Support GPG #43

@jaredpetersen

Description

Releasing artifacts to Maven Central requires publishers to sign all of the assets with GPG. Publishers most commonly deal with this by utilizing maven-gpg-plugin.

This is a bit of a headache right now in GitHub actions as you have to create a step in your workflow that:

  1. takes a GitHub secret containing your private key and writes it to a file:
    echo $GPG_PRIVATE_KEY > private.asc
  2. imports the gpg key:
    gpg --import --batch private.asc

And to utilize the GPG key, you then have to pass it in as a maven argument:
-Dgpg.passphrase=$GPG_PASSPHRASE

This is definitely workable (see link for an example workflow) but it's more tedious than needed. It's also not ideal to pass passwords around using the command line even though GitHub Actions sanitizes them. Since setup-java already creates a settings.xml file that is preconfigured to publish to Maven Central, it would be nice if gpg could also be added to the settings.xml file.

The usage would look something like the following:

- name: Set up Apache Maven Central
  uses: actions/setup-java@v1
  with: # running setup-java again overwrites the settings.xml
     java-version: 1.8
     server-id: maven # Value of the distributionManagement/repository/id field of the pom.xml
     server-username: MAVEN_USERNAME # env variable for username in deploy
     server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
     gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} # gpg private key to import
     gpg-passphrase: GPG_PASSPHRASE # env variable for gpg signing in deploy
- name: Publish to Apache Maven Central
  run: mvn deploy 
  env:
    MAVEN_USERNAME: maven_username123
    MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}
    GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

And the generated settings.xml would look something like:

<settings>
  <servers>
    <server>
      <id>maven</id>
      <username>${env.MAVEN_USERNAME}</username>
      <password>${env.MAVEN_CENTRAL_TOKEN}</password>
    </server>
  </servers>
  <profiles>
    <profile>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <properties>
        <gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
</settings>

Since gpg is not supported by setup-java, other developers have had to step in to fill the void. samuelmeuli/action-maven-publish was created specifically to fill this gap but it overrides the settings.xml file to do so. It would be better if the official setup-java action supported this, especially as some developers/organizations are uncomfortable with third-party actions.
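As an added illustration of the settings.xml layout proposed in this issue (not code from setup-java or from the issue author), the following Python generates the file with `servers` and `profiles` as siblings under `settings`, references every credential only through `${env.NAME}` so no secret is written to disk, and includes a check that a rendered file contains no literal secret value. Function and parameter names are assumptions.

```python
"""Generate a Maven settings.xml whose credentials are resolved from
environment variables at build time (assumed helper names, not setup-java code)."""
from typing import Iterable, Optional
import xml.etree.ElementTree as ET

NS = "http://maven.apache.org/SETTINGS/1.0.0"


def _tag(name: str) -> str:
    return f"{{{NS}}}{name}"


def render_settings(server_id: str, username_env: str, password_env: str,
                    passphrase_env: str) -> str:
    """Return settings.xml text. Values are ${env.NAME} references, which Maven
    expands from the process environment, so the file itself holds no secrets."""
    ET.register_namespace("", NS)
    settings = ET.Element(_tag("settings"))
    # <servers> carries the deploy credentials for the distributionManagement id
    server = ET.SubElement(ET.SubElement(settings, _tag("servers")), _tag("server"))
    ET.SubElement(server, _tag("id")).text = server_id
    ET.SubElement(server, _tag("username")).text = f"${{env.{username_env}}}"
    ET.SubElement(server, _tag("password")).text = f"${{env.{password_env}}}"
    # <profiles> is a sibling of <servers>; maven-gpg-plugin reads the
    # gpg.passphrase property here instead of a -Dgpg.passphrase argument
    profile = ET.SubElement(ET.SubElement(settings, _tag("profiles")), _tag("profile"))
    activation = ET.SubElement(profile, _tag("activation"))
    ET.SubElement(activation, _tag("activeByDefault")).text = "true"
    props = ET.SubElement(profile, _tag("properties"))
    ET.SubElement(props, _tag("gpg.passphrase")).text = f"${{env.{passphrase_env}}}"
    return ET.tostring(settings, encoding="unicode")


def gpg_passphrase_property(xml_text: str) -> Optional[str]:
    """Read the passphrase reference back. The path is relative to <settings>,
    so it only resolves when <profiles> is a top-level child, not nested."""
    root = ET.fromstring(xml_text)
    node = root.find("/".join(_tag(n) for n in
                              ("profiles", "profile", "properties", "gpg.passphrase")))
    return None if node is None else node.text


def leaks_secret(xml_text: str, secret_values: Iterable[str]) -> bool:
    """Pre-write guard: True if any actual secret value appears literally in the file."""
    return any(value and value in xml_text for value in secret_values)
```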
