duncdrum
diff --git a/‎.github/actions/install-mvnd/action.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/install-mvnd/action.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/maven-github-settings/action.yml‎
Lines changed: 27 additions & 3 deletions b/‎.github/actions/maven-github-settings/action.yml‎
Lines changed: 27 additions & 3 deletions
diff --git a/‎.github/workflows/ci-container.yml‎
Lines changed: 38 additions & 10 deletions b/‎.github/workflows/ci-container.yml‎
Lines changed: 38 additions & 10 deletions
diff --git a/‎.github/workflows/ci-release-prepare.yml‎
Lines changed: 63 additions & 0 deletions b/‎.github/workflows/ci-release-prepare.yml‎
Lines changed: 63 additions & 0 deletions
@@ -4,7 +4,7 @@ inputs:
   version:
     description: 'The version of the Maven Daemon to install'
     required: true
-    default: '1.0.3'
+    default: '1.0.6'
   file-version-suffix:
     description: 'A suffix to append to the version of the download file of Maven Daemon to install'
     required: false
 
@@ -1,19 +1,43 @@
-# Creates Maven settings.xml with auth for the eXist-db org's GitHub Packages repos.
+# Creates Maven settings.xml with auth for the eXist-db org's GitHub Packages repos
+# and optionally for Sonatype Central Portal publishing.
 # Required for resolving artifacts from maven.pkg.github.com/eXist-db/{exist, exist-xqts-runner, jackrabbit-webdav-jakarta}.
 name: Maven GitHub Packages settings
-description: Create settings.xml with github, github-xqts-runner, and github-jackrabbit-webdav-jakarta servers
+description: Create settings.xml with GitHub Packages and (optionally) Sonatype Central Portal servers
 inputs:
   token:
     description: 'GitHub token for package authentication'
     required: true
+  central-token-username:
+    description: 'Sonatype Central Portal user token username (release jobs only)'
+    required: false
+    default: ''
+  central-token-password:
+    description: 'Sonatype Central Portal user token password (release jobs only)'
+    required: false
+    default: ''
 runs:
   using: 'composite'
   steps:
     - name: Create Maven settings for GitHub Packages
       shell: bash
+      env:
+        CENTRAL_TOKEN_USERNAME: ${{ inputs.central-token-username }}
+        CENTRAL_TOKEN_PASSWORD: ${{ inputs.central-token-password }}
       run: |
         mkdir -p ~/.m2
         OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
+
+        # Build optional Central Portal server block
+        CENTRAL_SERVER=""
+        if [ -n "$CENTRAL_TOKEN_USERNAME" ]; then
+          CENTRAL_SERVER="
+            <server>
+              <id>central</id>
+              <username>${CENTRAL_TOKEN_USERNAME}</username>
+              <password>${CENTRAL_TOKEN_PASSWORD}</password>
+            </server>"
+        fi
+
         cat > ~/.m2/settings.xml << EOF
         <settings xmlns="http://maven.apache.org/SETTINGS/1.2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 https://maven.apache.org/xsd/settings-1.2.0.xsd">
           <servers>
@@ -31,7 +55,7 @@ runs:
               <id>github-jackrabbit-webdav-jakarta</id>
               <username>${OWNER}</username>
               <password>${{ inputs.token }}</password>
-            </server>
+            </server>${CENTRAL_SERVER}
           </servers>
         </settings>
         EOF
@@ -1,6 +1,11 @@
 name: Publish Container
 on:
   push:
+    branches:
+      - develop
+      - master
+    tags:
+      - 'eXist-*'
   pull_request:
   schedule:
       - cron: "0 6 * * *"
@@ -11,8 +16,13 @@ jobs:
     name: Test and Publish Container Images
     runs-on: ubuntu-latest
     timeout-minutes: 60
-    # NOTE (DP): Publish on develop and master, test on PRs against these
-    if: github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master' || github.base_ref ==  'develop' || github.base_ref ==  'master'
+    # Publish on develop (latest) and eXist-* tags (versioned + release); test on PRs against these branches.
+    if: >
+      github.ref == 'refs/heads/develop' ||
+      github.ref == 'refs/heads/master' ||
+      startsWith(github.ref, 'refs/tags/eXist-') ||
+      github.base_ref == 'develop' ||
+      github.base_ref == 'master'
     steps:
       - uses: actions/checkout@v6
         with:
@@ -23,11 +33,11 @@ jobs:
           distribution: temurin
           java-version: '21'
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3  # v4
         with:
           platforms: linux/amd64,linux/arm64
       - name: Make buildkit default
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5  # v4
         id: buildx
       - uses: ./.github/actions/maven-cache
       - uses: ./.github/actions/maven-github-settings
@@ -43,7 +53,17 @@ jobs:
         timeout-minutes: 35
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: mvn -V -B --no-transfer-progress -q -Pdocker -DskipTests -Ddependency-check.skip=true -P !mac-dmg-on-unix,!installer,!concurrency-stress-tests,!micro-benchmarks,skip-build-dist-archives clean package
+        run: |
+          REVISION_ARG=""
+          if [[ "${{ github.ref }}" == refs/tags/eXist-* ]]; then
+            VERSION="${{ github.ref_name }}"
+            REVISION_ARG="-Drevision=${VERSION#eXist-}"
+          fi
+          mvn -V -B --no-transfer-progress -q \
+            -Pdocker,skip-build-dist-archives \
+            -DskipTests -Ddependency-check.skip=true \
+            $REVISION_ARG \
+            clean package
       - name: Check local images
         run: docker image ls
       - name: Check license headers
@@ -73,8 +93,6 @@ jobs:
           name: exist-core-failed-log
           path: exist.log
 
-      # NOTE (DP): When on master push release, when on develop push latest: Version is included automatically
-      # TODO (DP): Confirm that releases triggered from maven publish images with the non SNAPSHOT version
       - name: Publish latest images
         if: github.repository == 'eXist-db/exist' && github.ref == 'refs/heads/develop'
         env:
@@ -83,14 +101,24 @@ jobs:
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
         run: mvn --no-transfer-progress -q -Ddocker.tag=latest -Ddocker.username=$DOCKER_USERNAME -Ddocker.password=$DOCKER_PASSWORD docker:build docker:push
         working-directory: ./exist-docker
-      - name: Publish release images
-        if: github.repository == 'eXist-db/exist' && github.ref == 'refs/heads/master'
+
+      - name: Publish versioned release images
+        if: github.repository == 'eXist-db/exist' && startsWith(github.ref, 'refs/tags/eXist-')
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-        run: mvn --no-transfer-progress -q -Ddocker.tag=release -Ddocker.username=$DOCKER_USERNAME -Ddocker.password=$DOCKER_PASSWORD docker:build docker:push
+        run: |
+          VERSION="${{ github.ref_name }}"
+          VERSION="${VERSION#eXist-}"
+          mvn --no-transfer-progress -q \
+            -Drevision="$VERSION" \
+            -Ddocker.tag=release \
+            -Ddocker.username=$DOCKER_USERNAME \
+            -Ddocker.password=$DOCKER_PASSWORD \
+            docker:build docker:push
         working-directory: ./exist-docker
+
       # NOTE (DP): This is for debugging, publishes an experimental image from inside PRs against develop
       # - name: Publish experimental images
       #   if: github.base_ref == 'develop'
 
@@ -0,0 +1,63 @@
+name: Prepare Release
+
+# Replaces mvn release:prepare. Updates CITATION.cff, commits, creates the
+# annotated tag, and pushes — which then triggers ci-release.yml.
+#
+# Requires a fine-grained PAT (RELEASE_PAT) with contents:write on this repo.
+# GITHUB_TOKEN pushes do not trigger downstream tag workflows.
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release version (e.g. 7.0.0)'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+
+jobs:
+  prepare:
+    name: Prepare eXist-${{ inputs.version }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          # PAT required so the tag push triggers ci-release.yml.
+          # GITHUB_TOKEN pushes are intentionally blocked from triggering workflows.
+          token: ${{ secrets.RELEASE_PAT }}
+
+      - uses: actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: '21'
+
+      - uses: ./.github/actions/maven-cache
+
+      - uses: ./.github/actions/maven-github-settings
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update CITATION.cff
+        run: |
+          mvn -B --no-transfer-progress \
+            -Pcitation-release-metadata \
+            -DupdateCff=true \
+            -Drevision=${{ inputs.version }} \
+            validate
+
+      - name: Commit and tag
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add CITATION.cff
+          # Only commit if CITATION.cff actually changed
+          git diff --staged --quiet || \
+            git commit -m "[release] Prepare eXist-${{ inputs.version }}"
+          git tag -a "eXist-${{ inputs.version }}" \
+            -m "eXist-db ${{ inputs.version }}"
+          git push origin HEAD
+          git push origin "eXist-${{ inputs.version }}"