@pnacht Thank you for the PR! I'll need to have another and hope to do that soon.

One quick question: have I asked for CLA yet? If not, I'd need this:

https://github.com/FasterXML/jackson/blob/master/contributor-agreement.pdf

before first merge (but only once, good for all future contributions, PRs etc).
The usual way is to print it, fill & sign, scan/photo, email to info at fasterxml dot com.

Looking forward to merging this!

Ok, thank you again @pnacht. Aside from CLA (which I'll need) things make sense.

There are 2 things, one smaller, one bigger that I am not sure about.

Both are related to publishing of Release Candidates (current version numbering scheme being "2.15.0-rc1" etc -- apparently many Maven tools do not recognize prX which I'd personally prefer -- and OSGi mandated "2.15.0.rc1" is apparently also problematic for other tools... so this is by process of elimination).

So: I do need to publish these too, but would the idea be that I would just use the old method of using Maven release plugin outside of SLSA workflow? That'd be fine for me but not sure if that makes sense or not: maybe provenance aspects are important for (pre-) Release Candidates too, if we are to get users to test them?

Aside from that I was wondering if tags to consider should be opt-in rather than opt-out?
Format for valid version numbers is [\d\.\d\d?\.\d\d?] but I guess there's the "jackson-core-" prefix that release plugin adds. Or maybe GH Action that does tagging uses just version number?
But basically it might be easier and more reliable to indicate what is a valid version number, instead of trying to rule out known "not a version to release" versions?

Ah, I hadn't noticed that the RCs are actually published to Maven! I thought they were only used to test deployment to the Sonatype Nexus Staging area.

As is, the workflow rejects RCs (tags: - "!*-rc*"), but that can be removed easily enough.

Provenance is as relevant for RCs as for regular releases, and as far as I'm aware, there's no reason not to add it to RCs once the infrastructure has been set up.

As for the tag names, I can certainly make the filter more specific and validate it (^jackson-core-\d+\.\d+\.\d+(-rc\d*)?$).

What do you think?

Also, what should I do about the server-id parameter? It's currently set to sonatype-nexus-snapshots, which I assume isn't the right place for actual releases.

@pnacht Right, release candidates are indeed pushed to MC as that makes it easier for developers to test them. Having to use, say, SNAPSHOT builds means very few developers help with pre-release candidates (based on my experience).
Improvement to tag name validation sounds good.

On server-id: this must be due to default main.yml only publishing -SNAPSHOT builds so sonatype-nexus-snapshot would indeed be the right target. For releases I think I have locally sonatype-nexus-staging which is where actual release go I think. Settings come via parent poms, ultimately from fom.fasterxml:oss-parent.

Gotcha.

One clarification for someone not fluent in Maven: will the parent pom (up to oss-parent) be fetched automatically? That is, can I simply set server-id: sonatype-nexus-staging and it'll figure it out? Or do I need to make some other changes to mimic your local setup in the CI?

Gotcha.

One clarification for someone not fluent in Maven: will the parent pom (up to oss-parent) be fetched automatically? That is, can I simply set server-id: sonatype-nexus-staging and it'll figure it out? Or do I need to make some other changes to mimic your local setup in the CI?

Sorry, missed this question. Yes, parent pom settings are inherited so you can just refer to that value.

Sorry for the delay, but I've just made the requested changes. The workflow now uses server-id: sonatype-nexus-staging and validates that the version tag follows the Release Plugin's "jackson-core-1.2.3(-rc1)?" format.

Ok great @pnacht !

Just one question: looks like this runs for all tags, but validation step will fail for non-compliant tags: is this correct?
If so that's perfect: we only want to stage releases with compliant version tags.

Aside from that all I need is the CLA as per my earlier note, and then I can merge this PR.

Just one question: looks like this runs for all tags, but validation step will fail for non-compliant tags: is this correct? If so that's perfect: we only want to stage releases with compliant version tags.

That's correct, the workflow only progresses past the first step if the tag name is compliant with the standard Release Plugin format.

And if a compliant tag is pushed but lacks the release.properties file (created by release:prepare and momentarily committed via the changes done in release.sh), then the release will fail at the release step, since release:perform requires it.

For examples, see these workflow runs on my fork:

• invalid tag jackson-core-2.99.a fails on the validation step: https://github.com/pnacht/jackson-core/actions/runs/4127674885/jobs/7131171912
• valid tag jackson-core-2.99.9-rc3 created incorrectly (without using release.sh) fails on the release step because it can't find the information found in release.properties: https://github.com/pnacht/jackson-core/actions/runs/4127666421/jobs/7131153253
• valid tag jackson-core-2.99.2 created correctly builds correctly and only fails because I don't have a GPG signature on my fork. I assume that if all the required secrets were set, it would succeed.

Aside from that all I need is the CLA as per my earlier note, and then I can merge this PR.

Slipped my mind! Just sent it over.