developer {
+                        id = 'xh'
+                        name = 'Extremely Heavy Industries'
+                        email = 'info@xh.io'
+                    }
                 }
             }
 
-            from components.java
-
-            def groovyOutputDir = sourceSets.main.output.classesDirs.files.find{it.path.contains('/groovy/')}
+            def groovyOutputDir = sourceSets.main.output.classesDirs.files.find { it.path.contains('/groovy/') }
             artifact source: "${groovyOutputDir}/META-INF/grails-plugin.xml",
                 classifier: 'plugin',
                 extension: 'xml'
         }
     }
+
+    // Defines the old xh repo (using the built-in publish plugin).
     repositories {
         maven {
             name = 'xhRepo'
-            def repoEndpoint = version.endsWith('-SNAPSHOT') ? 'snapshots' : 'releases'
+            def repoEndpoint = !isReleaseVersion ? 'snapshots' : 'releases'
             url = "https://repo.xh.io/content/repositories/$repoEndpoint/"
             credentials {
                 username = project.findProperty('xhRepoDeployUser')
                 password = project.findProperty('xhRepoDeployPassword')
             }
         }
     }
+
+    // Defines the maven central repository (using the gradle-nexus.publish-plugin).
+    nexusPublishing {
+        repositories {
+            sonatype {
+                // see https://central.sonatype.org/publish/publish-portal-ossrh-staging-api/#configuration
+                nexusUrl = uri "https://ossrh-staging-api.central.sonatype.com/service/local/"
+                snapshotRepositoryUrl = uri "https://central.sonatype.com/repository/maven-snapshots/"
+                username = project.hasProperty('sonatypeUsername') ? project.getProperty('sonatypeUsername') : System.getenv('SONATYPE_USERNAME')
+                password = project.hasProperty('sonatypePassword') ? project.getProperty('sonatypePassword') : System.getenv('SONATYPE_PASSWORD')
+            }
+        }
+    }
+
+    // Skip signing for SNAPSHOT releases as there is no need for them to be signed.
+    afterEvaluate {
+        signing {
+            required { isReleaseVersion }
+            sign publishing.publications.hoistCore
+        }
+    }
+    tasks.withType(Sign) {
+        onlyIf { isReleaseVersion }
+    }
 }
 
 task publishHoistCore(dependsOn: 'publishHoistCorePublicationToXhRepoRepository') {
     group = 'xhio'
-    description = 'Publishes a build to repo.xh.io.'
+    description = 'Old process used to publish a build to repo.xh.io.'
     doLast {
         println "Hoist $version published to repo.xh.io!"
     }

diff --git a/settings.gradle b/settings.gradle
@@ -0,0 +1 @@
+rootProject.name = 'hoist-core'