From fb0a63688d5f27ea93485ab618024f2b32736c6d Mon Sep 17 00:00:00 2001
From: Charles Hudson <charles.hudson@contentful.com>
Date: Fri, 5 Jun 2026 12:46:51 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=80=20ci(publish):=20Attempting=20to?=
 =?UTF-8?q?=20fix=20NPM=20and=20Maven=20publishing=20issues?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[[NT-3351](https://contentful.atlassian.net/browse/NT-3351)]
---
 .github/workflows/publish-android.yaml        | 35 +++++++++++++++++++
 .github/workflows/publish-npm.yaml            | 19 +++++++---
 package.json                                  |  2 +-
 .../ContentfulOptimization/build.gradle.kts   |  5 ++-
 .../optimization-js-bridge/package.json       |  6 ++++
 5 files changed, 58 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/publish-android.yaml b/.github/workflows/publish-android.yaml
index 71af4041..46cb657e 100644
--- a/.github/workflows/publish-android.yaml
+++ b/.github/workflows/publish-android.yaml
@@ -55,6 +55,41 @@ jobs:
 
       - uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
 
+      - name: Verify Maven Central credentials
+        if: github.event_name == 'release' || inputs.publish
+        env:
+          MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+          MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+        run: |
+          set -euo pipefail
+
+          if [ -z "$MAVEN_CENTRAL_USERNAME" ] || [ -z "$MAVEN_CENTRAL_PASSWORD" ]; then
+            echo "MAVEN_CENTRAL_USERNAME and MAVEN_CENTRAL_PASSWORD secrets must be set."
+            exit 1
+          fi
+
+          TOKEN="$(printf '%s:%s' "$MAVEN_CENTRAL_USERNAME" "$MAVEN_CENTRAL_PASSWORD" | base64 | tr -d '\n')"
+          CODE="$(curl -sS -o /dev/null -w '%{http_code}' \
+            -H "Authorization: Bearer $TOKEN" \
+            "https://central.sonatype.com/api/v1/publisher/published?namespace=com.contentful.java&name=optimization-android&version=0.0.0-probe" || printf '000')"
+
+          case "$CODE" in
+            2*|404)
+              ;;
+            401|403)
+              echo "Central Portal rejected the Maven Central token for namespace com.contentful.java (HTTP $CODE)."
+              echo "Regenerate a Central Portal user token from an account with publisher access to com.contentful.java and update the GitHub Actions secrets."
+              exit 1
+              ;;
+            000)
+              echo "Could not reach the Central Portal API."
+              exit 1
+              ;;
+            *)
+              echo "Central Portal credential preflight returned HTTP $CODE; continuing because the token was not explicitly rejected."
+              ;;
+          esac
+
       - name: Verify Maven publishing assembles
         if: github.event_name == 'workflow_dispatch' && !inputs.publish
         working-directory: packages/android/ContentfulOptimization
diff --git a/.github/workflows/publish-npm.yaml b/.github/workflows/publish-npm.yaml
index 1d62ef99..432e3d5b 100644
--- a/.github/workflows/publish-npm.yaml
+++ b/.github/workflows/publish-npm.yaml
@@ -60,7 +60,8 @@ jobs:
 
       - name: Bump package.json versions
         run: |
-          pnpm -r --filter "@contentful/optimization-*" exec \
+          pnpm -r --filter "@contentful/optimization-*" \
+            --filter "!@contentful/optimization-js-bridge" exec \
             npm --no-git-tag-version --force version "$RELEASE_VERSION"
         env:
           RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
@@ -71,12 +72,16 @@ jobs:
           RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
 
       - name: Prepare package READMEs for publish
-        run: pnpm -r --filter "@contentful/optimization-*" exec build-tools rewrite-readme prepare
+        run: |
+          pnpm -r --filter "@contentful/optimization-*" \
+            --filter "!@contentful/optimization-js-bridge" exec build-tools rewrite-readme prepare
         env:
           RELEASE_TAG: ${{ env.RELEASE_TAG }}
 
       - name: Create packages for troubleshooting
-        run: pnpm pack --filter "@contentful/optimization-*" --pack-destination pkgs
+        run: |
+          pnpm pack --filter "@contentful/optimization-*" \
+            --filter "!@contentful/optimization-js-bridge" --pack-destination pkgs
 
       - name: Upload packages for troubleshooting
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
@@ -96,10 +101,14 @@ jobs:
 
       - name: Publish
         if: github.event_name == 'release' || inputs.publish
-        run: pnpm -r --filter "@contentful/optimization-*" publish --access public --no-git-checks
+        run: |
+          pnpm -r --filter "@contentful/optimization-*" \
+            --filter "!@contentful/optimization-js-bridge" publish --access public --no-git-checks
         env:
           NODE_AUTH_TOKEN: ${{ steps.vault.outputs.GITHUB_PACKAGES_WRITE_TOKEN }}
 
       - name: Restore package READMEs after publish
         if: always()
-        run: pnpm -r --filter "@contentful/optimization-*" exec build-tools rewrite-readme restore
+        run: |
+          pnpm -r --filter "@contentful/optimization-*" \
+            --filter "!@contentful/optimization-js-bridge" exec build-tools rewrite-readme restore
diff --git a/package.json b/package.json
index 184fdb1c..2919dace 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
     "lint": "eslint lib packages",
     "lint:fix": "eslint lib packages --fix",
     "notices:generate": "pnpm --filter \"@contentful/*\" licenses list --prod --json | pnpm dlx @quantco/pnpm-licenses generate-disclaimer --json-input --output-file THIRD_PARTY_NOTICES.txt",
-    "pack:pkgs": "pnpm pack --filter @contentful/* --pack-destination pkgs",
+    "pack:pkgs": "pnpm pack --filter @contentful/* --filter '!@contentful/optimization-js-bridge' --pack-destination pkgs",
     "playwright:install": "pnpm run implementation:run -- --all -- implementation:playwright:install",
     "playwright:install-deps": "pnpm run implementation:run -- --all -- implementation:playwright:install-deps",
     "pm2:delete:all": "pm2 delete all",
diff --git a/packages/android/ContentfulOptimization/build.gradle.kts b/packages/android/ContentfulOptimization/build.gradle.kts
index baa43047..543033fd 100644
--- a/packages/android/ContentfulOptimization/build.gradle.kts
+++ b/packages/android/ContentfulOptimization/build.gradle.kts
@@ -1,12 +1,11 @@
 import com.vanniktech.maven.publish.AndroidSingleVariantLibrary
-import com.vanniktech.maven.publish.SonatypeHost
 
 plugins {
     id("com.android.library")
     id("org.jetbrains.kotlin.android")
     id("org.jetbrains.kotlin.plugin.compose")
     // Version inline so the module builds when included as a subproject (parent builds don't pin it).
-    id("com.vanniktech.maven.publish") version "0.30.0"
+    id("com.vanniktech.maven.publish") version "0.34.0"
 }
 
 // Published coordinate: com.contentful.java:optimization-android. We reuse Contentful's existing,
@@ -97,7 +96,7 @@ mavenPublishing {
         )
     )
 
-    publishToMavenCentral(SonatypeHost.CENTRAL_PORTAL, automaticRelease = true)
+    publishToMavenCentral(automaticRelease = true)
 
     // Sign with the in-memory GPG key supplied by CI (ORG_GRADLE_PROJECT_signingInMemoryKey*).
     // Skipped automatically when no key is configured (e.g. local publishToMavenLocal smoke tests),
diff --git a/packages/universal/optimization-js-bridge/package.json b/packages/universal/optimization-js-bridge/package.json
index d697da4b..ff2d9599 100644
--- a/packages/universal/optimization-js-bridge/package.json
+++ b/packages/universal/optimization-js-bridge/package.json
@@ -1,7 +1,13 @@
 {
+  "private": true,
   "name": "@contentful/optimization-js-bridge",
   "version": "0.0.0",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/contentful/optimization.git",
+    "directory": "packages/universal/optimization-js-bridge"
+  },
   "type": "module",
   "main": "./dist/optimization-ios-bridge.umd.js",
   "files": [