Explicitly switch to Sonatype token authentication

Token auth is now mandatory:

xerial/sbt-sonatype#464 (comment)

In January 2024, Sonatype started actively discouraging the legacy
username & password method of authentication, recommending token
authentication instead:

* https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests
* https://central.sonatype.org/publish/generate-token/

In this new scheme, the token is still split into a username/password
format, and both are randomised strings, making the username portion
a meaningful secret (ie one that can be revoked) and so worthy of being
treated as a secret.

.github/workflows/reusable-release.yml

@@ -20,14 +20,9 @@ on:
         default: 'oss.sonatype.org' # The default host is going to be whatever "com.gu" is using
         required: false # ...but if you're not the Guardian, you'll want to set this explicitly
         type: string
-      SONATYPE_USERNAME:
-        description: 'Sonatype username'
-        default: 'guardian.automated.maven.release' # Only for use by the Guardian!
-        required: false # Must be supplied if used by a non-Guardian project
-        type: string
     secrets:
-      SONATYPE_PASSWORD:
-        description: 'Password for the SONATYPE_USERNAME account - used to authenticate when uploading artifacts'
+      SONATYPE_TOKEN:
+        description: 'Sonatype authentication token, colon-separated (username:password) - https://central.sonatype.org/publish/generate-token/'
         required: true
       PGP_PRIVATE_KEY:
         description:
@@ -406,7 +401,7 @@ jobs:
           
           mkdir project
           echo 'addSbtPlugin("org.xerial.sbt" % "sbt-sonatype" % "3.10.0")' > project/plugins.sbt
-          echo 'sbt.version = 1.9.9' > project/build.properties
+          echo 'sbt.version = 1.10.0' > project/build.properties
           
           ls -lR .
       - uses: actions/setup-java@v4
@@ -416,9 +411,10 @@ jobs:
           cache: sbt # the issue described in https://github.com/actions/setup-java/pull/564 doesn't affect this step (no version.sbt)
       - name: Release
         env:
-          SONATYPE_USERNAME: ${{ inputs.SONATYPE_USERNAME }}
-          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+          SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
         run: |
+          export SONATYPE_USERNAME="${SONATYPE_TOKEN%%:*}" # See https://github.com/xerial/sbt-sonatype/pull/62
+          export SONATYPE_PASSWORD="${SONATYPE_TOKEN#*:}"
           sbt "sonatypeBundleRelease"
 
   github-release:

docs/credentials/generating-credentials.md

@@ -3,9 +3,25 @@
 Normally you'll be using [shared organisation-wide credentials](supplying-credentials.md),
 but if you need to rotate those credentials, or just create some new ones for your organisation:
 
-## Updating a Sonatype OSSRH user's password
-
-See [Sonatype's instructions](https://central.sonatype.org/faq/ossrh-password/).
+## Updating a Sonatype OSSRH Token username & password
+
+As of [January 2024](https://central.sonatype.org/news/20240109_issues_sonatype_org_deprecation/#support-requests),
+Sonatype is actively discouraging the legacy username & password method of authentication, recommending
+[token authentication](https://central.sonatype.org/publish/generate-token/)
+(see link for token-regenerating instructions).
+
+Note these points:
+
+* The token is in a colon:separated username/password format, and _both_ username & password are randomised & revocable
+  secret strings.
+* Tokens generated on either https://oss.sonatype.org/ or https://s01.oss.sonatype.org/ will be _different_, and
+  **a token generated on one will not work on the other**. So, eg, if your `SONATYPE_CREDENTIAL_HOST` is `s01.oss.sonatype.org`,
+  you'll need to use a token _generated_ on `s01.oss.sonatype.org`. Remember that the `SONATYPE_CREDENTIAL_HOST` you
+  use is [dictated](https://github.com/xerial/sbt-sonatype/pull/461) by which Sonatype OSSRH server your **profile**
+  is hosted on.  
+  **Guardian developers:** currently the Guardian's `com.gu` profile is hosted on `oss.sonatype.org`, so the token we
+  use must be generated [there](https://oss.sonatype.org/), logged in with the `guardian.automated.maven.release`
+  account.
 
 ## Generating a new PGP key
 
@@ -26,4 +42,4 @@ See [GitHub's instructions](https://docs.github.com/en/apps/creating-github-apps
 release workflow, see [Setting up the GitHub App](github-app.md) first.
 
 **Guardian developers:** Here's a direct link to our GitHub App settings page, where you can generate a new private key:
-https://github.com/organizations/guardian/settings/apps/gu-scala-library-release
+https://github.com/organizations/guardian/settings/apps/gu-scala-library-release

docs/credentials/supplying-credentials.md

@@ -20,7 +20,7 @@ has _access_ to those secrets.
 to grant repos access to the necessary Organisation secrets - you need to raise a PR (like [this example PR](https://github.com/guardian/github-secret-access/pull/24))
 which will grant access to these:
 
-* `AUTOMATED_MAVEN_RELEASE_SONATYPE_PASSWORD`
+* `AUTOMATED_MAVEN_RELEASE_SONATYPE_TOKEN`
 * `AUTOMATED_MAVEN_RELEASE_PGP_SECRET`
 * `AUTOMATED_MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY`