ensure BOM is signed and SBOMs get published

bodewig · bodewig · commit 817678174999 · 2025-04-26T09:21:10.000+02:00
diff --git a/pom.xml b/pom.xml
@@ -55,6 +55,7 @@
     <maven.shade.plugin.version>3.6.0</maven.shade.plugin.version>
     <maven.source.plugin.version>3.3.1</maven.source.plugin.version>
     <maven.surefire.plugin.version>2.22.2</maven.surefire.plugin.version>
+    <maven.central.publishing.plugin>0.7.0</maven.central.publishing.plugin>
 
     <!-- Dependencies: Test -->
     <hamcrest.version>1.3</hamcrest.version>
@@ -499,7 +500,7 @@
           <plugin>
             <groupId>org.sonatype.central</groupId>
             <artifactId>central-publishing-maven-plugin</artifactId>
-            <version>0.7.0</version>
+            <version>${maven.central.publishing.plugin}</version>
             <extensions>true</extensions>
             <configuration>
               <publishingServerId>sonatype-central</publishingServerId>
@@ -566,6 +567,7 @@
             <configuration>
               <outputFormat>all</outputFormat>
               <outputName>${project.artifactId}-${project.version}-cyclonedx</outputName>
+              <skipNotDeployed>false</skipNotDeployed>
             </configuration>
           </plugin>
         </plugins>
diff --git a/xmlunit-bom/pom.xml b/xmlunit-bom/pom.xml
@@ -23,6 +23,11 @@
   <description>Bill of Materials (BOM) for XMLUnit</description>
   <url>https://www.xmlunit.org/</url>
 
+  <properties>
+    <maven.gpg.plugin.version>3.2.7</maven.gpg.plugin.version>
+    <maven.central.publishing.plugin>0.7.0</maven.central.publishing.plugin>
+  </properties>
+
   <inceptionYear>2001</inceptionYear>
 
   <licenses>
@@ -116,12 +121,26 @@
           <plugin>
             <groupId>org.sonatype.central</groupId>
             <artifactId>central-publishing-maven-plugin</artifactId>
-            <version>0.7.0</version>
+            <version>${maven.central.publishing.plugin}</version>
             <extensions>true</extensions>
             <configuration>
               <publishingServerId>sonatype-central</publishingServerId>
             </configuration>
           </plugin>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-gpg-plugin</artifactId>
+            <version>${maven.gpg.plugin.version}</version>
+            <executions>
+              <execution>
+                <id>sign-artifacts</id>
+                <phase>verify</phase>
+                <goals>
+                  <goal>sign</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
         </plugins>
       </build>
     </profile>
