chore(build): clarify release GitHub App private key setup

.github/workflows/maven_central_release.yml

@@ -507,12 +507,30 @@ jobs:
             fi
           done
 
+      - name: Validate release GitHub App private key
+        env:
+          RAW_PRIVATE_KEY: ${{ secrets.MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY }}
+        run: |
+          private_key="${RAW_PRIVATE_KEY//$'\r'/}"
+          private_key="${private_key//\\n/$'\n'}"
+
+          if [[ "${private_key}" != *"-----BEGIN PRIVATE KEY-----"* && "${private_key}" != *"-----BEGIN RSA PRIVATE KEY-----"* ]]; then
+            echo "::error::MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY must be the GitHub App private key PEM, including BEGIN/END lines. Do not use the app client secret or webhook secret."
+            exit 1
+          fi
+          if ! printf '%s\n' "${private_key}" | openssl pkey -noout >/dev/null 2>&1; then
+            echo "::error::MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY is present but is not a parseable PEM private key."
+            exit 1
+          fi
+
       - name: Create release GitHub App token
         id: release-app-token
         uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           client-id: ${{ vars.MAVEN_RELEASE_GITHUB_APP_CLIENT_ID }}
           private-key: ${{ secrets.MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
           permission-contents: write
 
       - name: Check out release source
@@ -773,7 +791,7 @@ jobs:
             exit 0
           fi
 
-          git commit -am "Bump version to ${NEXT_DEVELOPMENT_VERSION}"
+          git commit -am "build: ${NEXT_DEVELOPMENT_VERSION}"
           # Plain --force: this branch is a throwaway owned solely by this workflow,
           # and the job never fetches it, so --force-with-lease has no lease ref and
           # would be rejected ("stale info") when the branch already exists.
@@ -784,7 +802,7 @@ jobs:
             gh pr create \
               --base "${SOURCE_REF}" \
               --head "${branch}" \
-              --title "Bump version to ${NEXT_DEVELOPMENT_VERSION}" \
+              --title "build: ${NEXT_DEVELOPMENT_VERSION}" \
               --body "Post-release housekeeping after publishing questdb-client ${RELEASE_VERSION}. Merge before the next release."
           else
             echo "A bump PR for ${branch} already exists."

artifacts/release/README.md

@@ -22,11 +22,17 @@ actor** on the ruleset (Organization settings -> Rules -> `restrict-tag-pushing`
 Store the app credentials for the workflow:
 
 - repository variable `MAVEN_RELEASE_GITHUB_APP_CLIENT_ID`: the app's client ID
-- `maven-release` environment secret `MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY`: a private key for the app
+- `maven-release` environment secret `MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY`: a GitHub App private key for the app,
+  generated from the app's settings page
 
 The branch ruleset on `main` is intentionally **not** bypassed. The next-development snapshot bump lands as an ordinary
 pull request, so `main` keeps its "PR-only, squash, one approval" protection.
 
+`MAVEN_RELEASE_GITHUB_APP_PRIVATE_KEY` must be the PEM private key downloaded from the GitHub App's **Private keys**
+section, including the `BEGIN`/`END` lines. Do not use the app client secret or webhook secret. The workflow accepts the
+key pasted as a raw multi-line PEM or as a PEM with literal `\n` line separators; it validates the key before calling
+`actions/create-github-app-token` so setup failures point at the secret instead of surfacing as `Invalid keyData`.
+
 The AWS secret referenced by `MAVEN_RELEASE_AWS_SECRET_ARN` must expose these JSON keys (they become environment
 variables of the same name): `MAVEN_GPG_PRIVATE_KEY`, `MAVEN_CENTRAL_USERNAME`, `MAVEN_CENTRAL_PASSWORD`, and
 optionally `MAVEN_GPG_PASSPHRASE` (omit or leave empty for a passphrase-less signing key).