Fix the Maven release workflow and harden CI #606
* Add server credentials to release workflow
* Update GitHub Actions to use context variables
release:perform failed with 401 because setup-java was passed literal credential values where it expects environment-variable names, and because GitHub Packages does not accept GitHub App tokens. The Maven deploy and the GitHub release now authenticate with GITHUB_TOKEN, while the App token keeps doing the git pushes to the protected branches. Commits are authored as the diennea-bot machine user.
Bump test-reporter to v3 and upload-artifact to v7 (both move to the Node 24 runtime). Add a paths filter so PR validation runs only when module code, the parent pom, the Maven wrapper, or the PR validation workflow itself changes; PRs touching only docs or unrelated files no longer trigger a build.
@coderabbitai resume

✅ Action performed: Reviews resumed.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/pr-validation-report.yml (1)
16-16: Pin dorny/test-reporter to a full commit SHA.

Line 16 uses a mutable tag (@v3). Pinning to an immutable commit SHA reduces supply-chain risk. For v3.0.0, use a43b3a5f7366b97d083190328d2c652e1a8b6aa2.

Suggested patch:
- - uses: dorny/test-reporter@v3
+ - uses: dorny/test-reporter@a43b3a5f7366b97d083190328d2c652e1a8b6aa2

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-validation-report.yml at line 16, The `dorny/test-reporter` action uses a mutable tag `@v3` which creates a supply chain risk since the tag can be modified. Replace the `@v3` tag in the `dorny/test-reporter` action reference with the immutable commit SHA `a43b3a5f7366b97d083190328d2c652e1a8b6aa2` to ensure the exact version is pinned and cannot be changed unexpectedly.

Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/pr-validation.yml:
- Around line 20-27: The paths filter in the pr-validation.yml workflow is
missing an entry for the pr-validation-report.yml file, allowing changes to that
report workflow to bypass validation. Add
'.github/workflows/pr-validation-report.yml' to the paths list at the same level
as the existing '.github/workflows/pr-validation.yml' entry to ensure PRs
modifying the report workflow trigger this validation chain.
- Line 62: Replace the mutable tag `@v7` with a pinned commit SHA in the
actions/upload-artifact action to prevent supply-chain attacks. Update both
instances (line 62 and line 70) of uses: actions/upload-artifact@v7 to uses:
actions/upload-artifact@043fb46c6418861d85040d828d546255799797c2 to pin to the
specific commit SHA for v7.0.1.
---
Nitpick comments:
In @.github/workflows/pr-validation-report.yml:
- Line 16: The `dorny/test-reporter` action uses a mutable tag `@v3` which
creates a supply chain risk since the tag can be modified. Replace the `@v3` tag
in the `dorny/test-reporter` action reference with the immutable commit SHA
`a43b3a5f7366b97d083190328d2c652e1a8b6aa2` to ensure the exact version is pinned
and cannot be changed unexpectedly.
The diennea-bot identity and gh credential-helper setup were duplicated across the Configure Git and Reconfigure Git steps. Move them into a local composite action so the bot identity lives in one place; behaviour is unchanged.
Supply-chain hardening for the two third-party actions bumped in this PR, pinned to their v7.0.1 and v3.0.0 commits with a version comment. The reviewer-suggested upload-artifact SHA did not exist; used the verified v7.0.1 commit instead.
Pin the rest of the external actions (checkout, setup-java, create-github-app-token, action-gh-release, maven-dependency-submission-action) to their release commit SHAs, consistent with the already-pinned upload-artifact and test-reporter. Also add pr-validation-report.yml to the PR validation paths so changes to either CI workflow trigger validation.
@coderabbitai resume

✅ Action performed: Reviews resumed.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/pr-validation.yml (1)
54-54: 💤 Low value. Consider adding persist-credentials: false for defense-in-depth.

While this workflow only has read permissions and doesn't perform any authenticated Git operations after checkout, adding persist-credentials: false would align with security best practices and the pattern used in release.yml.

Suggested change:
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+   with:
+     persist-credentials: false

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-validation.yml at line 54, The actions/checkout action in the pr-validation.yml workflow is missing the persist-credentials configuration parameter. Add persist-credentials: false as a with parameter to the checkout action to align with security best practices and match the pattern used in release.yml. This prevents credentials from persisting after checkout even though the workflow has read-only permissions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/master-snapshot.yml:
- Line 13: The actions/checkout action on line 13 of the master-snapshot.yml
workflow is using default credential persistence settings, which unnecessarily
exposes the GITHUB_TOKEN to later steps. Add the `persist-credentials: false`
option to the checkout action configuration since this job does not perform
authenticated git writes and does not need credential persistence enabled.
---
Nitpick comments:
In @.github/workflows/pr-validation.yml:
- Line 54: The actions/checkout action in the pr-validation.yml workflow is
missing the persist-credentials configuration parameter. Add
persist-credentials: false as a with parameter to the checkout action to align
with security best practices and match the pattern used in release.yml. This
prevents credentials from persisting after checkout even though the workflow has
read-only permissions.
The master-snapshot and pr-validation jobs do no authenticated git writes, so set persist-credentials: false on their checkouts to avoid leaving the token in the local git config, matching release.yml.
Repairs the Maven release workflow so a release runs end-to-end (it previously failed at the deploy step) and cleans up how the release authenticates and attributes its commits.

How the release authenticates (the core change)

The release needs two different credentials, and one token can't cover both:

- Git pushes to the master/release/* branches use a GitHub App token — it can bypass branch protection and attributes the release commits to a bot identity.
- The Maven deploy and the GitHub release use GITHUB_TOKEN. This is required: the GitHub Packages Maven registry rejects GitHub App tokens, so only a PAT or GITHUB_TOKEN authenticates there. Published artifacts and the release show as github-actions[bot].

Other release fixes

- setup-java credentials — server-username/server-password take environment-variable names, not values; the previous literal values resolved to an empty password and a 401 on deploy.
- pom.xml SCM switched to the HTTPS URL with <tag>HEAD, so maven-release-plugin pushes over HTTPS (matching the token auth) instead of SSH.
- Commits are authored as diennea-bot; the shared Git identity + credential-helper setup is extracted into a local composite action (.github/actions/configure-git), defined once and reused by both checkouts.

Also in this PR (CI hygiene)

Pinned all external actions to commit SHAs, bumped test-reporter/upload-artifact/action-gh-release to their Node 24 majors, added a paths filter so PR validation skips non-code changes, and set persist-credentials: false on the read-only checkouts.
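As an added example (not this PR's release.yml), a workflow fragment that wires up the two credentials the description separates: the App token for the protected-branch pushes via the gh credential helper, GITHUB_TOKEN for the Maven deploy, and the setup-java inputs given as environment-variable names, with the literal form that produced the 401 kept as a comment. The App id/secret names, the PLACEHOLDER action SHAs, the bot e-mail and the Java version are assumptions; the checkout SHA is the one quoted in the review above.

```yaml
# Added example, not this PR's release.yml. <PLACEHOLDER_*> values are assumptions.
name: release
on:
  workflow_dispatch:
permissions:
  contents: write   # GitHub release
  packages: write   # Maven deploy to GitHub Packages
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@<PLACEHOLDER_SHA> # vX.Y.Z
        id: app-token
        with:
          app-id: ${{ vars.RELEASE_APP_ID }}                  # assumed names
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config
      # Pushes to protected master/release/* go through the App token via the
      # gh credential helper, authored as the machine user.
      - name: Configure Git as diennea-bot
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          git config user.name  "diennea-bot"
          git config user.email "<PLACEHOLDER_BOT_EMAIL>"
          gh auth setup-git
      # BROKEN form that produced the 401: setup-java treats server-username and
      # server-password as environment-variable NAMES, so the literal token below
      # became a lookup of a non-existent variable and an empty password.
      #     server-username: ${{ github.actor }}
      #     server-password: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/setup-java@<PLACEHOLDER_SHA> # vX.Y.Z
        with:
          distribution: temurin
          java-version: '17'              # assumed
          server-id: github               # must match the <server><id> in the pom
          server-username: GITHUB_ACTOR   # name, expanded as ${env.GITHUB_ACTOR}
          server-password: GITHUB_TOKEN   # name; GitHub Packages rejects App tokens
      - name: Maven release
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}   # git push (credential helper)
          GITHUB_ACTOR: ${{ github.actor }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}        # Maven deploy
        run: ./mvnw -B release:prepare release:perform
```

The deploy step only works with the HTTPS SCM URL in pom.xml, as the description notes, since the gh credential helper cannot answer an SSH push.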