fix: use Maven 4 consumer POM instead of build POM #51

Merged
mhoffrog merged 1 commit into mavenplugins:master from mariuszs:fix/maven4-consumer-pom
Apr 15, 2026

@mariuszs mariuszs commented Mar 15, 2026

Summary

  • Maven 4 generates a consumer POM (attached artifact with classifier consumer, type pom) containing resolved versions and model 4.0.0
  • The plugin currently always uses mavenProject.getFile() (the build POM) which contains unresolved ${revision} and model 4.1.0
  • This causes Maven Central Portal to reject deployments with "Failed to associate file with coordinates" because it cannot parse the 4.1.0 model POM

The fix

In ProjectUtilsImpl:

  • Detect consumer POM among attached artifacts
  • Use it as ProjectArtifactMetadata instead of the build POM
  • Filter it from attached artifacts list to prevent it appearing as a separate -consumer.pom file in the bundle

Backwards compatible — without consumer POM (Maven 3 projects) behavior is unchanged.

Test plan

  • shouldNotIncludeConsumerPomAsSeparateArtifact — verifies consumer POM is used as main POM metadata and filtered from artifacts
  • shouldWorkNormallyWithoutConsumerPom — verifies Maven 3 backwards compatibility

Related

  • MNG-8584 — Maven4: Central publishing readiness

Summary by CodeRabbit

  • Bug Fixes

    • Improved Maven 4 consumer POM handling: plugin now prefers a consumer POM when present, excludes it from the artifact list, and substitutes consumer-POM signatures for build-POM signatures to avoid duplicate artifacts.
  • Tests

    • Added tests validating consumer POM detection, artifact filtering, and fallback behavior when absent.
    • Added Mockito inline mock-maker test configuration.
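
The selection, filtering and signature swap listed under "The fix", as an added example that is not the plugin's code: `Attached` is a hypothetical stand-in for Maven's attached artifacts, and the `pom.asc` signature types and the sample file names are assumptions.

```java
import java.util.List;
import java.util.stream.Collectors;

public class ConsumerPomSelection {
    // Hypothetical stand-in for an attached artifact; not the Maven API.
    record Attached(String classifier, String type, String file) {}

    static boolean isConsumerPom(Attached a) {
        return "consumer".equals(a.classifier()) && "pom".equals(a.type());
    }

    // Assumption: signatures are attached with type "pom.asc"; the consumer
    // POM's signature keeps the "consumer" classifier, the build POM's has none.
    static boolean isConsumerPomSignature(Attached a) {
        return "consumer".equals(a.classifier()) && "pom.asc".equals(a.type());
    }

    static boolean isBuildPomSignature(Attached a) {
        return a.classifier() == null && "pom.asc".equals(a.type());
    }

    // Prefer the consumer POM; fall back to the build POM (Maven 3).
    static String selectPom(String buildPom, List<Attached> attached) {
        return attached.stream().filter(ConsumerPomSelection::isConsumerPom)
                .map(Attached::file).findFirst().orElse(buildPom);
    }

    // Drop the consumer POM from the artifact list and keep only a signature
    // made over the POM that is actually uploaded, so the .asc still verifies.
    static List<Attached> bundleArtifacts(List<Attached> attached) {
        if (attached.stream().noneMatch(ConsumerPomSelection::isConsumerPom)) {
            return attached; // no consumer POM: behavior unchanged
        }
        return attached.stream()
                .filter(a -> !isConsumerPom(a) && !isBuildPomSignature(a))
                .map(a -> isConsumerPomSignature(a)
                        ? new Attached(null, "pom.asc", a.file()) : a)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample: what a signed Maven 4 build might attach.
        List<Attached> maven4 = List.of(
                new Attached("sources", "jar", "demo-1.0-sources.jar"),
                new Attached("consumer", "pom", "demo-1.0-consumer.pom"),
                new Attached(null, "pom.asc", "pom.xml.asc"),
                new Attached("consumer", "pom.asc", "demo-1.0-consumer.pom.asc"));
        System.out.println(selectPom("pom.xml", maven4));
        bundleArtifacts(maven4).forEach(System.out::println);
        System.out.println(selectPom("pom.xml", List.of()));
    }
}
```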

coderabbitai Bot commented Mar 15, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c6b48713-e7e8-4f7c-af00-011a21fe10ec

📥 Commits

Reviewing files that changed from the base of the PR and between 592a31d and 18e13eb.

📒 Files selected for processing (3)
  • src/main/java/org/sonatype/central/publisher/plugin/utils/ProjectUtilsImpl.java
  • src/test/java/org/sonatype/central/publisher/plugin/utils/ProjectUtilsImplConsumerPomTest.java
  • src/test/resources/mockito-extensions/org.mockito.plugins.MockMaker

Walkthrough

Adds Maven 4 consumer POM detection and preference in ProjectUtilsImpl: consumer POMs are used as the primary POM when present, filtered from attached-artifact lists, and consumer-POM signatures substitute build-POM signatures. A new test class and Mockito inline config validate the behavior.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Consumer POM Handling: src/main/java/org/sonatype/central/publisher/plugin/utils/ProjectUtilsImpl.java | Introduces Optional-based consumer POM support: findConsumerPom(), findConsumerPomSignature(), isBuildPomSignature(), isConsumerPom(). Uses findConsumerPom(...).orElse(mavenProject.getFile()) for primary POM selection; filters consumer POM from attached artifacts and substitutes consumer-POM signature files where applicable. |
| Tests & Test Config: src/test/java/org/sonatype/central/publisher/plugin/utils/ProjectUtilsImplConsumerPomTest.java, src/test/resources/mockito-extensions/org.mockito.plugins.MockMaker | Adds test suite validating consumer POM handling (exclusion from artifacts, signature substitution, and fallback behavior) and enables Mockito inline mock maker for tests. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 23.08% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title clearly and concisely summarizes the main change: switching from the build POM to the consumer POM for Maven 4 compatibility. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
src/test/java/org/sonatype/central/publisher/plugin/utils/ProjectUtilsImplConsumerPomTest.java (1)

84-115: Add a test for the attached-only fallback branch.

Current tests don’t exercise the file == null && !attachedArtifacts.isEmpty() path in ProjectUtilsImpl, where POM file selection can regress independently.

Also applies to: 121-137

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@src/test/java/org/sonatype/central/publisher/plugin/utils/ProjectUtilsImplConsumerPomTest.java`
around lines 84 - 115, Add a new test (or extend
shouldNotIncludeConsumerPomAsSeparateArtifact) to exercise the attached-only
fallback branch in ProjectUtilsImpl.getArtifacts by creating a MavenProject
whose main Artifact has file == null but attachedArtifacts is non-empty (include
a consumer POM with classifier "consumer" and another attached artifact like
sources), then call projectUtils.getArtifacts(project, artifactFactory) and
assert the consumer POM is not returned as a separate ArtifactWithFile and only
the expected artifacts (e.g., sources and main jar replacement behavior) are
present; this targets the code path where file == null &&
!attachedArtifacts.isEmpty() so POM selection doesn't regress.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@src/main/java/org/sonatype/central/publisher/plugin/utils/ProjectUtilsImpl.java`:
- Around line 161-163: The fallback branch is using mavenProject.getFile() and
bypasses the consumer-POM selected by findConsumerPom; capture the result of
findConsumerPom(mavenProject) into a pomFile variable and ensure that
artifact.addMetadata(new ProjectArtifactMetadata(...)) and the attached-only
fallback both use that same pomFile (instead of calling mavenProject.getFile()
directly) so the consumer-aware POM is always used (refer to findConsumerPom,
mavenProject, artifact.addMetadata, and ProjectArtifactMetadata to locate the
affected logic).

In
`@src/test/java/org/sonatype/central/publisher/plugin/utils/ProjectUtilsImplConsumerPomTest.java`:
- Around line 81-82: Update the Javadoc comment in the
ProjectUtilsImplConsumerPomTest class: remove the stale phrase "Currently FAILS
- " from the comment that says "Currently FAILS - consumer POM leaks into the
artifact list." (or reword the whole sentence) so the test class comment
reflects the fixed state; locate the comment block in
ProjectUtilsImplConsumerPomTest and edit the Javadoc to a neutral or accurate
description of the test purpose.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cd603dae-7249-4af9-82ee-75a85d45dc61

📥 Commits

Reviewing files that changed from the base of the PR and between 8143cf5 and bf1dbe5.

📒 Files selected for processing (3)
  • src/main/java/org/sonatype/central/publisher/plugin/utils/ProjectUtilsImpl.java
  • src/test/java/org/sonatype/central/publisher/plugin/utils/ProjectUtilsImplConsumerPomTest.java
  • src/test/resources/mockito-extensions/org.mockito.plugins.MockMaker

@mariuszs mariuszs force-pushed the fix/maven4-consumer-pom branch 2 times, most recently from 592a31d to 30da9e0 Compare March 15, 2026 19:25
Maven 4 generates a consumer POM (classifier="consumer", type="pom")
that contains resolved versions and model 4.0.0 - this is what should
be deployed to Maven Central. Previously the plugin always used the
build POM (mavenProject.getFile()) which contains unresolved
${revision} and model 4.1.0, causing Central Portal to reject the
deployment with "Failed to associate file with coordinates".

The fix:
- Detect consumer POM among attached artifacts
- Use it as ProjectArtifactMetadata instead of build POM
- Filter consumer POM artifacts from attached artifacts list
- Swap build POM GPG signature with consumer POM signature

Backwards compatible - without consumer POM (Maven 3) behavior
is unchanged.
@mariuszs mariuszs force-pushed the fix/maven4-consumer-pom branch from 30da9e0 to 18e13eb Compare March 15, 2026 19:26
@mhoffrog mhoffrog self-assigned this Apr 15, 2026
@mhoffrog mhoffrog added the bug, java and tests labels Apr 15, 2026
@mhoffrog mhoffrog merged commit 97f4835 into mavenplugins:master Apr 15, 2026
1 check passed
@mhoffrog
@mariuszs Many THANKS for your contribution! 👍
