fix(build): rename source dirs to match package declarations#3
Merged
Conversation
Javadoc generation failed during the release build with: javadoc: error - Illegal package name: "io.github.decentralized-identity.didwebvh.core" The namespace migration (1505276) renamed the source directories to `io/github/decentralized-identity/...` but left the `package` statements as `io.github.decentralizedidentity.didwebvh.*` (matching the Maven groupId). Hyphens are not legal in Java package identifiers, so javac tolerated the mismatch but the javadoc tool — which infers packages from the directory tree — rejected it and aborted the `release` profile build before publishing to Maven Central. Rename the six affected directories (main + test for core, signing-local, and wizard) so the on-disk layout matches the package declarations. No source code changes; verified locally with `./mvnw -P release -DskipTests -Dgpg.skip clean install` — all four modules now build, including the javadoc jars.
Central Portal maps io.github.<X> to github.com/<X> for namespace verification. The repo lives under github.com/decentralized-identity, so the claimable namespace is io.github.decentralized-identity — not io.github.decentralizedidentity (a separate GitHub org we don't own). Maven groupIds may contain hyphens; Java package names may not. Source packages remain io.github.decentralizedidentity.didwebvh.* (valid Java identifiers) while the published Maven coordinates become: io.github.decentralized-identity:didwebvh-core io.github.decentralized-identity:didwebvh-signing-local io.github.decentralized-identity:didwebvh-wizard
Central Portal's User Token surfaces as a cleartext (namecode, password) pair that Maven feeds to <username>/<password> in settings.xml. Maven then base64-encodes user:pass itself for the HTTP Basic Auth header. If a maintainer pre-encodes the secret as base64(user:pass) (a common mistake, since some Sonatype docs show that form for bearer-style API calls), Maven double-encodes it and the Portal returns 401. The release job now decodes that shape automatically and logs which form it saw: OSSRH_TOKEN shape detected: raw cleartext password OSSRH_TOKEN shape detected: base64(user:pass) — decoded for Maven Detection is conservative: only triggers when OSSRH_TOKEN is valid base64 of all-printable ASCII containing a single ":" with non-empty halves. A genuine cleartext password is extremely unlikely to satisfy all three conditions. Decoded values are masked with ::add-mask:: so they don't leak in logs.
swcurran
approved these changes
May 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Javadoc generation failed during the release build with:
javadoc: error - Illegal package name:
"io.github.decentralized-identity.didwebvh.core"
The namespace migration (1505276) renamed the source directories to
io/github/decentralized-identity/...but left thepackagestatements asio.github.decentralizedidentity.didwebvh.*(matching the Maven groupId). Hyphens are not legal in Java package identifiers, so javac tolerated the mismatch but the javadoc tool — which infers packages from the directory tree — rejected it and aborted thereleaseprofile build before publishing to Maven Central.Rename the six affected directories (main + test for core, signing-local, and wizard) so the on-disk layout matches the package declarations. No source code changes; verified locally with
./mvnw -P release -DskipTests -Dgpg.skip clean install— all four modules now build, including the javadoc jars.