
fix: add GPG secrets to validation job for artifact signing#26

Merged
aneojgurhem merged 1 commit into main from fix_release_pipeline on Nov 24, 2025

Conversation


@camory camory commented Nov 24, 2025

Motivation

The release workflow is currently failing at the "Verify build" step with GPG signing errors:

gpg: no default secret key: No secret key
gpg: signing failed: No secret key

This prevents validation of the release build and blocks the release process.

Description

Root Cause

The ci-release Maven profile activates GPG signing via the maven-gpg-plugin during the verify phase:

./mvnw -B -ntp -Pci-release verify

The setup-java action requires environment variables to configure GPG signing:

- name: Set up Temurin JDK 17
  uses: actions/setup-java@v4
  with:
    gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
    gpg-passphrase: MAVEN_GPG_PASSPHRASE  # Looks for $MAVEN_GPG_PASSPHRASE environment variable
    server-username: MAVEN_USERNAME       # Looks for $MAVEN_USERNAME environment variable
    server-password: MAVEN_PASSWORD       # Looks for $MAVEN_PASSWORD environment variable

Previous State

The validate-modules job did not set these environment variables, so:

  1. setup-java couldn't find MAVEN_GPG_PASSPHRASE in the environment
  2. GPG signing failed with "No secret key" error
  3. The verify step failed, blocking the release

The publish-modules job had these variables set at the step level, which is inefficient and error-prone.

Solution

Add environment variables at the job level in both jobs:

validate-modules Job

validate-modules:
  runs-on: ubuntu-latest
  needs: extract-version
  
  env:
    MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSWORD }}

  steps:
    - name: Set up Temurin JDK 17
      uses: actions/setup-java@v4
      with:
        distribution: temurin
        java-version: '17'
        cache: maven
        gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
        gpg-passphrase: MAVEN_GPG_PASSPHRASE

    - name: Verify build
      run: ./mvnw -B -ntp -Pci-release verify

publish-modules Job

publish-modules:
  runs-on: ubuntu-latest
  needs: [extract-version, validate-modules]
  
  env:
    MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSWORD }}
    MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
    MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}

  steps:
    - name: Set up Temurin JDK 17
      uses: actions/setup-java@v4
      with:
        distribution: temurin
        java-version: '17'
        cache: maven
        server-id: central
        server-username: MAVEN_USERNAME
        server-password: MAVEN_PASSWORD
        gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
        gpg-passphrase: MAVEN_GPG_PASSPHRASE

    - name: Deploy to Sonatype Central
      run: ./mvnw -B -ntp -Pci-release deploy -DskipTests

Changes Made

In validate-modules job:

  • Added env: block at job level with MAVEN_GPG_PASSPHRASE
  • Configured setup-java with gpg-private-key and gpg-passphrase
  • Removed redundant env: block from verify step (uses job-level env)

In publish-modules job:

  • Moved all environment variables from step level to job level
  • Added MAVEN_GPG_PASSPHRASE, MAVEN_USERNAME, MAVEN_PASSWORD at job level
  • Removed redundant env: blocks from individual steps

No changes to:

  • Maven POM files - No profile changes needed
  • Build or deployment logic
  • Other jobs in the workflow

Testing

Expected CI Behavior

With this fix, the release workflow will:

  • Pass GPG signing during validation with proper credentials
  • Pass build verification with signed artifacts
  • Sign artifacts during both validation and deployment
  • Deploy signed artifacts to Maven Central
  • Catch GPG configuration issues early in the validation phase
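The variable-name contract the description relies on (setup-java's gpg-passphrase input names an environment variable, which the job must then define) can be checked mechanically before a workflow is merged. The following is an added example, not code from this PR or the project: a small line-based scan over constructed before/after fragments modelled on the PR's "previous state" and its fix, which flags a gpg-passphrase value that is not a bare variable name or that no env: block in the job defines.

```python
import re
# Constructed workflow fragment modelled on the PR's "previous state" (not the project's real file).
BROKEN = """\
jobs:
  validate-modules:
    steps:
      - uses: actions/setup-java@v4
        with:
          gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
          gpg-passphrase: MAVEN_GPG_PASSPHRASE
      - run: ./mvnw -B -ntp -Pci-release verify
"""
# The same job after the PR's fix: the variable is defined in a job-level env: block.
FIXED = BROKEN.replace("    steps:", "    env:\n      MAVEN_GPG_PASSPHRASE: "
                       "${{ secrets.GPG_SIGNING_KEY_PASSWORD }}\n    steps:")
KV_RE = re.compile(r"^\s*(?:- )?([A-Za-z0-9_-]+):\s*(.*?)\s*$")   # "key: value" / "- key: value"
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")                   # a bare environment variable name

def check_gpg_wiring(workflow: str) -> list:
    """Return (job, problem) pairs where setup-java's gpg-passphrase input is mis-wired: it must
    NAME an env var that some env: block of the job defines. Line scan, not a full YAML parser."""
    jobs, job, in_jobs, env_indent = {}, None, False, None
    for line in filter(str.strip, workflow.splitlines()):          # skip blank lines
        indent = len(line) - len(line.lstrip(" "))
        if env_indent is not None and indent <= env_indent:
            env_indent = None                                      # left the env: block
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if indent == 0:                                            # top-level key
            in_jobs, job = key == "jobs", None
        elif in_jobs and indent == 2:                              # a job id
            job, jobs[key] = key, {"env": set(), "passphrase": None}
        elif job is None:
            continue
        elif env_indent is not None:
            jobs[job]["env"].add(key)                              # variable defined by env:
        elif key == "env" and value == "":
            env_indent = indent
        elif key == "gpg-passphrase":
            jobs[job]["passphrase"] = value
    findings = []
    for name, info in jobs.items():
        p = info["passphrase"]                                     # None: job does not sign
        if p is not None and not NAME_RE.fullmatch(p):
            findings.append((name, f"gpg-passphrase must be an env var name, got {p}"))
        elif p is not None and p not in info["env"]:
            findings.append((name, f"gpg-passphrase names {p} but no env: block defines it"))
    return findings
```

Run against the real workflow file, an empty list means every signing job both names a variable and defines it; the BROKEN fragment reproduces the "No secret key" situation, and substituting the secret expression for the name is reported as the other failure mode.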

Comment on lines +30 to +31
env:
MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSWORD }}
Contributor


Suggested change
env:
MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSWORD }}

java-version: '17'
cache: maven
gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
gpg-passphrase: MAVEN_GPG_PASSPHRASE
Contributor


Suggested change
gpg-passphrase: MAVEN_GPG_PASSPHRASE
gpg-passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSWORD }}
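Review bot: the suggested replacement passes the secret expression itself to gpg-passphrase, but that input takes the name of an environment variable, as the PR description's own snippet notes ("Looks for $MAVEN_GPG_PASSPHRASE environment variable"); keep `gpg-passphrase: MAVEN_GPG_PASSPHRASE` and define `MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSWORD }}` in the job-level env: block, which is what the fix does.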

@camory camory force-pushed the fix_release_pipeline branch from eaedfa0 to b5ef2d1 Compare November 24, 2025 14:09
@aneojgurhem aneojgurhem merged commit be41a90 into main Nov 24, 2025
3 checks passed
@aneojgurhem aneojgurhem deleted the fix_release_pipeline branch November 24, 2025 14:12