Secrets

To publish to Sonatype/Maven Central you must obtain and install the following secrets on your repository: SONATYPE_USERNAME, SONATYPE_PASSWORD and PGP_SECRET.

Note that PGP_PASSPHRASE is not required for publishing with sbt-typelevel, although it is supported if you already have a passphrase-protected key.

The instructions provided here are adapted from sbt/sbt-ci-release and @SystemFw/base.g8.

Sonatype Credentials

If this is your first time publishing, first follow the Initial Setup directions in Sonatype's Publishing Guide to create an account and request publishing rights for your domain name. If you do not have a domain, you may use io.github.your_gh_handle as your Group Id.

After you've been granted publishing rights for your domain, log in to either:

Then:

  1. Click your username in the top right, then click Profile
  2. In the drop-down menu in the top left, select User Token
  3. Click the Access User Token button to obtain your Sonatype credentials
  4. Set these as the SONATYPE_USERNAME and SONATYPE_PASSWORD secrets on your repository

PGP Key

Sonatype requires that all artifacts published to Central are cryptographically signed. sbt-typelevel automatically signs your artifacts in CI during publishing, but you must provide a secret key.

Option 1: Generate a key pair in your browser

You can use the following form to easily generate a key pair locally in your browser with OpenPGP.js.





Public key

Copy-paste and submit your public key to the Ubuntu key server.

Private key

Copy-paste and set your private key as the PGP_SECRET in your repository secrets.

That's it!

Option 2: Generate a key pair using GPG

First, follow the directions provided by Sonatype to generate a key pair and submit the public key to a key server.

Then, export your secret key with the following command and set it as the PGP_SECRET repository secret.

gpg --armor --export-secret-keys $LONG_ID | base64

If your key is passphrase-protected, you should also set the PGP_PASSPHRASE secret.
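A pre-flight check for the value produced by the export command above, as an added example that is not part of sbt-typelevel or the original instructions. The function names and return codes are this example's own, and the sample key is a constructed placeholder, not a real key.

```bash
#!/usr/bin/env bash
# Added example: check a candidate PGP_SECRET before storing it as a secret.

# Reads the candidate value on stdin. Returns:
#   0  base64 of an ASCII-armored private key block
#   1  not valid base64 (or empty)
#   2  decodes to a public key block (exported with --export by mistake)
#   3  decodes to something else (e.g. a binary, non-armored export)
check_pgp_secret() {
  local decoded first last
  # Strip whitespace so wrapped and unwrapped base64 are treated alike.
  decoded=$(tr -d ' \t\r\n' | base64 --decode 2>/dev/null) || return 1
  [ -n "$decoded" ] || return 1
  first=$(printf '%s\n' "$decoded" | sed -n '1p' | tr -d '\r')
  last=$(printf '%s\n' "$decoded" | sed -n '$p' | tr -d '\r')
  case "$first" in
    '-----BEGIN PGP PRIVATE KEY BLOCK-----') ;;
    '-----BEGIN PGP PUBLIC KEY BLOCK-----') return 2 ;;
    *) return 3 ;;
  esac
  [ "$last" = '-----END PGP PRIVATE KEY BLOCK-----' ] || return 3
  return 0
}

# Constructed sample (placeholder body, not a real key) shaped like the
# output of: gpg --armor --export-secret-keys $LONG_ID | base64
# $1 is PRIVATE or PUBLIC.
sample_secret() {
  printf '%s\n' "-----BEGIN PGP $1 KEY BLOCK-----" '' 'Q09OU1RSVUNURUQ=' \
    "-----END PGP $1 KEY BLOCK-----" | base64
}

if sample_secret PRIVATE | check_pgp_secret; then
  echo "sample has the shape of an armored private key export"
fi
```

Pipe the output of the export command into check_pgp_secret before setting the repository secret; it checks only the shape of the value, not whether the key itself is valid.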

Scripted Setup

If you'd rather use 1Password to store your keys, instead of a GPG keyring, Brian Holt has written a script that will generate a GPG keypair and write the necessary secrets to your GitHub repository. After installing the 1Password and GitHub CLIs, download the script and modify the bash variables within to reflect your configuration.

In order for the script to pull your Sonatype access token from 1Password, add a new 1Password entry for the Sonatype user. (The name of this 1Password entry goes in the PUBLISHING_USER environment variable in the script.) In this entry, add a new section named "User Token" with username and password fields populated with the values from Sonatype's Access User Token.