Problem
The Maven Central release workflow imports MAVEN_GPG_PRIVATE_KEY and lists secret keys, but it does not explicitly
assert that a secret key was imported. GitHub Copilot flagged this on PR #71, and the finding still applies to the
current release workflow.
Intended outcome
- Keep the existing MAVEN_ secret names.
- Fail early when MAVEN_GPG_PRIVATE_KEY imports no secret key.
- Keep GPG diagnostics limited to public key metadata and avoid printing private material.
- Reply to the original Copilot thread with the fix evidence and resolve it when GitHub permits resolution.
Validation
- Verify the preflight fails for public-key-only input.
- Verify the preflight passes for a generated test secret key.
- Run the normal PR CI.
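
One way to implement the preflight described above, as an added example rather than the project's own workflow code. The function names and the sample listing are constructed for illustration, and it assumes the job runs with a fresh GNUPGHOME, so any secret key listed came from this import.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the project's workflow.

# Count primary secret-key ("sec") records in `gpg --with-colons` output on stdin.
count_secret_keys() {
  awk -F: '$1 == "sec" { n++ } END { print n + 0 }'
}

# Print public metadata only: key id, primary fingerprint and user ids.
public_metadata() {
  awk -F: '
    $1 == "sec" { print "key id: " $5; want_fpr = 1 }
    $1 == "ssb" { want_fpr = 0 }
    $1 == "fpr" && want_fpr { print "fingerprint: " $10; want_fpr = 0 }
    $1 == "uid" { print "user id: " $10 }'
}

# Constructed colon listing (not real key data) for trying the parsers offline.
sample_listing() {
  cat <<'EOF'
sec:u:255:22:AAAABBBBCCCCDDDD:1700000000:::u:::scESC:::+:::ed25519:::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Release Bot <release@example.invalid>::::::::::0:
ssb:u:255:18:EEEEFFFF00001111:1700000000::::::e:::+:::cv25519::
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666:
EOF
}

# Import MAVEN_GPG_PRIVATE_KEY and fail unless a secret key is present afterwards.
gpg_preflight() {
  if [ -z "${MAVEN_GPG_PRIVATE_KEY:-}" ]; then
    echo "::error::MAVEN_GPG_PRIVATE_KEY is empty" >&2
    return 1
  fi
  # gpg --import exits 0 for public-key-only input, so its status proves nothing.
  printf '%s\n' "$MAVEN_GPG_PRIVATE_KEY" | gpg --batch --import || return 1
  listing=$(gpg --batch --with-colons --list-secret-keys) || return 1
  if [ "$(printf '%s\n' "$listing" | count_secret_keys)" -eq 0 ]; then
    echo "::error::MAVEN_GPG_PRIVATE_KEY imported no secret key" >&2
    return 1
  fi
  # Diagnostics come from the parsed listing only; key material is never echoed.
  printf '%s\n' "$listing" | public_metadata
}
```

Calling gpg_preflight in the release step before the Maven deploy stops the job as soon as the secret turns out to hold only a public key.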