The "Reproducible build" workflow checks that fresh builds from source match the release signatures from Maven Central and the GitHub release. Because there's a bit of delay before artifacts become available on Maven Central, the developer needs to wait for that before publishing a GitHub release.
This change makes the workflow wait for the files to become available on Maven Central, and upload the signature files to the GitHub release instead of downloading them from there. The developer no longer needs to manually attach the signature files and does not need to wait before publishing the release.
Ping @Yubico/prodsec for visibility, you're welcome to review if you want to. :slightly_smiling_face:
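The wait-then-verify step described above, sketched as an added example (not the workflow from this pull request): it polls until a detached signature is published, fails on timeout rather than skipping the check, and then verifies a locally built artifact against it. The function names, URL, and retry defaults are assumptions.

```shell
#!/bin/sh
# Added example; all names and defaults here are hypothetical.

# Fetch URL $1 into file $2 and print the HTTP status code.
# Kept as a separate function so it can be stubbed when testing offline.
fetch_status() {
  curl --silent --location --output "$2" --write-out '%{http_code}' "$1"
}

# wait_for_signature URL OUTFILE [MAX_ATTEMPTS] [DELAY_SECONDS]
# Returns 0 once the file is downloaded, 1 on timeout, 2 on an unexpected status.
wait_for_signature() {
  url=$1; out=$2; max=${3:-30}; delay=${4:-60}; attempt=1
  while [ "$attempt" -le "$max" ]; do
    # curl prints 000 and exits non-zero on connection errors; treat as "retry".
    status=$(fetch_status "$url" "$out") || status=000
    case "$status" in
      200) return 0 ;;
      404|000) rm -f "$out" ;;   # not published yet: discard the error body
      *) rm -f "$out"
         echo "unexpected HTTP $status for $url" >&2
         return 2 ;;             # e.g. 403/500: fail fast instead of waiting
    esac
    attempt=$((attempt + 1))
    if [ "$attempt" -le "$max" ]; then sleep "$delay"; fi
  done
  echo "timed out waiting for $url" >&2
  return 1
}

# verify_build SIGNATURE ARTIFACT
# The freshly built artifact must match the published detached signature.
# Assumes the release signing key is already imported into the GnuPG keyring.
verify_build() {
  gpg --verify "$1" "$2"
}

# Example call (constructed placeholder URL and paths):
#   wait_for_signature "https://repo1.maven.org/maven2/<group>/<artifact>/<version>/<file>.jar.asc" out.asc \
#     && verify_build out.asc build/libs/<file>.jar
```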