Folders and files

Sep 19, 2024
Jan 3, 2025
Mar 7, 2024
Sep 19, 2024
Mar 6, 2020
May 31, 2024
Jan 11, 2025
Jan 11, 2025
Oct 25, 2024
Feb 2, 2017
Jun 16, 2018
May 18, 2015
Jan 23, 2025
Jan 14, 2022
Jan 14, 2022
Mar 20, 2025
Sep 19, 2024

Build Status

PMD build tools

Artifact containing configuration data and scripts to build and release pmd/pmd from source.

Note: This project does not use semantic versioning.


Ubuntu Linux based, same as github actions runner, see Runner Images. It can be used to test the scripts and perform the builds without github actions.

Once build the docker container:

$ docker build \
    --tag pmd-build-env \

This is only needed once. This builds the image, from which new containers can be started. A new image needs to be created, if e.g. ubuntu is to be updated or any other program.

Then run the container, mounting in the pmd-build-tools repo as a volume:

$ docker run \
    --interactive \
    --tty \
    --name pmd-build-env \
    --mount type=bind,source="$(pwd)",target=/workspaces/pmd/build-tools \

You're now in a shell inside the container. You can start a second shell in the same container:

$ docker exec \
    --interactive \
    --tty pmd-build-env \
    /bin/bash --login

The container is stopped, if the first shell is exited. To start the same container again:

$ docker start \
    --interactive \

To list the running and stopped containers:

$ docker ps \
    --all \
    --filter name=pmd-build-env

If not needed anymore, you can destroy the container:

$ docker rm pmd-build-env



Scripts are stored in scripts subfolder. There are two types:

  1. Shell scripts to be executed as programs. The extension is ".sh".
  2. Library functions to be included by those scripts. The extension is ".bash" and they are located in scripts/inc.

All scripts are bash scripts.

The shell scripts might depend on one or more library scripts. They need to fetch their dependencies before doing any work. This is always done in the function "fetch_ci_scripts()". The global variable PMD_CI_SCRIPTS_URL is used as the base url to fetch the scripts.

Library functions may depend on other library functions as well.

Namespaces: Exported global variables use the prefix PMD_CI_. Functions of a library use the same common prefix starting with pmd_ci_ followed by the library name, followed by the actual function name.

Use shellcheck to verify the scripts.



Little helper script to download dependencies.

The only function is fetch_ci_scripts.

Use it in other scripts like this:

# shellcheck source=inc/fetch_ci_scripts.bash
source "$(dirname "$0")/inc/fetch_ci_scripts.bash" && fetch_ci_scripts

# other parts of your script

That's the only script, that needs to be copied and existing before. Only with this script, the other scripts can be fetched as needed.

Used global vars:


Namespace: pmd_ci_log


  • pmd_ci_log_error
  • pmd_ci_log_info
  • pmd_ci_log_success
  • pmd_ci_log_debug



Used global vars:

  • PMD_CI_DEBUG: true|false.


Namespace: pmd_ci_utils


  • pmd_ci_utils_get_os: returns one of "linux", "macos", "windows"
  • pmd_ci_utils_determine_build_env. Sets many variables, e.g. GITHUB_BASE_URL, PMD_CI_IS_FORK, ...
  • pmd_ci_utils_is_fork_or_pull_request
  • pmd_ci_utils_fetch_ci_file

Used global vars:

Test with: bash -c "source inc/utils.bash; pmd_ci_utils_get_os" $(pwd)/


Namespace: pmd_ci_openjdk


  • pmd_ci_openjdk_install_adoptium. Usage e.g. pmd_ci_openjdk_install_adoptium 11 Supports also EA builds, e.g. pmd_ci_openjdk_install_adoptium 16-ea
  • pmd_ci_openjdk_install_zuluopenjdk. Usage e.g. pmd_ci_openjdk_install_zuluopenjdk 7
  • pmd_ci_openjdk_setdefault. Usage e.g. pmd_ci_openjdk_setdefault 11

Test with: bash -c "source inc/openjdk.bash; pmd_ci_openjdk_install_adoptium 11" $(pwd)/


Namespace: pmd_ci_gh_releases


  • pmd_ci_gh_releases_createDraftRelease
  • pmd_ci_gh_releases_getLatestDraftRelease
  • pmd_ci_gh_releases_deleteRelease
  • pmd_ci_gh_releases_getIdFromData
  • pmd_ci_gh_releases_getTagNameFromData
  • pmd_ci_gh_releases_uploadAsset
  • pmd_ci_gh_releases_updateRelease
  • pmd_ci_gh_releases_publishRelease

Used global vars:

  • GITHUB_TOKEN - this is the default github actions token

Test with:

bash -c 'set -x ; \
         export GITHUB_TOKEN=.... ; \
         export GITHUB_BASE_URL= ; \
         export PMD_CI_DEBUG=false ; \
         source inc/github-releases-api.bash ; \
         pmd_ci_gh_releases_createDraftRelease "pmd_releases/6.30.0" "d2e4fb4ca370e7d5612dcc96fb74c29767a7671e" ; \
         sleep 1; \
         pmd_ci_gh_releases_getLatestDraftRelease ; \
         export therelease="$RESULT" ; \
         pmd_ci_gh_releases_uploadAsset "$therelease" "inc/github-releases-api.bash"
         export body='\''the body \
         line2'\'' ; \
         pmd_ci_gh_releases_updateRelease "$therelease" "test release" "$body" ; \
         #pmd_ci_gh_releases_deleteRelease "$therelease" ; \
         #pmd_ci_gh_releases_publishRelease "$therelease" ; \
         ' $(pwd)/


Namespace: pmd_ci_setup_secrets


  • pmd_ci_setup_secrets_private_env
  • pmd_ci_setup_secrets_gpg_key
  • pmd_ci_setup_secrets_ssh

Used global vars:

  • PMD_CI_SECRET_PASSPHRASE: This is provided as a github secret (PMD_CI_SECRET_PASSPHRASE: ${{ secrets.PMD_CI_SECRET_PASSPHRASE }}) in github actions workflow. It is used to decrypt further secrets used by other scripts (github releases api, ...)
  • PMD_CI_GPG_PRIVATE_KEY: The exported private key used for release signing, provided as a secret (PMD_CI_GPG_PRIVATE_KEY: ${{ secrets.PMD_CI_GPG_PRIVATE_KEY }}) in github actions workflow.

Test with:

bash -c 'set -e; \
         export PMD_CI_SECRET_PASSPHRASE=.... ; \
         export PMD_CI_GPG_PRIVATE_KEY=.... ; \
         export PMD_CI_DEBUG=false ; \
         source inc/setup-secrets.bash ; \
         pmd_ci_setup_secrets_private_env ; \
         pmd_ci_setup_secrets_gpg_key ; \
         pmd_ci_setup_secrets_ssh ; \
         # env # warning: prints out the passwords in clear! ; \
         ' $(pwd)/


Namespace: pmd_ci_sourceforge


  • pmd_ci_sourceforge_uploadReleaseNotes
  • pmd_ci_sourceforge_uploadFile
  • pmd_ci_sourceforge_selectDefault
  • pmd_ci_sourceforge_rsyncSnapshotDocumentation
  • pmd_ci_sourceforge_createDraftBlogPost
  • pmd_ci_sourceforge_publishBlogPost

Used global vars:


Test with:

bash -c 'set -e; \
         export PMD_CI_SECRET_PASSPHRASE=.... ; \
         export PMD_CI_DEBUG=false ; \
         source inc/setup-secrets.bash ; \
         source inc/sourceforge-api.bash ; \
         pmd_ci_setup_secrets_private_env ; \
         #pmd_ci_setup_secrets_gpg_key ; \
         pmd_ci_setup_secrets_ssh ; \
         pmd_ci_sourceforge_uploadReleaseNotes "pmd/Release-Script-Test" "Testing release notes" ; \
         echo "test file" > "release-test-file.txt" ; \
         pmd_ci_sourceforge_uploadFile "pmd/Release-Script-Test" "release-test-file.txt" ; \
         rm "release-test-file.txt" ; \
         pmd_ci_sourceforge_selectDefault "Release-Script-Test" ; \
         mkdir -p "docs/pmd-doc-Release-Script-Test/" ; \
         echo "test-file" > "docs/pmd-doc-Release-Script-Test/release-test.txt" ; \
         pmd_ci_sourceforge_rsyncSnapshotDocumentation "Release-Script-Test" "test-Release-Script-Test" ; \
         rm "docs/pmd-doc-Release-Script-Test/release-test.txt"; rmdir "docs/pmd-doc-Release-Script-Test"; rmdir "docs" ; \
         pmd_ci_sourceforge_createDraftBlogPost "draft post 1" "text with labels" "label1,label2" ; \
         blog="${RESULT}" ; \
         echo "URL: ${blog}" ; \
         pmd_ci_sourceforge_createDraftBlogPost "draft post 2" "text without labels" ; \
         blog="${RESULT}" ; \
         echo "URL: ${blog}" ; \
         #pmd_ci_sourceforge_publishBlogPost "${blog}" ; \
         ' $(pwd)/

Note that "pmd_ci_sourceforge_selectDefault" won't be successful, because the file to be selected as default doesn't exist.

Don't forget to delete and after the test.

And also the created blog posts under


Namespace: pmd_ci_maven


  • pmd_ci_maven_setup_settings
  • pmd_ci_maven_get_project_version: exports PMD_CI_MAVEN_PROJECT_VERSION
  • pmd_ci_maven_get_project_name
  • pmd_ci_maven_verify_version
  • pmd_ci_maven_display_info_banner
  • pmd_ci_maven_isSnapshotBuild
  • pmd_ci_maven_isReleaseBuild

Used global vars:


Exported global vars:


Test with:

bash -c 'set -e; \
         export PMD_CI_SECRET_PASSPHRASE=.... ; \
         export PMD_CI_DEBUG=true ; \
         source inc/maven.bash ; \
         pmd_ci_maven_setup_settings ; \
         cd .. ; \
         pmd_ci_maven_get_project_version ; \
         echo "version: $RESULT" ; \
         pmd_ci_maven_get_project_name ; \
         echo "name: $RESULT" ; \
         PMD_CI_BRANCH="test-branch" ; \
         pmd_ci_maven_verify_version ; \
         unset PMD_CI_BRANCH ; \
         PMD_CI_TAG="test-tag" ; \
         PMD_CI_MAVEN_PROJECT_VERSION="1.2.3" ; \
         pmd_ci_maven_verify_version ; \
         pmd_ci_maven_display_info_banner ; \
         pmd_ci_maven_isReleaseBuild && echo "release build" ; \
         unset PMD_CI_TAG ; \
         PMD_CI_BRANCH="test-branch" ; \
         pmd_ci_maven_isSnapshotBuild && echo "snapshot build" ; \
         ' $(pwd)/


Namespace: pmd_ci_pmd_code


  • pmd_ci_pmd_code_uploadFile
  • pmd_ci_pmd_code_uploadZipAndExtract
  • pmd_ci_pmd_code_removeFolder
  • pmd_ci_pmd_code_createSymlink

Used global vars:

Test with:

bash -c 'set -e; \
         export PMD_CI_SECRET_PASSPHRASE=.... ; \
         export PMD_CI_DEBUG=true ; \
         source inc/setup-secrets.bash ; \
         source inc/pmd-code-api.bash ; \
         pmd_ci_setup_secrets_private_env ; \
         pmd_ci_setup_secrets_ssh ; \
         echo "test file" > "test-file-for-upload.txt" ; \
         zip "" "test-file-for-upload.txt" ; \
         pmd_ci_pmd_code_uploadFile "/httpdocs/test-folder" "test-file-for-upload.txt" ; \
         echo "test file" > "test-file-for-upload.txt" ; \
         pmd_ci_pmd_code_uploadZipAndExtract "/httpdocs/test-folder2" "" ; \
         rm "" "test-file-for-upload.txt" ; \
         pmd_ci_pmd_code_createSymlink "/httpdocs/test-folder" "/httpdocs/test-folder3" ; \
         pmd_ci_pmd_code_removeFolder "/httpdocs/test-folder" ; \
         pmd_ci_pmd_code_removeFolder "/httpdocs/test-folder2" ; \
         pmd_ci_pmd_code_removeFolder "/httpdocs/test-folder3" ; \
         ' $(pwd)/

Usage in github actions step:

- name: Setup Environment
  shell: bash
  run: |
    echo "LANG=en_US.UTF-8" >> $GITHUB_ENV
    echo "MAVEN_OPTS=-Dmaven.wagon.httpconnectionManager.ttlSeconds=180 -Dmaven.wagon.http.retryHandler.count=3" >> $GITHUB_ENV
- name: Check Environment
  shell: bash
  run: |; \
    mkdir -p .ci && \
    ( [ -e .ci/$f ] || curl -sSL "${PMD_CI_SCRIPTS_URL}/$f" > ".ci/$f" ) && \
    chmod 755 .ci/$f && \

The script exits with code 0, if everything is fine and with 1, if one or more problems have been detected. Thus it can fail the build.



This file contains the encrypted secrets used during the build, e.g. github tokens, passwords for sonatype, ...

It is encrypted with the password in PMD_CI_SECRET_PASSPHRASE.

Here's a template for the file:

# private-env
# encrypt:
# printenv PMD_CI_SECRET_PASSPHRASE | gpg --symmetric --cipher-algo AES256 --batch --armor --passphrase-fd 0 private-env
# decrypt:
# printenv PMD_CI_SECRET_PASSPHRASE | gpg --batch --decrypt --passphrase-fd 0 --output private-env private-env.asc


# CI_DEPLOY_USERNAME - the user which can upload net.sourceforge.pmd:* to

export PMD_SF_USER=...
export PMD_SF_APIKEY=...
# (blog, wiki, ...)

# The token can be configured here:
export SONAR_TOKEN=...

# when logged in, the token is display on that page

# for pmd-regression-tester
export GEM_HOST_API_KEY=...

# These are also in public-env:


Created with ssh-keygen -t ed25519 -C "ssh key for pmd. used for github actions to push to" -f pmd.github.io_deploy_key.


printenv PMD_CI_SECRET_PASSPHRASE | gpg --symmetric --cipher-algo AES256 --batch --armor \
  --passphrase-fd 0 \

The corresponding public key is here for convenience. It is configured as a deploy key for the repository with write access.

In order to use this key to push, you need to clone the repo with this url:


Created with ssh-keygen -t ed25519 -C "ssh key for pmd. used for github actions to push to pmd-eclipse-plugin-p2-site" -f pmd-eclipse-plugin-p2-site_deploy_key.


printenv PMD_CI_SECRET_PASSPHRASE | gpg --symmetric --cipher-algo AES256 --batch --armor \
  --passphrase-fd 0 \

The corresponding public key is here for convenience. It is configured as a deploy key for the repository pmd-eclipse-plugin-p2-site with write access.

In order to use this key to push, you need to clone the repo with this url:


Created with ssh-keygen -t ed25519 -C "ssh key for pmd. used for github actions push to" -f pmd-code.org_deploy_key.


printenv PMD_CI_SECRET_PASSPHRASE | gpg --symmetric --cipher-algo AES256 --batch --armor \
  --passphrase-fd 0 \

The corresponding public key is here for convenience. It is configured in ~/.ssh/authorized_keys on


Created with ssh-keygen -t ed25519 -C "ssh key for pmd. used for github actions push to" -f web.sourceforge.net_deploy_key.


printenv PMD_CI_SECRET_PASSPHRASE | gpg --symmetric --cipher-algo AES256 --batch --armor \
  --passphrase-fd 0 \

The corresponding public key is here for convenience. It is configured in for user "PMD_SF_USER" (see private-env) on sourceforge:

Note: The same key is used to push to "" as user "PMD_SF_USER".


It contains the credentials for uploading the artifacts to maven-central for the server ossrh. The actual configuration comes in via environment variables: CI_DEPLOY_USERNAME and CI_DEPLOY_PASSWORD.


To test a complete build (or run it manually), you can use the docker build-env. The script can simulate a Github Actions environment by setting up some specific environment variables. With these variables set, utils.bash/pmd_ci_utils_determine_build_env can figure out the needed information and utils.bash/pmd_ci_utils_is_fork_or_pull_request works.

Example session for a pull request:

pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ unset PMD_CI_SECRET_PASSPHRASE
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ export PMD_CI_SCRIPTS_URL=
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ eval $(~/ pull_request adangel/build-tools gh-actions-scripts)
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ .ci/

Example session for a forked build (a build executing on a forked repository):

pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ unset PMD_CI_SECRET_PASSPHRASE
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ export PMD_CI_SCRIPTS_URL=
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ eval $(~/ push adangel/build-tools gh-actions-scripts)
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ .ci/

Example session for a push build on the main repository:

pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ export PMD_CI_SECRET_PASSPHRASE=...
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ export PMD_CI_SCRIPTS_URL=
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ eval $(~/ push pmd/build-tools gh-actions-scripts)
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ .ci/

Example session for a release build on the main repository from tag "v1.0.0":

pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ export PMD_CI_SECRET_PASSPHRASE=...
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ export PMD_CI_SCRIPTS_URL=
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ eval $(~/ push pmd/build-tools refs/tags/v1.0.0)
pmd-ci@6cc27446ef02:~/workspaces/pmd/build-tools$ .ci/

Note, that sets up MAVEN_OPTS with -DskipRemoteStaging=true, so that no maven artifacts are deployed automatically. You need to remove this, if you really want to perform a release. Also note, that the property autoReleaseAfterClose is not configured and the default is false, so that you would need to manually publish the staging repo. See also the section below about "Nexus Staging Maven Plugin".


Release Signing Keys

Creating a new key

In general, a key created once should be reused. However, if the key is (potentially) compromised, a new key needs to be generated. A gpg key consists of a master key and one or more subkeys. The master key defines the identity (fingerpringt, key ID) and subkeys can be used for actual signing. The master key is then only used to create new subkeys or renew subkeys. For a more safe operation, the master key should be kept offline and only the subkeys should be used for signing. A Release Signing Key also doesn't need a subkey for encryption. In case a signing key gets compromised, the subkey can be revoked and a new key can be generated. But the master key still is safe.

Creating such a key is not straightforward, hence this how to (there are a couple of guides in the internet about best practices):

$ gpg --expert --full-generate-key
Please select what kind of key you want:
> 8 (RSA (set your own capabilities)
> S (Toggle Sign)
> E (Toggle Encrypt)
> Q
Current allowed actions: Certify
What keysize do you want?
> 4096
Please specify how long the key should be valid.
> 2y
Real name:
> PMD Release Signing Key
Email address:
pub   rsa4096 2025-01-04 [C] [expires: 2027-01-04]
uid                      PMD Release Signing Key <>

Then we create a subkey for signing:

$ gpg --edit-key 2EFA55D0785C31F956F2F87EA0B5CA1A4E086838
gpg> addkey
> 4 (RSA (sign only))
> 4096
> 2y
> save

Now let's publish the public key:

$ gpg --armor --export 2EFA55D0785C31F956F2F87EA0B5CA1A4E086838 | curl -T -
Key successfully uploaded. Proceed with verification here:

Export the key to upload it to gpg --armor --export 2EFA55D0785C31F956F2F87EA0B5CA1A4E086838 | wl-copy Also upload it to

Also export the (public) key into a file and add it to build-tools repo:

$ gpg --armor --export 2EFA55D0785C31F956F2F87EA0B5CA1A4E086838 > scripts/files/release-signing-key-2EFA55D0785C31F956F2F87EA0B5CA1A4E086838-public.asc

Verify the uploaded key (and expiration date):

gpg --show-keys release-signing-key-2EFA55D0785C31F956F2F87EA0B5CA1A4E086838-public.asc
curl '' | gpg --show-keys
curl '' | gpg --show-keys
curl '' | gpg --show-keys

Current Key

  • Used since January 2025
  • Fingerprint 2EFA 55D0 785C 31F9 56F2 F87E A0B5 CA1A 4E08 6838
  • Used for signing artifacts in Maven Central
$ gpg --list-keys --fingerprint 2EFA55D0785C31F956F2F87EA0B5CA1A4E086838
pub   rsa4096 2025-01-04 [C] [expires: 2027-01-04]
      2EFA 55D0 785C 31F9 56F2  F87E A0B5 CA1A 4E08 6838
uid           [ultimate] PMD Release Signing Key <>
sub   rsa4096 2025-01-04 [S] [expires: 2027-01-04]

The public key is available here:

Old keys

  • Fingerprint EBB2 41A5 45CB 17C8 7FAC B2EB D0BF 1D73 7C9A 1C22

    • Used until December 2024
    • Replaced as the passphrase has been compromised and therefore the key is potentially compromised. Note - as until now (January 2025) we don't have any indication that the key actually has been misused.
    • Revoked 2025-01-04.
    • see file release-signing-key-D0BF1D737C9A1C22-public.asc.
  • Fingerprint 94A5 2756 9CAF 7A47 AFCA BDE4 86D3 7ECA 8C2E 4C5B

    • Old key used to sign PMD Designer
    • Revoked 2025-01-04.

Private key

In order for GitHub Action to automatically sign the artifacts for snapshot builds and release builds, we need to make the private key along with the passphrase available. This is done using multiple secrets. The secrets are configured on the organization level of PMD, so that the Release Signing key is available for all repositories.

To not expose the master key, we only export the subkeys we use for signing and store this in the secret PMD_CI_GPG_PRIVATE_KEY.

For setting up, export the secret key and copy-paste it into a new secret:

gpg --armor --export-secret-subkeys 2EFA55D0785C31F956F2F87EA0B5CA1A4E086838 | wl-copy

(instead of wl-copy, use xclip or pbcopy, depending on your os).

This private key will be imported by the script setup-secrets.bash.

Note 1: We use option --export-secret-subkeys to only export the subkey and not the master key. That way, we don't need to transfer the master key.

Note 2: In order to use the key later on, the passphrase is needed. This is also setup as a secret: PMD_CI_GPG_PASSPHRASE. This secret is then exported as "MAVEN_GPG_PASSPHRASE" where needed (MAVEN_GPG_PASSPHRASE: ${{ secrets.PMD_CI_GPG_PASSPHRASE }}) in github actions workflows. See also

Note 3: The private key is now only secured by the passphrase. It is stored as a GitHub Actions secret and available in an environment variable. It is not anymore committed in this build-tools repository and is therefore not encrypted with another key (e.g. PMD_CI_SECRET_PASSPHRASE).

Updating the key

From time to time the key needs to be renewed, passphrase needs to be changed or a whole (sub)key needs to be replaced.

For renewing or changing the passphrase, import the private master key and public key into your local gpg keystore (if you don't have it already in your keyring) and renew it. Make sure to renew all subkeys. Then export the public key again.

For replacing, generate a new (sub) key, just export it.

You can verify the expiration date with gpg --fingerprint --list-key 2EFA55D0785C31F956F2F87EA0B5CA1A4E086838:

pub   rsa4096 2025-01-04 [C] [expires: 2027-01-04]
      2EFA 55D0 785C 31F9 56F2  F87E A0B5 CA1A 4E08 6838
uid           [ultimate] PMD Release Signing Key <>
sub   rsa4096 2025-01-04 [S] [expires: 2027-01-04]

Upload the exported public key to

Verify the uploaded key expiration date:

gpg --show-keys release-signing-key-2EFA55D0785C31F956F2F87EA0B5CA1A4E086838-public.asc
curl '' | gpg --show-keys
curl '' | gpg --show-keys
curl '' | gpg --show-keys

Don't forget to update the secret PMD_CI_GPG_PRIVATE_KEY with the renewed private signing subkey.

Nexus Staging Maven Plugin


This plugin is used, to upload maven artifacts to and eventually to maven central using the open source workflow by sonatype, see OSSRH Guide.

The plugin can be configured, see for some options.

Most important here are these:

  • skipRemoteStaging=true: Used during test runs of releases. This makes sure, the artifacts are only staged locally and never uploaded to

    Property: skipRemoteStaging

  • autoReleaseAfterClose=true: After all modules have been uploaded to the staging repository it is automatically closed (this can be controlled through skipStagingRepositoryClose but is the default behavior). And with autoReleaseAfterClose, the closed staging repository will be automatically released and published to maven central. This allows for fully automated releases.

    This property is set via MAVEN_OPTS in the workflow (build.yml). It is not set in the pom.xml as a plugin configuration directly in order to allow to override this setting from command line if needed (e.g. during release tests).

    Property: autoReleaseAfterClose

  • stagingProgressTimeoutMinutes=30: This increases the default timeout of 5 minutes to 30 minutes for interaction with The main PMD repo has a lot of modules and depending on the load of, the release of the staging repo might take a while.

    Property: stagingProgressTimeoutMinutes

After the staging repository has been released, it is eventually synced to maven central. The release won't appear here immediately but usually within 2 hours. You can check the current publish latency at

Remote debugging

Debugging remotely is possible with

Just add the following step into the job:

      - name: Setup tmate session
        uses: mxschmitt/action-tmate@v3

The workflow troubleshooting in PMD can be started manually, which already contains the tmate action.

Note: This is dangerous for push/pull builds on repositories of pmd itself, because these have access to the secrets and the SSH session is not protected. Builds triggered by pull requests from forked repositories don't have access to the secrets.

See also

Intermittent connection resets or timeouts while downloading dependencies from maven central

Root issue seems to be SNAT Configs in Azure, which closes long running idle TCP connections after 4 minutes.

The workaround is described in actions/virtual-environments#1499 and WAGON-545 and WAGON-486:

The setting -Dmaven.wagon.httpconnectionManager.ttlSeconds=180 -Dmaven.wagon.http.retryHandler.count=3 makes sure, that Maven doesn't try to use pooled connections that have been unused for more than 180 seconds. These settings are placed as environment variable MAVEN_OPTS in the workflow, so that they are active for all Maven executions (including builds done by regression tester).

Alternatively, pooling could be disabled completely via -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false. This has the consequence, that for each dependency, that is being downloaded, a new https connection is established.

More information about configuring this can be found at wagon-http.

Update: Since Maven 3.9.0, the native transport instead of wagon is used:

The Maven Resolver transport has changed from Wagon to “native HTTP”, see Resolver Transport guide.

Therefore, the property to configure the timeouts changed to -Daether.connector.http.connectionMaxTtl=180. Retry count is by default 3 and can be omitted. See for all available properties.

Note: This system property only works with Maven 3.9.2 or later!