Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 48 additions & 0 deletions .github/workflows/maven-publish.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
name: Publish to Maven Central

# Manually publish the current POM version to Maven Central, without creating a
# GitHub release or Docker image (use this to publish a version that was already
# tagged/released on GitHub, e.g. 4.8). Select the branch to run from in the
# "Run workflow" dropdown — it publishes whatever version the checked-out POM has.
#
# NOTE: Maven Central versions are immutable. Only run this from a branch whose
# build produces the thin main jar (i.e. after the thin-jar change is merged).
on:
workflow_dispatch:
Comment on lines +3 to +11

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/maven-publish.yml"

echo "=== file outline ==="
ast-grep outline "$file" --view expanded || true

echo
echo "=== numbered file excerpt ==="
cat -n "$file"

echo
echo "=== search for workflow env/permissions/checkout/setup-java/deploy ==="
rg -n "workflow_dispatch|permissions:|environment:|actions/checkout|setup-java|mvn|deploy|gpg|MAVEN_CENTRAL|maven" "$file"

Repository: testingbot/Testingbot-Tunnel

Length of output: 2438


Gate this publish job to a protected release ref. The workflow accepts any selected branch and runs it with Maven Central and GPG secrets, so a bad or compromised ref can publish the wrong immutable version or alter the publish steps. Enforce a protected tag/branch and reject POM/version mismatches before deploy.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 10-11: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maven-publish.yml around lines 3 - 11, Restrict the
workflow_dispatch entry for the Maven publish workflow to an approved protected
release tag or branch, and validate that the checked-out ref and POM version
match the expected release before deployment. Add the validation before the
Maven publish step and fail the workflow on any mismatch, while preserving the
existing manual publishing behavior for valid release refs.

Source: MCP tools


permissions:
contents: read

# Never deploy two publishes to Central at the same time; queue instead of racing.
concurrency:
group: maven-central-publish
cancel-in-progress: false

jobs:
publish:
runs-on: ubuntu-latest
Comment thread
coderabbitai[bot] marked this conversation as resolved.

steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false

- name: Set up JDK 11
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
with:
java-version: '11'
distribution: 'temurin'
cache: 'maven'
server-id: central
server-username: MAVEN_USERNAME
server-password: MAVEN_PASSWORD
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
gpg-passphrase: GPG_PASSPHRASE

- name: Build and deploy to Maven Central
run: mvn -B clean deploy -DskipTests
env:
MAVEN_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
14 changes: 11 additions & 3 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,11 +43,19 @@ jobs:
MAVEN_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

# Upload the JAR as a release asset
# The published Maven artifact is now the thin jar; use the runnable "shaded" jar as the
# downloadable CLI release asset, keeping the familiar TestingBotTunnel-<version>.jar name.
- name: Prepare runnable jar for release
run: |
VERSION=${GITHUB_REF#refs/tags/v}
mkdir -p release-assets
cp target/TestingBotTunnel-${VERSION}-shaded.jar release-assets/TestingBotTunnel-${VERSION}.jar

# Upload the runnable JAR as a release asset
- name: Upload JAR to GitHub Releases
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@3d0d9888cb7fd7b750713d6e236d1fcb99157228 # v3
with:
files: target/TestingBotTunnel-*.jar
files: release-assets/TestingBotTunnel-*.jar
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ RUN mvn -B -ntp -DskipTests \
-Dmaven.javadoc.skip=true \
-Dmaven.source.skip=true \
package \
&& mv target/TestingBotTunnel-*.jar target/testingbot-tunnel.jar
&& mv target/TestingBotTunnel-*-shaded.jar target/testingbot-tunnel.jar

# -------- Runtime stage --------
FROM eclipse-temurin:11-jre-jammy
Expand Down
8 changes: 7 additions & 1 deletion pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,12 @@
<goal>shade</goal>
</goals>
<configuration>
<!-- Publish a thin main artifact (project classes only, with dependencies declared
in the POM) so Maven consumers such as the Jenkins plugin get the real, correctly
versioned dependencies transitively instead of a fat jar that shadows them.
The runnable uber jar is attached under the "shaded" classifier for CLI/Docker use. -->
<shadedArtifactAttached>true</shadedArtifactAttached>
<shadedClassifierName>shaded</shadedClassifierName>
<minimizeJar>true</minimizeJar>
<filters>
<filter>
Expand Down Expand Up @@ -254,7 +260,7 @@
<executable>java</executable>
<arguments>
<argument>-jar</argument>
<argument>${project.build.directory}/${project.build.finalName}.jar</argument>
<argument>${project.build.directory}/${project.build.finalName}-shaded.jar</argument>
<argument>--version</argument>
</arguments>
</configuration>
Expand Down
Loading