From d85333ccedbf9b891af3be45c5160bf98afa08c6 Mon Sep 17 00:00:00 2001 From: ankitdas13 Date: Tue, 9 Jun 2026 13:35:29 +0530 Subject: [PATCH 1/8] chore: migrate publishing from OSSRH to Central Portal Replace nexus-staging-maven-plugin with central-publishing-maven-plugin to publish via central.sonatype.com. Add workflow_dispatch trigger for manual publishing. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 27 ++++++++++++++------------- pom.xml | 19 +++++++------------ 2 files changed, 21 insertions(+), 25 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 23d629f3..b04a02ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,8 @@ on: pull_request: branches: - master -# Jobs + workflow_dispatch: + jobs: test: name: Run tests and publish test coverage 
@@ -22,41 +23,41 @@ jobs: with: java-version: 8 distribution: 'adopt' - + - name: Install dependencies run: mvn install -DskipTests=true -Dmaven.javadoc.skip=true -B -V -Dgpg.skip - + - name: Run tests and collect coverage - run: mvn -B test + run: mvn -B test - name: Upload coverage to Codecov uses: codecov/codecov-action@v3 with: fail_ci_if_error: false verbose: true - + publish: - if: startsWith(github.ref, 'refs/tags/v') + if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' needs: test runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + - name: Set up Maven Central Repository uses: actions/setup-java@v2 with: java-version: 8 distribution: 'adopt' - server-id: ossrh + server-id: central server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD gpg-private-key: ${{ secrets.OSSRH_GPG_SECRET_KEY }} - + - name: Build with Maven run: mvn clean package -B - + - name: Publish package - run: | - mvn deploy -Dgpg.passphrase=${{ secrets.MAVEN_GPG_PASSPHRASE }} + run: mvn deploy -Dgpg.passphrase=${{ secrets.MAVEN_GPG_PASSPHRASE }} env: - MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }} - MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }} + MAVEN_USERNAME: ${{ secrets.CENTRAL_USERNAME }} + MAVEN_PASSWORD: ${{ secrets.CENTRAL_TOKEN }} diff --git a/pom.xml b/pom.xml index a7b20c13..24914630 100644 --- a/pom.xml +++ b/pom.xml @@ -99,13 +99,9 @@ - ossrh - https://oss.sonatype.org/content/repositories/releases/ + central + https://central.sonatype.com/repository/maven-snapshots/ - - ossrh - https://oss.sonatype.org/service/local/repositories/releases/content/ - @@ -119,14 +115,13 @@ - org.sonatype.plugins - nexus-staging-maven-plugin - 1.6.9 + org.sonatype.central + central-publishing-maven-plugin + 0.7.0 true - ossrh - https://oss.sonatype.org/ - true + central + true From dea11b75d63093f792e4bc7c6ee235cb8361e5d1 Mon Sep 17 00:00:00 2001 
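Review bot: The new `publish` condition `startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'` puts no ref restriction on the manual path, so a manual run started from any branch signs and deploys that branch's contents. Anyone with write access could release unreviewed code under the project's signing key. Tie the manual path to the release branch, e.g. `if: startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/master')`, or run the job in a protected `environment:` with required reviewers. The same condition is restored unchanged in PATCH 8/8. Because this job holds the GPG key and the Central token, `actions/checkout@v2` and `actions/setup-java@v2` would also be better pinned to full commit SHAs.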
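Review bot: The second `true` added to the `central-publishing-maven-plugin` configuration appears to switch on automatic publishing, which would make `mvn deploy` release straight to Maven Central with no manual review of the validated bundle. The element names are not visible in this rendering, so confirm which setting it is. A release on Central cannot be withdrawn, so together with the manually triggerable `publish` job a mistaken run becomes permanent. Unless hands-off release is intended, leave the setting off so a maintainer publishes from the portal after checking the deployment, and record the choice in a short POM comment. The first hunk of this file also points a repository entry at a `maven-snapshots` URL although the project publishes release versions; confirm that entry is the one intended.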
From: ankitdas13 Date: Tue, 9 Jun 2026 13:37:41 +0530 Subject: [PATCH 2/8] chore: add publish dry-run job to validate artifacts before deploy Runs on every push/PR to verify: - Main JAR, sources JAR, and javadoc JAR are generated - pom.xml has all required Central Portal metadata - Version is non-SNAPSHOT Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 42 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b04a02ee..e2cb3228 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -36,9 +36,49 @@ jobs: fail_ci_if_error: false verbose: true + publish-dry-run: + name: Publish dry run (validate artifacts) + needs: test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Set up Java JDK + uses: actions/setup-java@v2 + with: + java-version: 8 + distribution: 'adopt' + + - name: Build package with sources and javadoc + run: mvn clean package -B -Dgpg.skip + + - name: Verify artifacts exist + run: | + echo "=== Checking generated artifacts ===" + ls -la target/*.jar + echo "" + echo "=== Verifying JAR ===" + test -f target/razorpay-java-*.jar && echo "✓ Main JAR found" || (echo "✗ Main JAR missing" && exit 1) + echo "=== Verifying Sources JAR ===" + test -f target/razorpay-java-*-sources.jar && echo "✓ Sources JAR found" || (echo "✗ Sources JAR missing" && exit 1) + echo "=== Verifying Javadoc JAR ===" + test -f target/razorpay-java-*-javadoc.jar && echo "✓ Javadoc JAR found" || (echo "✗ Javadoc JAR missing" && exit 1) + + - name: Validate pom.xml metadata + run: | + echo "=== Validating pom.xml for Central Portal requirements ===" + mvn help:evaluate -Dexpression=project.groupId -q -DforceStdout | grep -q "com.razorpay" && echo "✓ groupId present" || (echo "✗ groupId missing" && exit 1) + mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout | grep -q "razorpay-java" && echo "✓ artifactId present" || (echo "✗ artifactId missing" && exit 1) + mvn help:evaluate -Dexpression=project.version -q -DforceStdout | grep -qv "SNAPSHOT" && echo "✓ version is release (non-SNAPSHOT)" || (echo "✗ version is SNAPSHOT" && exit 1) + mvn help:evaluate -Dexpression=project.name -q -DforceStdout | grep -q "." && echo "✓ name present" || (echo "✗ name missing" && exit 1) + mvn help:evaluate -Dexpression=project.description -q -DforceStdout | grep -q "." 
&& echo "✓ description present" || (echo "✗ description missing" && exit 1) + mvn help:evaluate -Dexpression=project.url -q -DforceStdout | grep -q "http" && echo "✓ url present" || (echo "✗ url missing" && exit 1) + echo "" + echo "=== All Central Portal validations passed ===" + publish: if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' - needs: test + needs: publish-dry-run runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 From bbffe44272a5b4d8e79ddfeb810dd94b5157d783 Mon Sep 17 00:00:00 2001 From: ankitdas13 Date: Tue, 9 Jun 2026 13:41:06 +0530 Subject: [PATCH 3/8] fix: use exact version in artifact verification to avoid glob expansion Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e2cb3228..a0446ba9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
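Review bot: The coordinate checks in the `Validate pom.xml metadata` step are unanchored regex matches, so `grep -q "com.razorpay"` also accepts a value like `org.com-razorpay.fork` and `grep -q "razorpay-java"` accepts `razorpay-java-test`. A pre-publish gate should compare the whole value literally, e.g. `grep -qxF "com.razorpay"` and `grep -qxF "razorpay-java"`. The `cmd && echo ok || (echo fail && exit 1)` pattern only stops the step because the runner's default shell uses `-e`, since the `exit 1` ends just the subshell. A plain `if ! …; then echo …; exit 1; fi` would make the failure path explicit. The job's steps are extended by later patches in this series.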
@@ -57,12 +57,13 @@ jobs: echo "=== Checking generated artifacts ===" ls -la target/*.jar echo "" + VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) echo "=== Verifying JAR ===" - test -f target/razorpay-java-*.jar && echo "✓ Main JAR found" || (echo "✗ Main JAR missing" && exit 1) + test -f "target/razorpay-java-${VERSION}.jar" && echo "✓ Main JAR found" || (echo "✗ Main JAR missing" && exit 1) echo "=== Verifying Sources JAR ===" - test -f target/razorpay-java-*-sources.jar && echo "✓ Sources JAR found" || (echo "✗ Sources JAR missing" && exit 1) + test -f "target/razorpay-java-${VERSION}-sources.jar" && echo "✓ Sources JAR found" || (echo "✗ Sources JAR missing" && exit 1) echo "=== Verifying Javadoc JAR ===" - test -f target/razorpay-java-*-javadoc.jar && echo "✓ Javadoc JAR found" || (echo "✗ Javadoc JAR missing" && exit 1) + test -f "target/razorpay-java-${VERSION}-javadoc.jar" && echo "✓ Javadoc JAR found" || (echo "✗ Javadoc JAR missing" && exit 1) - name: Validate pom.xml metadata run: | From 9effd35df9d433014f5f13a4b9c4c32882a4679f Mon Sep 17 00:00:00 2001 From: ankitdas13 Date: Tue, 9 Jun 2026 13:45:01 +0530 Subject: [PATCH 4/8] chore: add Central Portal credentials validation to dry-run Calls the Central Portal API to verify CENTRAL_USERNAME and CENTRAL_TOKEN secrets are valid before attempting a real publish. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a0446ba9..5dd99b90 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -77,6 +77,30 @@ jobs: echo "" echo "=== All Central Portal validations passed ===" + - name: Validate Central Portal credentials + env: + CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }} + CENTRAL_TOKEN: ${{ secrets.CENTRAL_TOKEN }} + run: | + echo "=== Validating Central Portal credentials ===" + if [ -z "$CENTRAL_USERNAME" ] || [ -z "$CENTRAL_TOKEN" ]; then + echo "✗ CENTRAL_USERNAME or CENTRAL_TOKEN secrets are not set" + exit 1 + fi + HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" -u "${CENTRAL_USERNAME}:${CENTRAL_TOKEN}" \ + "https://central.sonatype.com/api/v1/publisher/published?namespace=com.razorpay&name=razorpay-java") + if [ "$HTTP_STATUS" -eq 200 ]; then + echo "✓ Central Portal credentials are valid (HTTP $HTTP_STATUS)" + elif [ "$HTTP_STATUS" -eq 401 ]; then + echo "✗ Central Portal credentials are invalid (HTTP 401 Unauthorized)" + exit 1 + elif [ "$HTTP_STATUS" -eq 403 ]; then + echo "✗ Central Portal credentials lack permission (HTTP 403 Forbidden)" + exit 1 + else + echo "⚠ Unexpected response from Central Portal (HTTP $HTTP_STATUS) — credentials may still be valid" + fi + publish: if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' needs: publish-dry-run From 5b016ecb7381c926aa3ea3ec4ccaae2f50de8c3d Mon Sep 17 00:00:00 2001 From: ankitdas13 Date: Tue, 9 Jun 2026 13:58:48 +0530 Subject: [PATCH 5/8] disable tag check --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5dd99b90..bd6fffeb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -102,7 +102,7 @@ jobs: fi publish: - if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' +# if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' needs: publish-dry-run runs-on: ubuntu-latest steps: From 07d50f86623e3ec7993c4f81335059a1bd9889f8 Mon Sep 17 00:00:00 2001 
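Review bot: The `Validate Central Portal credentials` step loads `CENTRAL_USERNAME` and `CENTRAL_TOKEN` into `publish-dry-run`, a job with no `if:` guard that runs on every event in `on:`, so the publishing token is now exposed well beyond the tag-gated `publish` job. On pull requests from forks the secrets are empty and the step hits its own `exit 1`, which would fail CI for outside contributors. Gate the step with the same condition as `publish`, e.g. `if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'`, or move it into `publish`. The final `else` branch also fails open: a timeout or 5xx response only prints a warning, so a real gate should `exit 1` there and give `curl` a `--max-time`.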
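Review bot: Commenting out the `if:` on `publish` makes the job run for every trigger in `on:`, including `pull_request`, so any event that runs this revision of the workflow attempts a signed `mvn deploy` to Central. The guard is restored in PATCH 8/8, but each intermediate commit that is pushed still executes as written. To exercise the job without a tag, keep the condition and use the `workflow_dispatch` trigger added in PATCH 1/8, and squash this commit out of the series before merging.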
From: ankitdas13 Date: Tue, 9 Jun 2026 14:16:58 +0530 Subject: [PATCH 6/8] fix: pass GPG passphrase via env var for maven-gpg-plugin setup-java's gpg-passphrase parameter sets the env var name that maven-gpg-plugin reads the passphrase from, fixing sign failures in CI. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bd6fffeb..6124e850 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -117,12 +117,14 @@ jobs: server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD gpg-private-key: ${{ secrets.OSSRH_GPG_SECRET_KEY }} + gpg-passphrase: MAVEN_GPG_PASSPHRASE - name: Build with Maven run: mvn clean package -B - name: Publish package - run: mvn deploy -Dgpg.passphrase=${{ secrets.MAVEN_GPG_PASSPHRASE }} + run: mvn deploy env: MAVEN_USERNAME: ${{ secrets.CENTRAL_USERNAME }} MAVEN_PASSWORD: ${{ secrets.CENTRAL_TOKEN }} + MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }} From 54ca5fcab12d7bdda56f58049388c4fdc8d411b7 Mon Sep 17 00:00:00 2001 From: ankitdas13 Date: Tue, 9 Jun 2026 14:20:03 +0530 Subject: [PATCH 7/8] fix: configure GPG agent for loopback pinentry in CI Adds gpg-agent.conf setup and lists imported keys to debug signing issues in the publish job. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6124e850..032020fa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -119,6 +119,12 @@ jobs: gpg-private-key: ${{ secrets.OSSRH_GPG_SECRET_KEY }} gpg-passphrase: MAVEN_GPG_PASSPHRASE + - name: Configure GPG + run: | + echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf + gpg-connect-agent reloadagent /bye + gpg --list-secret-keys + - name: Build with Maven run: mvn clean package -B 
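Review bot: `gpg --list-secret-keys` in the new `Configure GPG` step is debug output left in the release job. It writes the signing key's fingerprint and user ID to the job log, which stays readable to anyone who can view the run. No private key material is printed, but the line serves no purpose once signing works and should be removed before merge. A comment above the `allow-loopback-pinentry` line, such as `# loopback pinentry lets maven-gpg-plugin supply the passphrase non-interactively`, would explain why the agent config is modified. The step also assumes `~/.gnupg` already exists from the key import in the preceding setup step.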
From 994de8263206158e5669d7f781662ff39622314b Mon Sep 17 00:00:00 2001 From: ankitdas13 Date: Tue, 9 Jun 2026 14:22:43 +0530 Subject: [PATCH 8/8] chore: re-enable publish job condition guard Publish only on tag push (v*.*.*) or manual workflow_dispatch. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 032020fa..7883016b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -102,7 +102,7 @@ jobs: fi publish: -# if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' + if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' needs: publish-dry-run runs-on: ubuntu-latest steps: