Add SNAPSHOT publishing to Maven Central

[guizmaii]

Summary

This PR adds automatic SNAPSHOT publishing to Maven Central's snapshots repository when commits are pushed to the main branch.

Key insight: Unlike release publishing, SNAPSHOT publishing does NOT require GPG signatures or validation (announced by Sonatype in January 2025). This makes the implementation much simpler - we can use standard mvn deploy:deploy-file instead of the bundle-based Central Publisher API.

Changes

1. scripts/jdbc_maven_deploy_snapshot.py - New script that uses Maven's deploy:deploy-file goal to upload pre-built JARs to https://central.sonatype.com/repository/maven-snapshots/

2. .github/workflows/Java.yml - Added maven-snapshot-deploy job that:

   • Runs only on pushes to main branch (not PRs, not tags)
   • Depends on all platform build jobs completing successfully
   • Uses existing MAVEN_USERNAME and MAVEN_PASSWORD secrets

How it works

• SNAPSHOT version includes the commit hash for traceability
  • e.g., v1.4.4.0 + commit abc1234 → 1.4.5.0-abc1234-SNAPSHOT
• Uses mvn deploy:deploy-file which handles:
  • Timestamped SNAPSHOT versioning
  • Checksum generation
  • Proper Maven metadata updates
• No GPG signing required (SNAPSHOTs skip validation)
• Artifacts are cleaned up after 90 days per Sonatype policy

Usage

Once published, users can consume SNAPSHOTs by adding:

Maven:

<repository>
  <id>central-snapshots</id>
  <url>https://central.sonatype.com/repository/maven-snapshots/</url>
  <snapshots><enabled>true</enabled></snapshots>
</repository>

<dependency>
  <groupId>org.duckdb</groupId>
  <artifactId>duckdb_jdbc</artifactId>
  <version>1.4.5.0-abc1234-SNAPSHOT</version>
</dependency>

sbt:

resolvers += "Central Snapshots" at "https://central.sonatype.com/repository/maven-snapshots/"

libraryDependencies += "org.duckdb" % "duckdb_jdbc" % "1.4.5.0-abc1234-SNAPSHOT"

Available Classifiers

In addition to the main JAR, several classifier variants are published:

Classifier	Description
(none)	Fat JAR with natives for Linux, macOS, Windows (amd64 + arm64)
nolib	Java classes only, no native libraries bundled
linux_amd64	Linux x86_64 only
linux_arm64	Linux ARM64 only
linux_amd64_musl	Linux x86_64 (Alpine/musl)
linux_arm64_musl	Linux ARM64 (Alpine/musl)
macos_universal	macOS (Intel + Apple Silicon)
windows_amd64	Windows x86_64
windows_arm64	Windows ARM64

When to use each:

• Main JAR (no classifier): Default choice, works on all major platforms
• Architecture-specific: Smaller size when deploying to a known platform
• nolib: Custom native library management, unsupported platforms, or when natives are provided at infrastructure level

Example using nolib:

<dependency>
  <groupId>org.duckdb</groupId>
  <artifactId>duckdb_jdbc</artifactId>
  <version>1.4.5.0-abc1234-SNAPSHOT</version>
  <classifier>nolib</classifier>
</dependency>

Example using architecture-specific (sbt):

libraryDependencies += "org.duckdb" % "duckdb_jdbc" % "1.4.5.0-abc1234-SNAPSHOT" classifier "linux_amd64"

Test plan

• Verify the script runs correctly with test artifacts
• Confirm SNAPSHOT appears in Maven Central snapshots repository after merge

Closes #338

References

• Sonatype SNAPSHOT Publishing Guide
• SNAPSHOT Publishing Announcement (Jan 2025)

[staticlibs]

Hi, thanks for the PR! We may want to have it sharing some logic with the main publishing in future, but for now I think it would be better to keep it completely separate. Going to merge it now, lets look how it works from main. If you see some changes needed after the merge - feel free to file follow-up PRs!

[staticlibs]

The deploy is failing on Maven push step. Credentials are definitely correct as they were used for release publishing yesterday.

If you would like to investigate this - Sonatype provides pre-verified Maven accounts when logging into Sonatype Portal with a Github account. Such account won't be different in any way (except the groupId) from the Maven account used by DuckDB Labs.

[guizmaii]

Hi @staticlibs!

Thanks for merging the PR!

I investigated the 403 Forbidden error and I suspect SNAPSHOT publishing might not be enabled yet for the org.duckdb namespace on the Sonatype Central Portal.

According to the Sonatype documentation, SNAPSHOT publishing requires explicit enablement per namespace, separate from regular release publishing.

Could you check if this is the case? Here's how to verify and enable it:

1. Go to https://central.sonatype.com/publishing/namespaces
2. Find org.duckdb in the list
3. If there's no "SNAPSHOTs enabled" badge on the namespace, click the dropdown menu (three dots) on the right side of the row
4. Select "Enable SNAPSHOTs"
5. Click "Confirm" in the popup dialog

Once enabled, the CI job should succeed on the next push to main.

Let me know if it turns out to be something else - happy to investigate further!

[staticlibs]

@guizmaii

Thanks for the details! I think you might be correct. While the snapshots were enabled there before, they well may have been auto-disabled when the publishing changes were applied by Sonatype back in August.

Unfortunately I don't have the direct access to the Sonatype account (only board members have), I raised this internally and will comment here when have an update on this.

[guizmaii]

@staticlibs Any chance to get it fixed today?

[staticlibs]

Any chance to get it fixed today?

No, I don't think so, I will comment here if I have new info.