Sign the artifact before deploying

justinabrahms · justinabrahms · commit 99d43eb6db24 · 2022-08-29T11:40:07.000-07:00
I believe that the pom change makes it come after the actual push-to-sonatype step
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -54,7 +54,7 @@ jobs:
         mvn -P gpg_verify \
           --no-transfer-progress \
           --batch-mode \
-          --file pom.xml -s release/m2-settings.xml verify deploy -Dversion.modifier=''
+          --file pom.xml -s release/m2-settings.xml verify sign deploy -Dversion.modifier=''
       env:
         OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
         OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
diff --git a/pom.xml b/pom.xml
@@ -289,15 +289,6 @@
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-gpg-plugin</artifactId>
         <version>1.5</version>
-        <executions>
-          <execution>
-            <id>sign-artifacts</id>
-            <!-- we only need to sign if we are deploying (publishing) -->
-            <phase>deploy</phase>
-            <goals>
-              <goal>sign</goal>
-            </goals>
-          </execution>
         </executions>
       </plugin>
       <!-- end sign -->
