diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 4b5e89f8c..e2fb7253d 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -26,7 +26,7 @@ jobs:
distribution: 'temurin'
cache: maven
- name: Build with Maven and run tests
- run: mvn -Pjavadoc -B package --file pom.xml -fae
+ run: mvn -B package --file pom.xml -fae
- name: Upload Test Reports
if: failure()
uses: actions/upload-artifact@v4
diff --git a/.github/workflows/build-with-release-profile-run.yml b/.github/workflows/build-with-release-profile-run.yml
new file mode 100644
index 000000000..245bb5edb
--- /dev/null
+++ b/.github/workflows/build-with-release-profile-run.yml
@@ -0,0 +1,108 @@
+name: Build with '-Prelease' (Run)
+
+# Workflow_run job for release profile build verification.
+# This workflow has access to secrets and runs the actual build.
+# Triggered by build-with-release-profile.yml completion.
+# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+
+on:
+ workflow_run:
+ workflows: ["Build with '-Prelease' (Trigger)"]
+ types:
+ - completed
+
+permissions: {}
+
+jobs:
+ build:
+ # Only run for successful trigger workflow from main repository
+ if: >
+ ${{ github.event.workflow_run.conclusion == 'success' &&
+ github.event.workflow_run.repository.full_name == 'a2aproject/a2a-java' }}
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: read # Required to download artifacts
+
+ steps:
+ - name: Download PR info
+ uses: actions/download-artifact@v4
+ with:
+ name: pr-info
+ github-token: ${{ github.token }}
+ run-id: ${{ github.event.workflow_run.id }}
+
+ - name: Extract PR info
+ id: pr_info
+ run: |
+ if [ -f pr_number ]; then
+ PR_NUMBER=$(cat pr_number)
+ echo "pr_number=${PR_NUMBER}" >> $GITHUB_OUTPUT
+ echo "PR Number: ${PR_NUMBER}"
+ else
+ echo "No PR number (push event)"
+ fi
+
+ PR_SHA=$(cat pr_sha)
+ echo "pr_sha=${PR_SHA}" >> $GITHUB_OUTPUT
+ echo "PR SHA: ${PR_SHA}"
+
+ PR_REF=$(cat pr_ref)
+ echo "pr_ref=${PR_REF}" >> $GITHUB_OUTPUT
+ echo "PR Ref: ${PR_REF}"
+
+ - name: Checkout PR code
+ uses: actions/checkout@v4
+ with:
+ # Checkout the exact commit from the PR (or push)
+ # This is safe because the workflow code (this file) is always from main
+ ref: ${{ steps.pr_info.outputs.pr_sha }}
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+ cache: maven
+
+ # Use secrets to import GPG key
+ - name: Import GPG key
+ uses: crazy-max/ghaction-import-gpg@v6
+ with:
+ gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
+ passphrase: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
+
+ # Create settings.xml for Maven since it needs the 'central-a2asdk-temp' server.
+ # Populate with username and password from secrets
+ - name: Create settings.xml
+ run: |
+ mkdir -p ~/.m2
+ echo "central-a2asdk-temp${{ secrets.CENTRAL_TOKEN_USERNAME }}${{ secrets.CENTRAL_TOKEN_PASSWORD }}" > ~/.m2/settings.xml
+
+ # Build with the same settings as the deploy job
+ # -s uses the settings file we created.
+ - name: Build with same arguments as deploy job
+ run: >
+ mvn -B install
+ -s ~/.m2/settings.xml
+ -P release
+ -DskipTests
+ -Drelease.auto.publish=true
+ env:
+ # GPG passphrase is set as an environment variable for the gpg plugin to use
+ GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
+
+ - name: Build Summary
+ if: always()
+ run: |
+ if [ "${{ job.status }}" = "success" ]; then
+ echo "✅ Release profile build succeeded"
+ if [ -n "${{ steps.pr_info.outputs.pr_number }}" ]; then
+ echo " PR #${{ steps.pr_info.outputs.pr_number }} is ready for release"
+ fi
+ else
+ echo "❌ Release profile build failed"
+ if [ -n "${{ steps.pr_info.outputs.pr_number }}" ]; then
+ echo " PR #${{ steps.pr_info.outputs.pr_number }} has release profile issues"
+ fi
+ fi
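Review bot: The job still executes untrusted code with secrets in reach: `ref: ${{ steps.pr_info.outputs.pr_sha }}` checks out whatever commit the artifact names, and `mvn -B install -P release` then runs that commit's pom.xml and plugins while the GPG key is imported, `GPG_PASSPHRASE` is in the environment and `~/.m2/settings.xml` holds the central credentials, which is precisely the situation the linked securitylab article says a `workflow_run` job must avoid. The `if:` guard compares `workflow_run.repository.full_name`, which is the base repository even for a pull request from a fork, so it does not exclude forks; and because the trigger fires on `pull_request`, the PR's own copy of the trigger workflow produces the artifact, so `pr_number`, `pr_sha` and `pr_ref` are untrusted input that is written unvalidated into `$GITHUB_OUTPUT` and later interpolated into shell in the Build Summary step. The comment `# This is safe because the workflow code (this file) is always from main` should be corrected to say that only the workflow file is trusted, not the build that is checked out and run. At minimum, add `github.event.workflow_run.head_repository.full_name == 'a2aproject/a2a-java'` to the guard and validate the artifact values before exporting them as shown below; if fork PRs are meant to be verified at all, that verification should run without the signing key and publishing credentials.
```yaml
    if: >
      ${{ github.event.workflow_run.conclusion == 'success' &&
          github.event.workflow_run.repository.full_name == 'a2aproject/a2a-java' &&
          github.event.workflow_run.head_repository.full_name == 'a2aproject/a2a-java' }}
    # … unchanged: runs-on, permissions, Download PR info step …
      - name: Extract PR info
        id: pr_info
        run: |
          PR_SHA=$(cat pr_sha)
          [[ "$PR_SHA" =~ ^[0-9a-f]{40}$ ]] || { echo "invalid pr_sha in artifact"; exit 1; }
          echo "pr_sha=${PR_SHA}" >> "$GITHUB_OUTPUT"
          if [ -f pr_number ]; then
            PR_NUMBER=$(cat pr_number)
            [[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "invalid pr_number in artifact"; exit 1; }
            echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
          fi
          # … unchanged: pr_ref handling (validate the same way before exporting) …
```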
diff --git a/.github/workflows/build-with-release-profile.yml b/.github/workflows/build-with-release-profile.yml
index 129833307..0f4c05687 100644
--- a/.github/workflows/build-with-release-profile.yml
+++ b/.github/workflows/build-with-release-profile.yml
@@ -1,12 +1,13 @@
-name: Build with '-Prelease'
-
-# Simply runs the build with -Prelease to avoid nasty surprises when running the release-to-maven-central workflow.
+name: Build with '-Prelease' (Trigger)
+# Trigger workflow for release profile build verification.
+# This workflow runs on PRs and uploads the PR info for the workflow_run job.
+# The actual build with secrets happens in build-with-release-profile-run.yml
+# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests
on:
- # Handle all branches for now
+ pull_request: # Changed from pull_request_target for security
push:
- pull_request_target:
workflow_dispatch:
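Review bot: The inline comment `pull_request: # Changed from pull_request_target for security` understates what the switch means for the consumer workflow: on `pull_request` the copy of this file that runs is the one from the PR merge commit, so a fork can rewrite the step that fills `pr_info/`, and everything this workflow uploads has to be treated as untrusted input by `build-with-release-profile-run.yml`. The job-level guard later in the file, `if: github.repository == 'a2aproject/a2a-java'`, compares the base repository and therefore still admits pull requests from forks, so the context comment `# Only run this job for the main repository, not for forks` beside it is no longer accurate. Suggested wording for the trigger comment: `# pull_request (not pull_request_target): no secrets here, and the PR's copy of this file runs, so the uploaded artifact is untrusted input`.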
# Only run the latest job
@@ -15,7 +16,7 @@ concurrency:
cancel-in-progress: true
jobs:
- build:
+ trigger:
# Only run this job for the main repository, not for forks
if: github.repository == 'a2aproject/a2a-java'
runs-on: ubuntu-latest
@@ -23,39 +24,27 @@ jobs:
contents: read
steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Set up JDK 17
- uses: actions/setup-java@v4
- with:
- java-version: '17'
- distribution: 'temurin'
- cache: maven
-
- # Use secrets to import GPG key
- - name: Import GPG key
- uses: crazy-max/ghaction-import-gpg@v6
- with:
- gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
- passphrase: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
-
- # Create settings.xml for Maven since it needs the 'central-a2asdk-temp' server.
- # Populate wqith username and password from secrets
- - name: Create settings.xml
+ - name: Prepare PR info
run: |
- mkdir -p ~/.m2
- echo "central-a2asdk-temp${{ secrets.CENTRAL_TOKEN_USERNAME }}${{ secrets.CENTRAL_TOKEN_PASSWORD }}" > ~/.m2/settings.xml
-
- # Build with the same settings as the deploy job
- # -s uses the settings file we created.
- - name: Build with same arguments as deploy job
- run: >
- mvn -B install
- -s ~/.m2/settings.xml
- -P release
- -DskipTests
- -Drelease.auto.publish=true
- env:
- # GPG passphrase is set as an environment variable for the gpg plugin to use
- GPG_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }}
\ No newline at end of file
+ mkdir -p pr_info
+
+ # Store PR number for workflow_run job
+ if [ "${{ github.event_name }}" = "pull_request" ]; then
+ echo ${{ github.event.number }} > pr_info/pr_number
+ echo ${{ github.event.pull_request.head.sha }} > pr_info/pr_sha
+ echo ${{ github.event.pull_request.head.ref }} > pr_info/pr_ref
+ else
+ # For push events, store the commit sha
+ echo ${{ github.sha }} > pr_info/pr_sha
+ echo ${{ github.ref }} > pr_info/pr_ref
+ fi
+
+ echo "Event: ${{ github.event_name }}"
+ cat pr_info/*
+
+ - name: Upload PR info
+ uses: actions/upload-artifact@v4
+ with:
+ name: pr-info
+ path: pr_info/
+ retention-days: 1
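Review bot: `echo ${{ github.event.pull_request.head.ref }} > pr_info/pr_ref` expands a branch name chosen by the PR author directly into the shell script, which is the expression-injection pattern the linked securitylab article describes; the unquoted `github.event.number`, `head.sha` and `github.ref` lines have the same shape with less exposure. This job runs without secrets and with `contents: read`, so the exposure is confined to the runner, but the values should still be passed through `env:` and quoted so that the content of `pr_info/` is exactly one value per file. Rewritten step below; the `Upload PR info` step is unchanged.
```yaml
      - name: Prepare PR info
        env:
          PR_NUMBER: ${{ github.event.number }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PUSH_SHA: ${{ github.sha }}
          PUSH_REF: ${{ github.ref }}
        run: |
          mkdir -p pr_info
          # Store PR number for workflow_run job
          if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
            echo "$PR_NUMBER" > pr_info/pr_number
            echo "$HEAD_SHA" > pr_info/pr_sha
            echo "$HEAD_REF" > pr_info/pr_ref
          else
            # For push events, store the commit sha
            echo "$PUSH_SHA" > pr_info/pr_sha
            echo "$PUSH_REF" > pr_info/pr_ref
          fi
          # … unchanged: Event echo and cat pr_info/* …
```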
diff --git a/pom.xml b/pom.xml
index 21ee72eb3..8242e9462 100644
--- a/pom.xml
+++ b/pom.xml
@@ -511,20 +511,6 @@
-
-
- javadoc
-
-
-
- org.apache.maven.plugins
- maven-javadoc-plugin
-
-
-
-