Skip to content

feat(kotlin): publish Kotlin SDK to Maven Central#281

Open
soamdesai-tfh wants to merge 2 commits into
worldcoin:mainfrom
soamdesai-tfh:claude/keen-bouman-c8d99d
Open

feat(kotlin): publish Kotlin SDK to Maven Central#281
soamdesai-tfh wants to merge 2 commits into
worldcoin:mainfrom
soamdesai-tfh:claude/keen-bouman-c8d99d

Conversation

@soamdesai-tfh

@soamdesai-tfh soamdesai-tfh commented Jun 15, 2026
edited by cursor Bot
Loading

Copy link
Copy Markdown
Contributor

What

Publishes the Kotlin SDK (com.worldcoin:idkit) to Maven Central, alongside the existing GitHub Packages publishing — so consumers can use implementation("com.worldcoin:idkit:<version>") with no authentication. The com.worldcoin namespace is already verified on the Sonatype Central Portal, so this is release-engineering wiring, not new infrastructure.

Changes

  • Adopt the com.vanniktech.maven.publish plugin (0.34.0) for the bindings module
  • Add a production-gated Maven Central publish step to publish-kotlin.yml; GitHub Packages publishing is unchanged
  • Sign publications only when a signing key is supplied, so dev releases keep working
  • verifyKotlinNativeLibraries fails any publish if an Android ABI's libidkit.so is missing or empty, preventing a broken AAR from reaching the (immutable) registry
  • CI validates the publication via publishToMavenLocal (artifact set, POM metadata, native libraries bundled for all four ABIs)
  • Add a relocation POM script for the renamed idkit-kotlin artifact
  • README leads with Maven Central; GitHub Packages documented for dev builds

Verification

  • Local: publishToMavenLocal produces a signed, complete publication (AAR + sources + javadoc + POM); the native-lib guard and PKG_VERSION override were confirmed
  • Against Sonatype: a throwaway version uploaded to the Central Portal reached VALIDATED, then dropped — confirming credentials, namespace rights, and signature validation

Note

Medium Risk
Touches production release pipelines, Maven Central credentials, and signing; mistakes could publish incomplete or wrong artifacts, though Central-first ordering and native-lib guards reduce blast radius.

Overview
Adds Maven Central as the primary distribution path for com.worldcoin:idkit, while dev builds still go only to GitHub Packages.

The bindings module now uses com.vanniktech.maven.publish (0.34.0) instead of hand-rolled maven-publish POM wiring: Central publication, sources/javadoc jars, POM metadata, and GPG signing only when signingInMemoryKey is set. A verifyKotlinNativeLibraries Gradle check blocks any publish if an ABI’s libidkit.so is missing or empty.

CI runs publishToMavenLocal in the Kotlin job and asserts the full artifact set, required POM elements, and all four JNI ABIs inside the AAR. The publish workflow uploads to Maven Central first on production (signed, with Central secrets), then publishes to GitHub Packages via publishAllPublicationsToGitHubPackagesRepository so dev releases don’t hit Central or require signing.

Docs now lead with Maven Central; scripts/publish-relocation-pom.sh is a one-time helper for a relocation POM from legacy idkit-kotlin coordinates.

Reviewed by Cursor Bugbot for commit cff5e0d. Bugbot is set up for automated code reviews on this repo. Configure here.

@soamdesai-tfh @claude
feat(kotlin): publish Kotlin SDK to Maven Central
d149815 
Publish com.worldcoin:idkit to Maven Central so consumers no longer
need GitHub Packages authentication tokens. GitHub Packages publishing
is retained for dev builds.

- Adopt the com.vanniktech.maven.publish plugin (0.34.0) for the
  bindings module, replacing the hand-rolled maven-publish config
- Add a production-gated Maven Central publish step to the Kotlin
  release workflow; keep the GitHub Packages step for dev + prod
- Sign publications only when a signing key is supplied, so dev
  releases remain unsigned
- Add a verifyKotlinNativeLibraries preflight that fails publishing
  if any Android ABI's native library is missing or empty
- Validate the publication in CI (publishToMavenLocal + artifact,
  POM, and bundled native-library checks)
- Add a relocation POM script for the renamed idkit-kotlin artifact
- Document Maven Central as the primary install path

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@vercel

vercel Bot commented Jun 15, 2026

Copy link
Copy Markdown

@soamdesai-tfh is attempting to deploy a commit to the Worldcoin Team on Vercel.

A member of the Team first needs to authorize it.

@soamdesai-tfh @claude
fix(kotlin): declare maven-publish plugin version for sample app build
cff5e0d 
The sample app is a separate Gradle build that includes :bindings via a
project path. It must declare the com.vanniktech.maven.publish version
(apply false) so bindings resolves it, the same way it already does for
the Android and Kotlin plugins.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paolodamico paolodamico Awaiting requested review from paolodamico paolodamico is a code owner

@andy-t-wang andy-t-wang Awaiting requested review from andy-t-wang andy-t-wang is a code owner

@SeanROlszewski SeanROlszewski Awaiting requested review from SeanROlszewski SeanROlszewski is a code owner

@Guardiola31337 Guardiola31337 Awaiting requested review from Guardiola31337 Guardiola31337 is a code owner

@Takaros999 Takaros999 Awaiting requested review from Takaros999 Takaros999 is a code owner

@Gr1dlock Gr1dlock Awaiting requested review from Gr1dlock Gr1dlock is a code owner

@murph murph Awaiting requested review from murph murph is a code owner

@chipp chipp Awaiting requested review from chipp chipp is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@soamdesai-tfh