From edc94f3a04ea042ea024e08590e5cd192bd997d4 Mon Sep 17 00:00:00 2001
From: Kaviarasu Sakthivadivel
Date: Thu, 5 Mar 2026 17:43:05 -0800
Subject: [PATCH 1/2] fix(ci): explicitly trigger Maven release workflow from release-please

GITHUB_TOKEN-triggered events don't cascade to prevent recursive workflows. When release-please creates a release using GITHUB_TOKEN, the 'release: published' event is suppressed and won't trigger the Maven Central publish workflow.

Solution: explicitly trigger release.yml via workflow_dispatch when a release is created.

Ref: https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow
---
 .github/workflows/release-please.yml | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 785ae9e4..35955237 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -8,18 +8,43 @@ on:
 permissions:
 contents: write
 pull-requests: write
+ actions: write
 
 jobs:
 release-please:
 runs-on: ubuntu-latest
+ outputs:
+ release_created: ${{ steps.release.outputs.release_created }}
+ tag_name: ${{ steps.release.outputs.tag_name }}
 steps:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
-
+
 - uses: googleapis/release-please-action@v4
 id: release
 with:
 config-file: release-please-config.json
 manifest-file: .release-please-manifest.json
 token: ${{ secrets.GITHUB_TOKEN }}
+
+ trigger-maven-release:
+ needs: release-please
+ if: ${{ needs.release-please.outputs.release_created == 'true' }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Trigger Maven Central publish
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ await github.rest.actions.createWorkflowDispatch({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ workflow_id: 'release.yml',
+ ref: 'main',
+ inputs: {
+ tag_name: '${{ needs.release-please.outputs.tag_name }}'
+ }
+ });
+ console.log('Triggered Maven Central publish workflow for tag: ${{ needs.release-please.outputs.tag_name }}');

From 892efa4b9ec46d0a6f8a5008907dc0074373ee1e Mon Sep 17 00:00:00 2001
From: Kaviarasu Sakthivadivel
Date: Thu, 30 Apr 2026 14:51:26 -0700
Subject: [PATCH 2/2] fix(ci): harden trigger-maven-release against script-injection

Move tag_name interpolation out of inline JS into an env var and read it via process.env, matching the pattern already used in release.yml.

Also scope actions: write to the trigger-maven-release job instead of the whole workflow so release-please runs with minimum privilege.

Addresses review feedback from @j10t on PR #161.
---
 .github/workflows/release-please.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 35955237..9d80f28e 100644
--- a/.github/workflows/release-please.yml
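Review bot: `ref: 'main'` in the createWorkflowDispatch call starts release.yml from the tip of main at dispatch time rather than from the commit release-please just tagged, so if main advances between the release being cut and this job running, the publish can build a different commit unless release.yml itself checks out `inputs.tag_name` (release.yml is not on this page). Dispatching on the tag instead, i.e. passing the tag name as `ref`, pins the run to the tagged commit, assuming release.yml exists at that commit; the same point applies unchanged to the second hunk of PATCH 2/2, which keeps `ref: 'main'`. The `'${{ needs.release-please.outputs.tag_name }}'` interpolation inside the inline script is the expression-injection pattern that PATCH 2/2 in this series replaces with an env var, so it is not re-raised here. Separately, `actions/github-script@v7` (and the existing `actions/checkout@v4`) are referenced by floating major tags; pinning them to a full commit SHA with the tag in a trailing comment narrows the supply-chain exposure of a job that holds `actions: write`.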
+++ b/.github/workflows/release-please.yml
@@ -8,7 +8,6 @@ on:
 permissions:
 contents: write
 pull-requests: write
- actions: write
 
 jobs:
 release-please:
@@ -32,19 +31,22 @@ jobs:
 needs: release-please
 if: ${{ needs.release-please.outputs.release_created == 'true' }}
 runs-on: ubuntu-latest
+ permissions:
+ actions: write
 steps:
 - name: Trigger Maven Central publish
 uses: actions/github-script@v7
+ env:
+ TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
+ const tagName = process.env.TAG_NAME;
 await github.rest.actions.createWorkflowDispatch({
 owner: context.repo.owner,
 repo: context.repo.repo,
 workflow_id: 'release.yml',
 ref: 'main',
- inputs: {
- tag_name: '${{ needs.release-please.outputs.tag_name }}'
- }
+ inputs: { tag_name: tagName }
 });
- console.log('Triggered Maven Central publish workflow for tag: ${{ needs.release-please.outputs.tag_name }}');
+ console.log(`Triggered Maven Central publish workflow for tag: ${tagName}`);
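Review bot: `const tagName = process.env.TAG_NAME;` is used without a check in the second hunk, so if the `release_created` output is `'true'` while `tag_name` comes through empty, the dispatch still goes out with an empty `tag_name` input and the failure only surfaces inside release.yml; a guard on the next line, `if (!tagName) { core.setFailed('release-please produced no tag_name'); return; }`, fails this job instead. The job-level `permissions:` block replaces the workflow-level grant rather than extending it, so this job now runs with only `actions: write`, which is all createWorkflowDispatch needs; a comment above it, `# job-level permissions replace the workflow-level block; only actions: write is needed here`, keeps a later maintainer from adding contents back. The `tag_name` input name is assumed to match a `workflow_dispatch` input declared in release.yml, which is not on this page.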