Update pom.xml for release and add maven publishing workflow

[SanjulaGanepola]

Changes

• Add project info to pom.xml
• Add new plugins: maven-source-plugin, maven-javadoc-plugin, maven-gpg-plugin, nexus-staging-maven-plugin
• Add maven publishing workflow

TODO

• Setup on OSSRH
• Add the following repository secrets:
  • OSSRH_USERNAME
  • OSSRH_TOKEN
  • GPG_SECRET_KEY
  • GPG_PUBLIC_KEY
  • GPG_PASSPHRASE

@ThePrez The changes in this PR follow closely with what is done in the JTOpen repo. There were some slight differences based on what was explained on https://central.sonatype.org/publish/publish-guide

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 56706a7.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

pom.xml

Package	Version	License	Issue Type
org.sonatype.plugins:nexus-staging-maven-plugin	1.7.0	Null	Unknown License
org.apache.maven.plugins:maven-javadoc-plugin	3.8.0	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	🟢 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Packaging 🟢 10 packaging workflow detected Security-Policy 🟢 9 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 9 1 existing vulnerabilities detected
actions/actions/setup-java	4.*.*	🟢 6.4	Details Check Score Reason Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9 Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 9 security policy file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/upload-release-asset	1.*.*	🟢 3.8	Details Check Score Reason Code-Review 🟢 4 Found 5/12 approved changesets -- score normalized to 4 Maintained ⚠️ 0 project is archived CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Security-Policy 🟢 9 security policy file detected Vulnerabilities ⚠️ 0 48 existing vulnerabilities detected
actions/bruceadams/get-release	1.3.2	⚠️ 2.3	Details Check Score Reason Code-Review ⚠️ 1 Found 4/21 approved changesets -- score normalized to 1 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ -1 no workflows found Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ -1 No tokens found Pinned-Dependencies ⚠️ -1 no dependencies found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 3 7 existing vulnerabilities detected
maven/org.apache.maven.plugins:maven-gpg-plugin	3.2.5	Unknown	Unknown
maven/org.apache.maven.plugins:maven-javadoc-plugin	3.8.0	Unknown	Unknown
maven/org.apache.maven.plugins:maven-source-plugin	3.3.1	Unknown	Unknown
maven/org.sonatype.plugins:nexus-staging-maven-plugin	1.7.0	🟢 4	Details Check Score Reason Code-Review ⚠️ 1 Found 3/25 approved changesets -- score normalized to 1 Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow ⚠️ -1 no workflows found License ⚠️ 0 license file not detected Pinned-Dependencies ⚠️ -1 no dependencies found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Manifest Files

.github/workflows/release.yml

• actions/checkout@4.*.*
• actions/setup-java@4.*.*
• actions/upload-release-asset@1.*.*
• bruceadams/get-release@1.3.2

pom.xml

• org.apache.maven.plugins:maven-gpg-plugin@3.2.5
• org.apache.maven.plugins:maven-javadoc-plugin@3.8.0
• org.apache.maven.plugins:maven-source-plugin@3.3.1
• org.sonatype.plugins:nexus-staging-maven-plugin@1.7.0