ci: update GitHub Actions workflows for Maven build and deploy

codeboyzhou · codeboyzhou · commit 942fb092ef56 · 2026-06-07T09:03:22.000+08:00
- Change trigger for Maven build to only run on the main branch.
- Add permissions and concurrency settings to both workflows.
- Remove the verify job from the deploy workflow and add validation for release tags.
- Ensure coverage reports are uploaded only for non-pull request events.
diff --git a/.github/workflows/maven-build.yml b/.github/workflows/maven-build.yml
@@ -2,13 +2,20 @@ name: Maven Build
 
 on:
   push:
-    tags:
-      - 'v*'
+    branches:
+      - main
 
   pull_request:
     branches:
       - main
 
+permissions:
+  contents: read
+
+concurrency:
+  group: maven-build-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
@@ -34,6 +41,8 @@ jobs:
           ./mvnw -B package --file pom.xml
 
       - name: Upload coverage reports to Codecov
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         uses: codecov/codecov-action@v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: false
diff --git a/.github/workflows/maven-deploy.yml b/.github/workflows/maven-deploy.yml
@@ -5,33 +5,19 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: read
+
+concurrency:
+  group: maven-deploy-${{ github.ref }}
+  cancel-in-progress: false
+
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
 jobs:
-  verify:
-    name: maven verify
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Git Checkout
-        uses: actions/checkout@v6
-
-      - name: Set up JDK 17
-        uses: actions/setup-java@v5
-        with:
-          cache: maven
-          java-version: '17'
-          distribution: 'temurin'
-
-      - name: Verify with Maven
-        run: |
-          chmod +x ./mvnw
-          ./mvnw -B clean verify --file pom.xml
-
   deploy:
     name: maven deploy
-    needs: verify
     runs-on: ubuntu-latest
 
     steps:
@@ -50,6 +36,21 @@ jobs:
           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
           gpg-passphrase: GPG_PASSPHRASE
 
+      - name: Validate release tag
+        run: |
+          version="$(grep -m1 '<version>' pom.xml | sed -E 's/.*<version>([^<]+)<\/version>.*/\1/')"
+          tag_version="${GITHUB_REF_NAME#v}"
+
+          if [[ "$version" == *-SNAPSHOT ]]; then
+            echo "Refusing to deploy snapshot version: $version"
+            exit 1
+          fi
+
+          if [[ "$version" != "$tag_version" ]]; then
+            echo "Tag version ($tag_version) does not match pom.xml version ($version)"
+            exit 1
+          fi
+
       - name: Deploy to Maven Central
         run: |
           chmod +x ./mvnw
