Add Sonatype Maven Central publishing support (#9)

* Address pre-release security audit findings (all Critical + High)

Fixes all 4 Critical and 5 High findings, plus 5 of 6 Medium and all 3
Low findings from the pre-release security audit.

Critical:
- [#1] State validation is now unconditional; missing state throws
  StateMismatch, closing the CSRF / authorization code injection vector
- [#2] Public IDmeAuth constructor now requires Context and defaults to
  EncryptedCredentialStore; CredentialStore demoted to internal
- [#3] JWKSClient cache fields are @volatile and all access is serialised
  through a Mutex, eliminating the race condition
- [#4] policies() sends credentials via HTTP Basic Auth header instead of
  GET query parameter, keeping the client secret out of server logs

High:
- [#5] Demo network_security_config.xml removes user-cert trust and sets
  cleartextTrafficPermitted=false
- [#6] iss and aud JWT claims are now mandatory; tokens that omit either
  throw JWTClaimInvalid instead of silently passing
- [#7] JWTValidator validates nbf with 30-second clock skew tolerance and
  applies the same skew window to exp
- [#8] IDmeAuthManager replaces the single CompletableDeferred with a
  ConcurrentHashMap keyed by state; IDmeAuth passes state as sessionId
  so callbacks cannot be routed to the wrong flow
- [#9] extractJSON is now suspend and calls JWTValidator before decoding,
  ensuring userinfo JWT signatures are verified before claims are exposed

Medium:
- [#10] Log.isEnabled flag (default false) gates all SDK log output to
  prevent credential leakage in release builds
- [#11] Redirect URI validation rejects http/https/javascript/file/data
  schemes in IDmeAuth, AuthorizationRequest, and GroupsRequest
- [#12] clearSync() cancels the refresh deferred before nulling state,
  reducing the window for concurrent-write races
- [#13] expiresIn is coerced to [0, 86400] seconds before multiplication,
  preventing integer-overflow-induced negative expiry timestamps
- [#14] AuthViewModel extends AndroidViewModel (provides Context to
  IDmeAuth); clientSecret is only forwarded in OAUTH mode

Low:
- [#15] secure-pipeline-ast.yml pinned to immutable commit SHA instead
  of mutable @master ref
- [#17] Demo release build enables minification
- [#18] Base64URL.decode() throws IDmeAuthError.InvalidJWT on failure
  instead of returning null; JWTDecoder call sites cleaned up accordingly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add GitHub Packages Maven publishing workflow

- Apply maven-publish plugin to :sdk with release publication (com.idme:idme-auth-sdk)
- Configure GitHubPackages repository using GITHUB_TOKEN
- Add GROUP and VERSION_NAME to gradle.properties
- Add publish.yml workflow triggered on GitHub Release or workflow_dispatch

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Rename artifactId to android-auth-sample-code

Aligns Maven coordinates with the repository name:
me.id.auth:android-auth-sample-code:<version>

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add Sonatype Maven Central publishing support

- Add Dokka plugin for Javadoc JAR generation (required by Sonatype)
- Add sources JAR task (required by Sonatype)
- Apply signing plugin with in-memory PGP key support for CI
- Complete POM metadata: url, licenses, developers, and SCM (required by Sonatype)
- Wire Dokka + nexus-publish plugin into root buildscript classpath
- Configure Sonatype OSSRH staging repository via nexus-publish plugin
- Add Sonatype publish step to release workflow using five new secrets:
  SONATYPE_USERNAME, SONATYPE_PASSWORD, SIGNING_KEY_ID, SIGNING_KEY, SIGNING_PASSWORD

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Nat Ray <nathaniel.ray@id.me>

Author: 3 people

.github/workflows/release.yml

@@ -176,6 +176,18 @@ jobs:
           echo "Generated POM content:"
           cat ~/.m2/repository/me/id/auth/android-auth-sample-code/$RELEASE_VERSION/android-auth-sample-code-$RELEASE_VERSION.pom
 
+      - name: Publish to Maven Central (Sonatype OSSRH)
+        env:
+          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+          SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
+          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+          SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+        run: |
+          ./gradlew :sdk:publishReleasePublicationToSonatypeRepository \
+            closeAndReleaseSonatypeStagingRepository \
+            -PreleaseVersion=$RELEASE_VERSION
+
       - name: Create Git tag
         run: |
           git config user.name "github-actions[bot]"
@@ -208,6 +220,10 @@ jobs:
           echo "### Maven Coordinates" >> $GITHUB_STEP_SUMMARY
           echo "\`me.id.auth:android-auth-sample-code:$RELEASE_VERSION\`" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Published To" >> $GITHUB_STEP_SUMMARY
+          echo "- GitHub Packages: https://github.com/IDme/android-auth-sample-code/packages" >> $GITHUB_STEP_SUMMARY
+          echo "- Maven Central: https://central.sonatype.com/artifact/me.id.auth/android-auth-sample-code" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
           echo "### Verification" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
           echo "gh attestation verify android-auth-sample-code-$RELEASE_VERSION.aar --repo IDme/android-auth-sample-code" >> $GITHUB_STEP_SUMMARY

.github/workflows/secure-pipeline-ast.yml

@@ -0,0 +1,18 @@
+name: Secure Pipeline | AST
+
+on:
+  push:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+      - converted_to_draft
+  schedule:
+    - cron: '0 8 * * *' # 3am EST (UTC-5)
+
+jobs:
+  execute:
+    uses: IDme/workflow-library/.github/workflows/secure-pipeline-ast.yml@7a259bb101fd4f20d7cd0137c1f99e8d60af0859
+    secrets: inherit

build.gradle.kts

@@ -1,3 +1,5 @@
+import io.github.gradlenexus.publishplugin.NexusPublishExtension
+
 buildscript {
     repositories {
         google()
@@ -8,5 +10,20 @@ buildscript {
         classpath("com.android.tools.build:gradle:8.2.2")
         classpath("org.jetbrains.kotlin:kotlin-gradle-plugin:1.9.22")
         classpath("org.jetbrains.kotlin:kotlin-serialization:1.9.22")
+        classpath("org.jetbrains.dokka:dokka-gradle-plugin:1.9.20")
+        classpath("io.github.gradle-nexus:publish-plugin:2.0.0")
+    }
+}
+
+apply(plugin = "io.github.gradle-nexus.publish-plugin")
+
+configure<NexusPublishExtension> {
+    repositories {
+        sonatype {
+            nexusUrl.set(uri("https://s01.oss.sonatype.org/service/local/"))
+            snapshotRepositoryUrl.set(uri("https://s01.oss.sonatype.org/content/repositories/snapshots/"))
+            username.set(findProperty("sonatypeUsername")?.toString() ?: System.getenv("SONATYPE_USERNAME"))
+            password.set(findProperty("sonatypePassword")?.toString() ?: System.getenv("SONATYPE_PASSWORD"))
+        }
     }
 }

sdk/build.gradle.kts

@@ -1,11 +1,14 @@
 import com.android.build.gradle.LibraryExtension
 import org.gradle.api.publish.PublishingExtension
 import org.gradle.api.publish.maven.MavenPublication
+import org.gradle.plugins.signing.SigningExtension
 
 apply(plugin = "com.android.library")
 apply(plugin = "kotlin-android")
 apply(plugin = "kotlinx-serialization")
 apply(plugin = "maven-publish")
+apply(plugin = "signing")
+apply(plugin = "org.jetbrains.dokka")
 
 version = findProperty("releaseVersion")?.toString() ?: "1.0.0"
 
@@ -48,6 +51,17 @@ tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile> {
     }
 }
 
+val sourcesJar by tasks.registering(Jar::class) {
+    archiveClassifier.set("sources")
+    from("src/main/java", "src/main/kotlin")
+}
+
+val javadocJar by tasks.registering(Jar::class) {
+    archiveClassifier.set("javadoc")
+    dependsOn(tasks.named("dokkaJavadoc"))
+    from(tasks.named("dokkaJavadoc").map { it.outputs.files })
+}
+
 dependencies {
     "implementation"("org.jetbrains.kotlinx:kotlinx-coroutines-android:1.7.3")
     "implementation"("org.jetbrains.kotlinx:kotlinx-serialization-json:1.6.2")
@@ -68,11 +82,36 @@ afterEvaluate {
                 version = project.version.toString()
 
                 from(components["release"])
+                artifact(sourcesJar)
+                artifact(javadocJar)
 
                 pom {
                     name.set("ID.me Auth Sample Code")
                     description.set("ID.me Android Auth Sample Code SDK")
+                    url.set("https://github.com/IDme/android-auth-sample-code")
                     packaging = "aar"
+
+                    licenses {
+                        license {
+                            name.set("MIT License")
+                            url.set("https://opensource.org/licenses/MIT")
+                            distribution.set("repo")
+                        }
+                    }
+
+                    developers {
+                        developer {
+                            id.set("idme")
+                            name.set("ID.me")
+                            email.set("engineering@id.me")
+                        }
+                    }
+
+                    scm {
+                        connection.set("scm:git:git://github.com/IDme/android-auth-sample-code.git")
+                        developerConnection.set("scm:git:ssh://github.com/IDme/android-auth-sample-code.git")
+                        url.set("https://github.com/IDme/android-auth-sample-code")
+                    }
                 }
             }
         }
@@ -81,4 +120,15 @@ afterEvaluate {
             mavenLocal()
         }
     }
+
+    configure<SigningExtension> {
+        val signingKeyId = findProperty("signingKeyId")?.toString() ?: System.getenv("SIGNING_KEY_ID")
+        val signingKey = findProperty("signingKey")?.toString() ?: System.getenv("SIGNING_KEY")
+        val signingPassword = findProperty("signingPassword")?.toString() ?: System.getenv("SIGNING_PASSWORD")
+
+        if (!signingKey.isNullOrBlank() && !signingPassword.isNullOrBlank()) {
+            useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+            sign(extensions.getByType<PublishingExtension>().publications["release"])
+        }
+    }
 }