Add maven-plugin to releases, update release instructions

.github/workflows/release-sigstore-java-from-tag.yaml

@@ -1,4 +1,4 @@
-name: Release sigstore-java to Maven Central
+name: Release sigstore-java and sigstore-maven-plugin to Maven Central
 on:
   workflow_dispatch:
   # user is expected to use a tag as the branch to run the action on
@@ -51,7 +51,7 @@ jobs:
 
       - name: Build, Sign and Release to Maven Central
         run: |
-          ./gradlew clean :sigstore-java:publishMavenJavaPublicationToSonatypeRepository -Prelease
+          ./gradlew clean :sigstore-java:publishMavenJavaPublicationToSonatypeRepository :sigstore-maven-plugin:publishMavenJavaPublicationToSonatypeRepository -Prelease
         env:
           ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_PRIVATE_KEY }}
           ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }}

RELEASING.md

@@ -1,46 +1,41 @@
 # Releasing
 
-At the moment, this release only the `sigstore-java` library
+Release is done on github. Do not release from your local machine.
 
-## Creating a release
-Use the action "Tag and Build Release" with the version (ex `0.5.3`) to create a new release on github. It will
-- tag `main` (or a branch) with `v0.5.3`
-- create a new release with name `v0.5.3` containing
-  - all `sigstore-java` artifacts
-  - a slsa attesation for the release build
+## Create a tag
 
-#### Reverting a failed release (Github only)
-If a release build fails for any reason or the resulting artifacts are not as expected, you must clean-up
-any tags or releases built during the action
-1. Delete the release from [Releases](https://github.com/sigstore/sigstore-java/releases)
-2. Delete the tag from [Tags](https://github.com/sigstore/sigstore-java/tags)
-
-## Building a release bundle for maven central
+Tag the release at the version you wish (ex `v0.5.3`), this *MUST* match the project version (`0.5.3`). See version info in [gradle.properties](gradle.properties).
 
-The local release script requires you to have `cosign` and `gpg` installed. It
-- downloads the latest release from github (ex `v0.5.3`)
-- signs all artifacts (except slsa attestation) with cosign
-- signs *everything* with gpg to satisfy maven central
-- bundles all the files into `sigstore-java-0.5.3-bundle.jar`
+## Release `sigstore-java` and `sigstore-maven-plugin`
 
-```
-$ cd ./scripts
-$ ./sign_and_bundle_release.sh
-```
+- Use the "Release sigstore-java and sigstore-maven-plugin to Maven Central" action against the tagged version `v0.5.3'. This action builds, signs and pushes the artifacts to Maven Central.
 
-## Releasing to maven central
+#### Complete the release on maven central
 
 Releasing to maven central is a **permanent** action, it cannot be reverted
 
-Upload the bundle:
-1. Log into [sonatype (s01)](https://s01.oss.sonatype.org)
-2. Click "Staging Upload" on the left navbar
-3. Set "Upload Mode" to "Artifact Bundle"
-4. Then select `sigstore-java-0.5.3-bundle.jar` that was generated by `sign_and_bundle_release.sh`
-5. Click "Upload Bundle"
-
 Release the bundle:
+1. Log into [sonatype (s01)](https://s01.oss.sonatype.org)
 1. Click "Staging Repositories" on the left navbar
-2. Select your artifact and ensure all checks have passed
-3. Click "release"
-4. If checks are failing, "drop" the bundle and fix the release process
+1. Select your artifact, "close" it to begin checks
+1. After all checks have passed, "release" it
+    1. If checks are failing, "drop" the bundle and fix the release process
+1. Releases show up on Maven Central roughly 1-2 hours after release
+
+## Release `sigstore-gradle-plugin` to Gradle Plugin Portal
+
+- Use the "Release sigstore gradle plugins to Gradle Plugin Portal" action against the tagged version `v0.5.3'. This action builds, signs and pushes the artifacts to the Gradle Plugin Portal
+- There is no follow up here, plugins are auto released on the plugin portal.## Reverting a failed release (Github only)
+
+If a release build fails for any reason or the resulting artifacts are not as expected, you must clean-up
+any tags or releases built during the action
+1. Delete the release from [Releases](https://github.com/sigstore/sigstore-java/releases)
+2. Delete the tag from [Tags](https://github.com/sigstore/sigstore-java/tags)
+
+### Maven Central
+
+You can try to contact support but typically releases are permanent.
+
+### Gradle Plugin Portal
+
+If you wish to revert a release, you must login to the portal using `sigstore-java-releasers` within 7 days to delete a release.

gradle.properties

@@ -3,7 +3,8 @@ org.gradle.jvmargs=-XX:MaxMetaspaceSize=768m
 systemProp.org.gradle.kotlin.dsl.precompiled.accessors.strict=true
 
 group=dev.sigstore
-# remember to also update 
+
+# remember to also update version in
 # - SigstoreSignExtension.kt
 # - build-logic/publishing/build.gradle.kts 
 version=0.11.0