1- name : Build with '-Prelease'
2-
3- # Simply runs the build with -Prelease to avoid nasty surprises when running the release-to-maven-central workflow.
1+ name : Build with '-Prelease' (Trigger)
42
3+ # Trigger workflow for release profile build verification.
4+ # This workflow runs on PRs and uploads the PR info for the workflow_run job.
5+ # The actual build with secrets happens in build-with-release-profile-run.yml
6+ # See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests
57
68on :
7- # Handle all branches for now
9+ pull_request : # Changed from pull_request_target for security
810 push :
9- pull_request_target :
1011 workflow_dispatch :
1112
1213# Only run the latest job
@@ -15,47 +16,35 @@ concurrency:
1516 cancel-in-progress : true
1617
1718jobs :
18- build :
19+ trigger :
1920 # Only run this job for the main repository, not for forks
2021 if : github.repository == 'a2aproject/a2a-java'
2122 runs-on : ubuntu-latest
2223 permissions :
2324 contents : read
2425
2526 steps :
26- - name : Checkout repository
27- uses : actions/checkout@v4
28-
29- - name : Set up JDK 17
30- uses : actions/setup-java@v4
31- with :
32- java-version : ' 17'
33- distribution : ' temurin'
34- cache : maven
35-
36- # Use secrets to import GPG key
37- - name : Import GPG key
38- uses : crazy-max/ghaction-import-gpg@v6
39- with :
40- gpg_private_key : ${{ secrets.GPG_SIGNING_KEY }}
41- passphrase : ${{ secrets.GPG_SIGNING_PASSPHRASE }}
42-
43- # Create settings.xml for Maven since it needs the 'central-a2asdk-temp' server.
44- # Populate wqith username and password from secrets
45- - name : Create settings.xml
27+ - name : Prepare PR info
4628 run : |
47- mkdir -p ~/.m2
48- echo "<settings><servers><server><id>central-a2asdk-temp</id><username>${{ secrets.CENTRAL_TOKEN_USERNAME }}</username><password>${{ secrets.CENTRAL_TOKEN_PASSWORD }}</password></server></servers></settings>" > ~/.m2/settings.xml
49-
50- # Build with the same settings as the deploy job
51- # -s uses the settings file we created.
52- - name : Build with same arguments as deploy job
53- run : >
54- mvn -B install
55- -s ~/.m2/settings.xml
56- -P release
57- -DskipTests
58- -Drelease.auto.publish=true
59- env :
60- # GPG passphrase is set as an environment variable for the gpg plugin to use
61- GPG_PASSPHRASE : ${{ secrets.GPG_SIGNING_PASSPHRASE }}
29+ mkdir -p pr_info
30+
31+ # Store PR number for workflow_run job
32+ if [ "${{ github.event_name }}" = "pull_request" ]; then
33+ echo ${{ github.event.number }} > pr_info/pr_number
34+ echo ${{ github.event.pull_request.head.sha }} > pr_info/pr_sha
35+ echo ${{ github.event.pull_request.head.ref }} > pr_info/pr_ref
36+ else
37+ # For push events, store the commit sha
38+ echo ${{ github.sha }} > pr_info/pr_sha
39+ echo ${{ github.ref }} > pr_info/pr_ref
40+ fi
41+
42+ echo "Event: ${{ github.event_name }}"
43+ cat pr_info/*
44+
45+ - name : Upload PR info
46+ uses : actions/upload-artifact@v6
47+ with :
48+ name : pr-info
49+ path : pr_info/
50+ retention-days : 1
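Review bot: In the `Prepare PR info` step, the `${{ github.event.pull_request.head.ref }}` expression is substituted into the script text before the shell runs, and the `echo ${{ ... }} > pr_info/pr_ref` line is unquoted, so a branch name chosen by the PR author can change what the script does. Pass the event fields through `env:` and write them with quoted expansions, as in the excerpt below, so they are handled as data rather than as script text. Because this job runs on `pull_request`, the contents of the `pr-info` artifact should be treated as author-controlled in any case. The `workflow_run` job in build-with-release-profile-run.yml is not shown here; it should presumably check that `pr_number` is all digits and `pr_sha` is a 40-character hex string before using them, and should never feed `pr_ref` into a shell command or checkout without validation.

```yaml
      - name: Prepare PR info
        env:
          PR_NUMBER: ${{ github.event.number }}
          PR_SHA: ${{ github.event.pull_request.head.sha }}
          PR_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          mkdir -p pr_info
          if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
            printf '%s\n' "$PR_NUMBER" > pr_info/pr_number
            printf '%s\n' "$PR_SHA" > pr_info/pr_sha
            printf '%s\n' "$PR_REF" > pr_info/pr_ref
          else
            printf '%s\n' "$GITHUB_SHA" > pr_info/pr_sha
            printf '%s\n' "$GITHUB_REF" > pr_info/pr_ref
          fi
          # … unchanged: event echo and cat pr_info/* …
```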